From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 18 11:02:28 2004
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Date: Mon, 18 Oct 2004 11:02:27 GMT
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2003/04/22] kern/51274  ipfw  ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341  ipfw  ipfw rule 'deny icmp from any to any icmp
o [2003/12/11] kern/60154  ipfw  ipfw core (crash)
o [2004/03/03] kern/63724  ipfw  IPFW2 Queues dont t work
f [2004/03/25] kern/64694  ipfw  [ipfw] UID/GID matching in ipfw non-funct

5 problems total.
Non-critical problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw  Add an option to ipfw to log gid/uid of w
o [2002/12/10] kern/46159  ipfw  ipfw dynamic rules lifetime feature
o [2003/02/11] kern/48172  ipfw  ipfw does not log size and flags
o [2003/03/10] kern/49086  ipfw  [patch] Make ipfw2 log to different syslo
o [2003/04/09] bin/50749   ipfw  ipfw2 incorrectly parses ports and port r
o [2003/08/26] kern/55984  ipfw  [patch] time based firewalling support fo
o [2003/12/30] kern/60719  ipfw  ipfw: Headerless fragments generate cryp
o [2004/08/03] kern/69963  ipfw  ipfw: install_state warning about already
o [2004/09/04] kern/71366  ipfw  "ipfw fwd" sometimes rewrites destination

9 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 18 21:57:06 2004
From: "Henry Su"
To: "James Davis", "Steve Bertrand"
Date: Mon, 18 Oct 2004 14:56:57 -0700
Cc: freebsd-ipfw@freebsd.org
Subject: RE: Bridging and transparent web-cache

Maybe you can try rules like this:

ipfw add 150 fwd 127.0.0.1,squid_listen_port tcp from any to any dst-port 80 in
ipfw add 160 allow tcp from me to any dst-port 80

From owner-freebsd-ipfw@FreeBSD.ORG Tue Oct 19 21:21:52 2004
From: "Henry Su"
To: "Candy"
Date: Tue, 19 Oct 2004 14:21:49 -0700
Subject: RE:
You can write a C/Perl program to do that. The program can run a system command such as "ipfw add 1200 allow ip from a to b" based on your trigger.

-----Original Message-----
From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of Candy
Sent: Saturday, May 15, 2004 5:04 PM
To: freebsd-ipfw@freebsd.org
Subject:

Hi all,

I am currently doing a project whereby I am required to tweak the ipfw parameters such as IP addresses, port numbers etc. I would like to check whether there are any APIs available for ipfw to do this job? Or do you have any suggestions on how to tweak the values without the administrator doing it manually? I want the whole tweaking process to be automated.

For example, when functionA passes the source and destination IP addresses to functionB (the action is "block" by default unless otherwise stated), functionB should be able to amend the ipfw parameters by some automated means. Hence I am looking for solutions for those automated means.

Please help me with this. Thanks in advance.

Regards,
Candy
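As an added example (not code from the thread), this is how such a trigger-driven helper might build and run the "ipfw add" command in C while refusing anything that is not a plain IPv4 address, so an unchecked string from functionA can never add tokens to the rule or reach a shell. The 1..65534 rule-number range, the allow/deny whitelist and the /sbin/ipfw path are assumptions.

```c
/* Added example: validated construction of an ipfw rule from caller input.
 * The addresses go through inet_pton() before they are used, and ipfw is
 * started with execv() on a fixed argv rather than via system(), so there
 * is no shell to interpret anything the caller passed in. */
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define RULE_MAX 256

/* Returns 1 if s is a well-formed dotted-quad IPv4 address, else 0.
 * Trailing characters ("10.0.0.5 to any") make inet_pton() fail, which is
 * exactly the behaviour wanted here. */
int valid_ipv4(const char *s)
{
    struct in_addr a;
    return s != NULL && inet_pton(AF_INET, s, &a) == 1;
}

/* Formats "ipfw add <num> <action> ip from <src> to <dst>" into buf.
 * Returns 0 on success, -1 if the rule number is out of range (assumed
 * 1..65534), the action is not allow/deny, an address is malformed, or the
 * buffer is too small. */
int build_rule(char *buf, size_t len, unsigned rule_num, const char *action,
               const char *src, const char *dst)
{
    if (rule_num == 0 || rule_num > 65534)
        return -1;
    if (action == NULL || (strcmp(action, "allow") != 0 && strcmp(action, "deny") != 0))
        return -1;
    if (!valid_ipv4(src) || !valid_ipv4(dst))
        return -1;
    int n = snprintf(buf, len, "ipfw add %u %s ip from %s to %s",
                     rule_num, action, src, dst);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Validates the pieces with build_rule() and then execs /sbin/ipfw (path is
 * an assumption) with one argv element per token. Returns ipfw's exit
 * status, or -1 if validation or process creation failed. */
int apply_rule(unsigned rule_num, const char *action, const char *src, const char *dst)
{
    char cmd[RULE_MAX], num[16];
    if (build_rule(cmd, sizeof cmd, rule_num, action, src, dst) != 0)
        return -1;
    snprintf(num, sizeof num, "%u", rule_num);
    char *const argv[] = { "ipfw", "add", num, (char *)action, "ip", "from",
                           (char *)src, "to", (char *)dst, NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv("/sbin/ipfw", argv);
        _exit(127);             /* only reached if execv() failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char cmd[RULE_MAX];
    /* Constructed sample: a trigger asking to block 10.0.0.5 -> 10.0.0.9. */
    if (build_rule(cmd, sizeof cmd, 1200, "deny", "10.0.0.5", "10.0.0.9") == 0)
        printf("would run: %s\n", cmd);
    /* Constructed bad input: extra tokens in the address are rejected. */
    if (build_rule(cmd, sizeof cmd, 1201, "deny", "10.0.0.5 to any", "10.0.0.9") != 0)
        puts("rejected malformed source address");
    return 0;
}
```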
_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Wed Oct 20 14:19:39 2004
From: "Patrick D. Feighery"
Organization: The MITRE Corporation
Date: Wed, 20 Oct 2004 10:19:30 -0400
Subject: Divert and IPv6

I have created a transparent transport layer Performance Enhancing Proxy (PEP) application to increase the performance of TCP applications over satellites and other challenged environments, based on the SCPS transport layer protocol (www.scps.org). This PEP works by spoofing TCP applications. Essentially, when the PEP sees an incoming SYN, it spoofs the connection and creates two separate transport layer connections, one to the end system and a second with an enhanced version of TCP with parameters more appropriate and tuned for the challenged resource. The peer PEP on the far end of the challenged resource terminates the enhanced TCP connection and opens up a third TCP connection to the actual destination. Only the source and destination IPv4 addresses are present in the IP packets that are sent through the network. I have used the divert utility with great success to pass packets to/from kernel and application space in the PEP boxes.

When I ported this application to Linux, I created a version based on the TAP interface and bridging. A side effect of this method is that the PEP sees all traffic.

Now I have been tasked to port this application to IPv6. What is the status of divert for IPv6? From some postings it does not appear to be production quality yet. If not, are there other techniques that I could use to pass data between the kernel and application space? My initial implementation would assume no extension headers are present.

Just for some background, here are the divert rules from the IPv4 version of the PEP; 10.20.2.4 and 10.20.4.4 are the IP addresses associated with sis0 and sis1 of the PEP box.
loo4# ipfw show
10002      0         0 allow ip from any to 10.20.2.4
10003      0         0 allow ip from any to 10.20.4.4
10004      0         0 allow ip from 10.20.2.4 to any
10005      0         0 allow ip from 10.20.4.4 to any
10006      0         0 divert 53000 tcp from any to any in recv sis0 setup
10007      0         0 divert 53001 tcp from any to any in recv sis1 setup
10008      0         0 divert 52000 tcp from any to any in recv sis0
10008      0         0 divert 52000 tcp from any to any in recv sis1
65535 401940 346429780 allow ip from any to any

Any help would be greatly appreciated.

Best Regards,
Pat Feighery
feighery@mitre.org

From owner-freebsd-ipfw@FreeBSD.ORG Wed Oct 20 15:15:11 2004
From: Brooks Davis
To: "Patrick D. Feighery"
Date: Wed, 20 Oct 2004 08:15:51 -0700
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Divert and IPv6

On Wed, Oct 20, 2004 at 10:19:30AM -0400, Patrick D. Feighery wrote:
> I have created a transparent transport layer Performance Enhancing Proxy
> (PEP) application to increase the performance of TCP applications over
> satellites and other challenged environments based on the SCPS transport
> layer protocol (www.scps.org). This PEP works by spoofing TCP
> applications. Essentially, when the PEP sees an incoming SYN, it spoofs the
> connection and creates two separate transport layer connections, one to the
> end system and a second with an enhanced version of TCP with parameters more
> appropriate and tuned for the challenged resource. The peer PEP on the far
> end of the challenged resource terminates the enhanced TCP connection and
> opens up a third TCP connection to the actual destination. Only the source
> and destination IPv4 addresses are present in the IP packets that are sent
> through the network. I have used the divert utility with great success to
> pass packets to/from kernel and application space in the PEP boxes.
>
> When I ported this application to Linux, I created a version based on the
> TAP interface and bridging.
> A side effect of this method is that the PEP sees all
> traffic.
>
> Now I have been tasked to port this application to IPv6. What is the status
> of divert for IPv6? From some postings it does not appear to be production
> quality yet. If not, are there other techniques that I could use to pass
> data between the kernel and application space? My initial implementation
> would assume no extension headers are present.

At this point we don't have IPv6 support for ipfw in the tree. I've posted patches based on work from one of Luigi's students, but they aren't complete yet (they have routing problems when using dummynet, and currently IPv4 matching isn't working with them applied). These issues are fairly high on my priority list, so I certainly expect something workable within a month or so. I hope to have it MFC'd in plenty of time to have it well tested before 5.4.

As an alternative for now, you might take a look at using netgraph. You could tap the interfaces and use ng_bpf to sort only the traffic you want before passing that part up via an ng_socket.
-- Brooks

From owner-freebsd-ipfw@FreeBSD.ORG Wed Oct 20 16:23:43 2004
From: "Patrick D. Feighery"
To: "'Brooks Davis'"
Cc: freebsd-ipfw@freebsd.org
Date: Wed, 20 Oct 2004 12:23:32 -0400
Subject: RE: Divert and IPv6

I've looked into netfilter.
Unfortunately, I have not been able to find sufficient documentation or sample code to start sinking my teeth into. I've read the man pages and the article in Daemon News. This technique appears to have potential; however, I've only found basic scripts that exercise some basic features of netfilter. Do you have some sample code I can look at on using ng_socket and ng_bpf?

Many thanks for the prompt response.

Pat

-----Original Message-----
From: Brooks Davis [mailto:brooks@one-eyed-alien.net]
Sent: Wednesday, October 20, 2004 11:16 AM
To: Patrick D. Feighery
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Divert and IPv6
At this point we don't have IPv6 support for ipfw in the tree. I've posted patches based on work from one of Luigi's students, but they aren't complete yet (they have routing problems when using dummynet, and currently IPv4 matching isn't working with them applied). These issues are fairly high on my priority list, so I certainly expect something workable within a month or so. I hope to have it MFC'd in plenty of time to have it well tested before 5.4.

As an alternative for now, you might take a look at using netgraph. You could tap the interfaces and use ng_bpf to sort only the traffic you want before passing that part up via an ng_socket.

-- Brooks

From owner-freebsd-ipfw@FreeBSD.ORG Wed Oct 20 17:35:29 2004
From: Martes Wigglesworth
To: ipfw-mailings
Organization: Wiggtekmicro Corporation
Date: Wed, 20 Oct 2004 20:35:10 +0300
Subject: ipfw shaper bandwidth not dynamically allocated...

Greetings, all.

I am having a bit of trouble with shaping on a multi-subnet natd/packet-filter/traffic-shaper.

My woes: I set the rule, just after divert, "queue 1 log all from any to ${interalnet} in recv ${outerinterface}", with the following config for the queue/pipe: "queue 1 config pipe 1 mask dst-ip 0xffffffff" and "pipe 1 config bw 256Kbit/s". The pipe limits and the dynamic queues are created for each IP on my subnet that has traffic; however, the empty pipes remain until the client is shut down or taken off the network. Also, the bandwidth is not dynamically distributed to the hosts on the subnet(s). Meaning, when I am the only client, I get just under full bandwidth; however, when there are more than three or four users, the bandwidth drops to about 18Kbit/s. Is this normal? If I give the pipe 256Kbit/s then we get about 20Kbit/s, not 256/8=32Kbit/s. Am I missing something?

Also, even though my queues don't disappear, shouldn't the only queues being bandwidthed be those with traffic? Why am I not seeing dynamic usage? I thought that the pipe would only be split while there is traffic in each queue?

Any help is surely appreciated, and really desirable.

Respectfully.
--
M.G.W.
Wiggtekmicro, Corp.
System:
Asus M6N
Intel Dothan 1.7
512MB RAM
40GB HD
10/100/1000 NIC
Wireless b/g (not working yet)
BSD-5.2.1
KDE-3.1.4
From owner-freebsd-ipfw@FreeBSD.ORG Wed Oct 20 18:31:44 2004
From: Chico
To: freebsd-ipfw@freebsd.org
Date: Wed, 20 Oct 2004 11:31:43 -0700 (PDT)
Subject: IPFW & NATD working with IPSEC

Hi everyone,

I'm running FreeBSD with IPFW and NATD. I have the external interface obtaining DHCP from the cable modem. My internal network is 10.0.0.x. Everything works fine except when I try to use my work IPSEC client. It is a Nortel client that fails to connect when behind the firewall. Can anyone provide detailed instructions on how to configure the firewall to allow these connections?

Thanks,
Chico
From owner-freebsd-ipfw@FreeBSD.ORG Wed Oct 20 19:02:13 2004
From: Martes Wigglesworth
To: ipfw-mailings
Organization: Wiggtekmicro Corporation
Date: Wed, 20 Oct 2004 22:01:57 +0300
Subject: ipfw address-listing woes

I am having a bit of a time getting a rule to be recognized with an address-list in it. I have two identical natd boxes for my organization; however, I am unable to get the production machine to recognize particular rules, as illustrated below:

router1 (production firewall that has to be open to everything out, right now):
> sudo ipfw show
00097      8       672 deny log icmp from any to any icmptypes 8 in recv sis0
00098     80      6722 allow ip from any to any via lo0
00099      0         0 allow ip from 127.0.0.1 to 127.0.0.1
00100     23        20 allow tcp from any to any dst-port 22 setup keep-state
00101      0         0 deny log ip from any to any in recv sis0 setup
00102      0         0 allow udp from 0.0.0.0 to 255.255.255.255 dst-port 67,68 setup keep-state
00103      0         0 allow udp from any to any dst-port 53 via xl0,rl0 keep-state
00104  54481   5930639 deny udp from any to any dst-port 137,138,513
***00105   0         0 allow tcp from 192.168.1.0/24,192.168.2.0/24 to any dst-port 21,25,80,110,443,995 via xl0,rl0 setup keep-state***
   ^^
00106      0         0 allow udp from any to any dst-port 33435-33524 keep-state
00200 473701 204681004 divert 8668 ip from any to any via sis0
65535 944012 409148687 allow ip from any to any

Can anyone let me know why this is not working, because the rule is recognized on the following test firewall:

gate1.276EN
> sudo ipfw show
00098     76      7306 allow ip from any to any via lo0
00099  28425   3694972 divert 8668 ip from any to any via sis0
00100   3126    990373 queue 1 log ip from any to 192.168.1.0/24 in recv sis0
00150      0         0 allow ip from 127.0.0.1 to 127.0.0.1
00151   3548    290790 allow tcp from any to any dst-port 22 setup keep-state
00202      0         0 allow udp from 0.0.0.0 to 255.255.255.255 dst-port 67,68 setup keep-state
00203   1032    101807 allow udp from any to any dst-port 53 via fxp0 keep-state
00204  21864   2369464 deny udp from any to any dst-port 137,138,513
****00205 2664    964612 allow tcp from 192.168.1.0/24 to any dst-port 21,25,80,110,443,995 via fxp0 setup keep-state****
    ^^^                                                                          ^^^^
00206      0         0 allow udp from any to any dst-port 33435-33524 keep-state
65535   3303    340052 allow ip from any to any

As you can see by the asterisks and the "^", the rule works on the test firewall; however, it fails on the production one. I think it has to do with my use of multiple NICs, and/or address-lists in the production firewall.
As always, any help is greatly appreciated.

Respectfully.
--
M.G.W.
Wiggtekmicro, Corp.

From owner-freebsd-ipfw@FreeBSD.ORG Wed Oct 20 19:13:28 2004
From: "Steve Bertrand"
To: martes.wigglesworth@earthlink.net
Cc: ipfw-mailings
Date: Wed, 20 Oct 2004 15:15:40 -0400 (EDT)
Subject: Re: ipfw address-listing woes
> I am having a bit of a time getting a rule to be recognized with an
> address-list in it. I have two identical natd boxes for my
> organization, however, I am unable to get the production machine to
> recognize particular rules, as illustrated below:

Have you tried to put it into a variable? Like so:

    trusted="{ 192.168.1.0/24 or 192.168.2.0/24 }"

Then subsequently, change your rule as follows:

> ***00105 0 0 allow tcp from 192.168.1.0/24,192.168.2.0/24 to any
> dst-port 21,25,80,110,443,995 via xl0,rl0 setup keep-state***

    ... tcp from $trusted to any dst-port 21,25,80 etc

This is the way I've always done it, and I've never tried it your way, so I don't have an answer to why it does not work. I've just stuck with what does ;o)

HTH,

Steve

From: Jon Simola
To: Martes Wigglesworth
Cc: ipfw-mailings
Date: Wed, 20 Oct 2004 13:52:53 -0700 (PDT)
Subject: Re: ipfw address-listing woes

On Wed, 20 Oct 2004, Martes Wigglesworth wrote:

> router1(production firewall that has to be open to everything out, right
> now.)
>
> ***00105 0 0 allow tcp from 192.168.1.0/24,192.168.2.0/24 to any
> dst-port 21,25,80,110,443,995 via xl0,rl0 setup keep-state***
> ^^
> Can anyone let me know why this is not working, because the rule is
> recognized on the following test firewall:
>
> ****00205 2664 964612 allow tcp from 192.168.1.0/24 to any dst-port
> 21,25,80,110,443,995 via fxp0 setup keep-state****
> ^^^ ^^^^
>
> As you can see by the asterisks, and the "^" the rule works on the test
> firewall, however, fails on the production one. I think it has to do
> with my use of multiple NICs, and/or address-lists in the production
> firewall.

I don't see an explicit check-state rule, not that it matters much.

I have on a bridge:

    00900  178117  19945421 deny ip from any to any src-ip 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 layer2
    00900 2008542 104971207 deny ip from any to any dst-ip 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 layer2

and on a router:

    40004 13681337 1702296386 fwd 204.239.167.250,3128 tcp from x.x.166.0/24,x.x.82.0/24 to any dst-port 80 in via em2

So the address lists are working fine here (across a range of 4.x and 5.x machines).

I'd suspect your nat divert rules or sysctl settings are the problem, as your production firewall has the divert rule as 200 (after the line that doesn't work) and your test box has the divert at 99 (before the working line and a queue command).

Perhaps a diagram of how things are laid out as well; each box appears to have multiple NICs of different types, so it would help us out a lot to help you if we had a better idea of the network layout.

---
Jon Simola            | "In the near future - corporate networks
Systems Administrator | reach out to the stars, electrons and light
ABC Communications    | flow throughout the universe."
                      |                                    -- GITS

From: Martes Wigglesworth
To: Jon Simola
Cc: ipfw-mailings
Date: Fri, 22 Oct 2004 10:03:28 +0300
Subject: Re: ipfw address-listing woes

Do you know if it is possible to list two interfaces in this rule? I have gotten the address listing to work, however, I think that when I included the double address listing, it confuses ipfw. I would love to see an example of how to list multiple interfaces in these types of rules.
Do you have any nifty sites of interest, or maybe some more clarification, to offer, for this issue?

Respectfully,
-- 
M.G.W.
Wiggtekmicro, Corp.

From: Steve Bertrand
To: martes.wigglesworth@earthlink.net
Cc: ipfw-mailings
Date: Fri, 22 Oct 2004 08:49:51 -0400 (EDT)
Subject: Re: ipfw address-listing woes
> Do you know if it is possible to list two interfaces in this rule? I
> have gotten the address listing to work, however, I think that when I
> included the double address listing, it confuses ipfw. I would love to
> see an example of how to list multiple interfaces in these types of
> rules. Do you have any nifty sites of interest, or maybe some more
> clarification, to offer, for this issue?

I've never listed two interfaces in one rule before... I don't know if it works or not. I would 'suspect' that only one interface for each rule applies.

Easiest solution: create a single rule for each interface.

Steve

From: Jon Simola
To: Martes Wigglesworth
Cc: ipfw-mailings
Date: Fri, 22 Oct 2004 08:50:19 -0700 (PDT)
Subject: Re: ipfw address-listing woes

On Fri, 22 Oct 2004, Martes Wigglesworth wrote:

> Do you know if it is possible to list two interfaces in this rule?

Apparently you can stick anything after via and ipfw doesn't care:

    # ipfw add 37000 count ip from 192.168.3.0/24,192.168.1.0/24 to any via teleporter
    37000 count ip from 192.168.3.0/24,192.168.1.0/24 to any via teleporter
    # ipfw add 37001 count ip from 192.168.3.0/24,192.168.1.0/24 to any via em1,magic
    37001 count ip from 192.168.3.0/24,192.168.1.0/24 to any via em1,magic
    # ipfw show | grep ^37
    37000 0 0 count ip from 192.168.3.0/24,192.168.1.0/24 to any via teleporter
    37001 0 0 count ip from 192.168.3.0/24,192.168.1.0/24 to any via em1,magic

These rules don't match any of my traffic, even on the existing em1 interface.

> I have gotten the address listing to work, however, I think that when I
> included the double address listing, it confuses ipfw. I would love to
> see an example of how to list multiple interfaces in these types of
> rules.

Well, I don't think you can list multiple interfaces unless you're matching "in recv xl0 out xmit fxp0", and via appears to just use a text string without comparing to interfaces actually existing or not.
Instead of:

    allow tcp from 192.168.1.0/24,192.168.2.0/24 to any dst-port 21,25,80,110,443,995 via xl0,rl0 setup keep-state

Use two separate rules, one for each interface:

    allow tcp from 192.168.1.0/24,192.168.2.0/24 to any dst-port 21,25,80,110,443,995 via xl0 setup keep-state
    allow tcp from 192.168.1.0/24,192.168.2.0/24 to any dst-port 21,25,80,110,443,995 via rl0 setup keep-state

And you'll get past that bug (feature?).

> Do you have any nifty sites of interest, or maybe some more
> clarification, to offer, for this issue?

I cannot clarify anything until I get a better description of what I'm looking at. Most of my ipfw experience comes from a few years of working with it daily and some detailed examination of the code.

---
Jon Simola, ABC Communications

From: Nicolas Rachinsky
To: ipfw-mailings
Date: Fri, 22 Oct 2004 18:01:00 +0200
Subject: Re: ipfw address-listing woes

* Jon Simola [2004-10-22 08:50 -0700]:
> Well, I don't think you can list multiple interfaces unless you're
> matching "in recv xl0 out xmit fxp0" and via appears to just use a text
> string without comparing to interfaces actually existing or not.

    ${fwcmd_add} deny udp from 0.0.0.0 68 to 255.255.255.255 67 in \{ recv ${if_m} or recv ${if_g} \}

resulting in

    deny udp from 0.0.0.0 68 to 255.255.255.255 dst-port 67 in { recv fxp0 or recv fxp1 }

works fine here.
Nicolas

From: Martes Wigglesworth
To: Nicolas Rachinsky, ipfw-mailings
Date: Fri, 22 Oct 2004 19:26:37 +0300
Subject: Re: ipfw address-listing woes

Nicolas, you are the man, that is unless you are using the unisex version of the name, in which case you would be Woman. Either way, thank goodness for yours, Steve's, and Jon's input.

Thankfully,
-- 
M.G.W.
Wiggtekmicro, Corp.
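The interface-list pitfall Jon Simola demonstrates above, together with the two workarounds he and Nicolas Rachinsky give, as an added example that is not code from any of the posts: a small Python checker that flags a comma list after via/recv/xmit in a rules file (ipfw loads it as one literal interface name that matches nothing) and emits both rewrites. The ruleset it scans is constructed from the production listing at the top of the thread, where rules 00103 and 00105 both carry such a list and both show zero counters.

```python
"""Lint ipfw rules for comma-separated interface lists after via/recv/xmit.

ipfw takes the token after `via` as one literal interface name (Jon Simola's
`via teleporter` and `via em1,magic` both load fine and match nothing), so
`via xl0,rl0` is a silently dead rule. This checker flags such rules and
rewrites them into the two forms that work: one rule per interface, or an
or-block of `recv` matches as in Nicolas Rachinsky's rule.
"""
from dataclasses import dataclass
from typing import List

# Match options that take exactly one interface name.
IFACE_KEYWORDS = ("via", "recv", "xmit")


@dataclass
class Finding:
    line_no: int
    keyword: str
    interfaces: List[str]
    rule: str


def _list_operand_index(tokens: List[str]) -> int:
    """Index of the first via/recv/xmit whose operand is a comma list, else -1."""
    for i in range(len(tokens) - 1):
        if tokens[i] in IFACE_KEYWORDS and "," in tokens[i + 1]:
            return i
    return -1


def find_interface_lists(ruleset: str) -> List[Finding]:
    """Scan an ipfw rules file (one rule per line, # comments) for dead interface lists."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(ruleset.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        i = _list_operand_index(tokens)
        if i >= 0:
            findings.append(Finding(line_no, tokens[i], tokens[i + 1].split(","), line))
    return findings


def split_per_interface(rule: str) -> List[str]:
    """Jon Simola's fix: one copy of the rule per interface, everything else unchanged."""
    tokens = rule.split()
    i = _list_operand_index(tokens)
    if i < 0:
        return [rule]
    return [" ".join(tokens[:i + 1] + [iface] + tokens[i + 2:])
            for iface in tokens[i + 1].split(",")]


def or_block(rule: str, keyword: str = "recv") -> str:
    """Nicolas Rachinsky's fix: replace `via a,b` with `{ recv a or recv b }`.

    `recv` matches only the receiving interface, so this form suits rules that
    are (or should be) restricted with `in`; passing keyword="xmit" for the
    outbound counterpart is this example's assumption, not shown in the thread.
    """
    tokens = rule.split()
    i = _list_operand_index(tokens)
    if i < 0:
        return rule
    block = "{ " + " or ".join(f"{keyword} {x}" for x in tokens[i + 1].split(",")) + " }"
    return " ".join(tokens[:i] + [block] + tokens[i + 2:])


def report(ruleset: str) -> List[str]:
    """Human-readable findings with both rewrites, for use as a pre-load check."""
    lines: List[str] = []
    for f in find_interface_lists(ruleset):
        lines.append(f"line {f.line_no}: '{f.keyword} {','.join(f.interfaces)}' "
                     "is one literal name and matches nothing")
        lines.extend("  split:    " + r for r in split_per_interface(f.rule))
        lines.append("  or-block: " + or_block(f.rule))
    return lines


# Constructed sample, trimmed from the thread's production listing (not a real file).
SAMPLE_RULESET = """\
# production box: rules 00103-00200, trimmed
add 00103 allow udp from any to any dst-port 53 via xl0,rl0 keep-state
add 00104 deny udp from any to any dst-port 137,138,513
add 00105 allow tcp from 192.168.1.0/24,192.168.2.0/24 to any dst-port 21,25,80,110,443,995 via xl0,rl0 setup keep-state
add 00200 divert 8668 ip from any to any via sis0
"""

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_RULESET)))
```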
From: Jacob S. Barrett
To: freebsd-ipfw@freebsd.org
Date: Fri, 22 Oct 2004 13:57:39 -0700
Subject: Pipes, Queues and Mask

I am a little confused around the wording in the man page:

    queue  A queue is an abstraction used to implement the WF2Q+
           (Worst-case Fair Weighted Fair Queueing) policy, which is an
           efficient variant of the WFQ policy.
           The queue associates a weight and a reference pipe to each
           flow, and then all backlogged (i.e., with packets queued)
           flows linked to the same pipe share the pipe's bandwidth
           proportionally to their weights. Note that weights are not
           priorities; a flow with a lower weight is still guaranteed to
           get its fraction of the bandwidth even if a flow with a higher
           weight is permanently backlogged.
If I have a queue with a mask on src-ip, I understand that each dynamic queue will share the same weight and the same pipe. My confusion comes when I want to have dynamic pipes masked on the src-ip as well. If the queue is tied to this pipe, will all dynamic queues flow into matching dynamic pipes? The reason I ask this question is that when I configure this I see the dynamic queue created, but not the dynamic pipe. Also the bandwidth appears to be shared as though they are sharing the same pipe.

Is it correct to say that if a masking queue is linked to a masking pipe that all flows will go through a dynamic queue and then will share the same pipe and no dynamic pipes will be created?

Thanks,
Jake

-- 
Jacob S. Barrett
jbarrett@amduat.net
www.amduat.net

"I don't suffer from insanity, I enjoy every minute of it."

From: Jacob S. Barrett
To: freebsd-ipfw@freebsd.org
Date: Fri, 22 Oct 2004 15:42:31 -0700
Subject: Re: Pipes, Queues and Mask

On Friday 22 October 2004 01:57 pm, "Jacob S. Barrett" wrote:
> Is it correct to say that if a masking queue is linked to a masking pipe
> that all flows will go through a dynamic queue and then will share the same
> pipe and no dynamic pipes will be created?

I figured I better include an example config:

    ipfw pipe 1 config bw 128kbps mask src-ip 0x000000ff buckets 256
    ipfw queue 1 config pipe 1 mask src-ip 0x000000ff buckets 256
    ipfw pipe 2 config bw 1500kbps mask dst-ip 0x000000ff buckets 256
    ipfw queue 2 config pipe 2 mask dst-ip 0x000000ff buckets 256
    ipfw add queue 1 all from any to any out via ng0
    ipfw add queue 2 all from any to any in via ng0

    00001: 128.000 Kbit/s    0 ms   5 sl. 0 queues (256 buckets) droptail
        mask: 0x00 0x000000ff/0x0000 -> 0x00000000/0x0000
    00002:   1.500 Mbit/s    0 ms   5 sl. 0 queues (256 buckets) droptail
        mask: 0x00 0x00000000/0x0000 -> 0x000000ff/0x0000
    q00001: weight 1 pipe 1   5 sl. 4 queues (256 buckets) droptail
        mask: 0x00 0x000000ff/0x0000 -> 0x00000000/0x0000
    BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
    143 ip           0.0.0.91/0             0.0.0.0/0    60186  6077130  0    0 10063
    223 ip          0.0.0.243/0             0.0.0.0/0      227    16953  0    0     0
    237 ip          0.0.0.234/0             0.0.0.0/0      549   113319  0    0     0
    239 ip          0.0.0.235/0             0.0.0.0/0    16336   761792  0    0    37
    q00002: weight 1 pipe 2   5 sl. 4 queues (256 buckets) droptail
        mask: 0x00 0x00000000/0x0000 -> 0x000000ff/0x0000
    BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
     40 ip            0.0.0.0/0            0.0.0.91/0    76970 54572437  0    0  1309
     57 ip            0.0.0.0/0            0.0.0.74/0      179    12343  0    0     0
    152 ip            0.0.0.0/0           0.0.0.235/0    29130 42567650  0    0   609
    153 ip            0.0.0.0/0           0.0.0.234/0      922   172001  0    0     2

As you can see there are no dynamic pipes created. Is this expected behavior?

-- 
Jacob S. Barrett
From: Chico
To: freebsd-ipfw@freebsd.org
Date: Fri, 22 Oct 2004 22:16:42 -0700 (PDT)
Subject: IPSEC

I have sent one email out already asking for assistance with IPSEC through my IPFW firewall. Can anyone provide information on how to pass the IPSEC tunnel back to my internal client? IPFW and NATD are working fine, just not passing the traffic.
From: Matej Puntar
To: freebsd-ipfw@freebsd.org
Date: Sat, 23 Oct 2004 22:42:07 +0200
Subject: advanced bandwidth limiting
Hello

I have a LAN with 5 computers and a FreeBSD 5.2.1 server that is also the gateway. I would like to limit the upload and download bandwidth. But I would like to limit the bandwidth depending on how many users are surfing at the moment. If only one user is surfing or downloading he would have all the bandwidth. If 3 users are surfing every one would have 1/3 of upload and download bandwidth. Is this possible with FreeBSD 5.2.1 and how?

Thanks

From: Martes Wigglesworth
To: Matej Puntar, ipfw-mailings
Date: Sun, 24 Oct 2004 01:10:49 +0300
Subject: Re: advanced bandwidth limiting
The answer from all documentation that I have read would be simply implement a single pipe 1 of bw xKbit/s and configure dynamic pipes that use the same pipe, hence splitting up the bandwidth dynamically. Since the queue is a copy of the first one, then all dynamic pipes have the same queue weight, and will then have an equal segment of the bandwidth of the pipe that they are attached to, in this case pipe 1.

Example:

    ipfw add queue 1 log ip from any to ${internaldudes} in recv ${extif}
    ipfw queue 1 config pipe 1 mask dst-ip 0xffffffff
    ipfw pipe 1 config bw 256Kbit/s

In the above example, any ip traffic coming into a natd box with interface ${extif} attached to the internet, and ${internaldudes} being those ips that are behind the gateway. Whenever a host connects to the box, and has traffic come to it from the internet, a dynamic queue will drain bandwidth from pipe 1. Due to this functionality, the pipe 1 bw will get divided between the pipes that are created. When there is no client, then the queue is deleted.

If you have multiple subnets, like me, and you want to specify the internal interfaces, then use the following, thanks to Nicolas, earlier today:

    ${fwcmd_add} deny udp from 0.0.0.0 68 to 255.255.255.255 67 in \{ recv ${if_m} or recv ${if_g} \}

-- 
M.G.W.
Wiggtekmicro, Corp.
System: Asus M6N Intel Dothan 1.7 512MB RAM 40GB HD 10/100/1000 NIC Wireless b/g (not working yet) BSD-5.2.1 KDE-3.1.4

From owner-freebsd-ipfw@FreeBSD.ORG Sat Oct 23 22:42:36 2004
From: Martes Wigglesworth
Reply-To: martes.wigglesworth@earthlink.net
To: ipfw-mailings
Date: Sun, 24 Oct 2004 01:42:14 +0300
Subject: Re: advanced bandwidth limiting Correction
In-Reply-To: <1098569449.602.324.camel@Mobile1.276NET>
References: <417AC21F.1030905@guest.arnes.si> <1098569449.602.324.camel@Mobile1.276NET>
Message-Id: <1098571334.602.327.camel@Mobile1.276NET>
Organization: Wiggtekmicro Corporation

As all have probably figured out, I meant to say queue in the first paragraph. Sorry about that. The example illustrates what I meant to say.

--
M.G.W.
Wiggtekmicro, Corp.
System: Asus M6N Intel Dothan 1.7 512MB RAM 40GB HD 10/100/1000 NIC Wireless b/g (not working yet) BSD-5.2.1 KDE-3.1.4
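As an added example that is not part of the thread, the pipe-plus-masked-queue arrangement Martes describes (with his correction that the dynamic objects are queues), extended to both directions on a natd gateway; the interface name, subnet, rates and rule numbers are assumed, and the script only prints the ipfw commands so they can be reviewed before being piped to sh as root.

```shell
#!/bin/sh
# Added example, not from the thread: prints ipfw/dummynet rules that share
# a link fairly per LAN host in both directions, using one pipe per
# direction and a masked queue that dummynet clones per host.
# Assumed values: interface, subnet, rates and rule numbers.
extif=${extif:-fxp0}              # assumed: interface facing the internet
lan=${lan:-192.168.1.0/24}        # assumed: internal subnet
down_bw=${down_bw:-256Kbit/s}     # assumed: total download rate
up_bw=${up_bw:-128Kbit/s}         # assumed: total upload rate

# Print one command line; the output is meant to be piped into sh as root.
rule() { echo "$*"; }

dummynet_rules() {
    # With natd in the ruleset a packet must keep traversing rules after
    # leaving dummynet so the divert rule still sees it; the default
    # one_pass=1 would accept it straight out of the pipe.
    rule "sysctl net.inet.ip.fw.one_pass=0"
    # Pipe 1 caps downloads, pipe 2 caps uploads.
    rule "ipfw pipe 1 config bw $down_bw"
    rule "ipfw pipe 2 config bw $up_bw"
    # Masking the per-host address makes dummynet clone one queue per LAN
    # host; every clone has the same weight, so N active hosts each get
    # 1/N of the pipe and a lone host gets all of it.
    rule "ipfw queue 1 config pipe 1 weight 10 mask dst-ip 0xffffffff"
    rule "ipfw queue 2 config pipe 2 weight 10 mask src-ip 0xffffffff"
    # Uploads: numbered below the divert natd rule (assumed to sit between
    # 90 and 1100) so the source is still the LAN address when matched;
    # after translation every packet would carry the gateway's public IP
    # and collapse into a single queue.
    rule "ipfw add 90 queue 2 ip from $lan to any out xmit $extif"
    # Downloads: numbered above the divert rule so the destination has
    # already been rewritten back to the LAN host.
    rule "ipfw add 1100 queue 1 ip from any to $lan in recv $extif"
}

dummynet_rules
```

Run it as `sh share.sh` to inspect the rules, then `sh share.sh | sh` on the gateway; an explicit allow rule after 1100 is still needed for traffic that leaves the queues.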
