From: Michael Loftis
Date: Sun, 14 Apr 2002 10:06:51 -0700
To: Giannis Nikopoulos
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Load balancing with NATD
Message-ID: <3CB9B72B.7020908@wgops.com>

natd won't be doing what you want..... Not quite anyway, but what you might want to do is take the natd source, modify it to do your bidding (i.e. change the round-robin algorithm that it currently supports) and then run it that way. It shouldn't be too difficult.

Someone also mentioned in another thread a program called (I think) dcpd or similar, basically a divert(4) framework program to which you can plug in your own code to do the dirty work.

Best luck

Giannis Nikopoulos wrote:
> Hello everybody !!!
>
> I'm just a new member of both the FreeBSD world and this list
> so I hope you will bear with my ignorance.
>
> This is the problem:
>
> I have a FreeBSD 4.5 running as a router between the outer world and
> a private network (192.168.0.0) of 3 servers. I use natd to handle
> traffic between the outer world and the PN.
> My goal (as part of a simple university course project) is to perform
> load balancing among the 3 back-end servers. I've written down a load
> balancing algorithm that uses reporting agents running on the 3 servers
> and reporting their load to a central coordinator running on the FreeBSD
> router. The question is:
>
> How can I use natd (or maybe another tool, say ipfw or some proxy, I don't
> know) in order to dynamically dispatch (redirect) incoming connections
> among the 3 back-end servers? As far as I can tell, natd performs redirection
> (along with address translation) but in a static way (correct me if I'm
> wrong, I've already explained I'm new to this stuff).
>
> Is there any way I can instruct natd to selectively choose to which server
> it will redirect a connection by applying a set of rules, or will I have to
> hack into natd's source code?
>
> I don't know if I should have provided more feedback on this case or been
> a little more specific. Can anyone help?
>
> Thanks in advance

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message


From: "Mihail Balikov"
Date: Mon, 15 Apr 2002 04:04:06 +0300
Subject: dummynet and ip.fw.one_pass
Message-ID: <003401c1e419$70e73340$eee209d9@interbgc.com>

Hi,

is it correct to use such configuration :

sysctl -w net.inet.ip.fw.one_pass=0

# process only outgoing packets
ipfw add 10 allow all from any to any in
# shape whole network to 1Mb/s
ipfw add 15 pipe 15 all from any to 1.2.3.0/24
ipfw pipe 15 config bw 1Mbit/s
# shape every host to 64Kb/s
ipfw add 20 pipe 20 all from any to 1.2.3.0/24
ipfw pipe 20 config mask dst-ip 0x000000ff bw 64Kbit/s
# transmit packet
ipfw add 30 allow all from any to any

regards,
Mihail


From: Luigi Rizzo
Date: Sun, 14 Apr 2002 22:11:05 -0700
To: Mihail Balikov
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: dummynet and ip.fw.one_pass
Message-ID: <20020414221105.B21946@iguana.icir.org>

the code seems correct, but I would do the shaping in the opposite order so that a single host won't be able to monopolise the 1Mbit that you allow for the network.

Secondly, this seems to be a good use for fair queueing, where you want equal sharing of the 1Mbit/s bandwidth:

ipfw pipe 1 config bw 1Mbit/s
ipfw queue 2 config pipe 1 weight 1 mask dst-ip 0x000000ff

ipfw add queue 2 ip from any to 1.2.3.0/24

(you do not need fw_one_pass=0 in this case)

cheers
luigi

On Mon, Apr 15, 2002 at 04:04:06AM +0300, Mihail Balikov wrote:
> Hi,
>
> is it correct to use such configuration :
>
> sysctl -w net.inet.ip.fw.one_pass=0
>
> # process only outgoing packets
> ipfw add 10 allow all from any to any in
> # shape whole network to 1Mb/s
> ipfw add 15 pipe 15 all from any to 1.2.3.0/24
> ipfw pipe 15 config bw 1Mbit/s
> # shape every host to 64Kb/s
> ipfw add 20 pipe 20 all from any to 1.2.3.0/24
> ipfw pipe 20 config mask dst-ip 0x000000ff bw 64Kbit/s
> # transmit packet
> ipfw add 30 allow all from any to any
>
> regards,
> Mihail


From: "John Massier"
Date: Mon, 15 Apr 2002 10:02:11 +0200
To: freebsd-ipfw@FreeBSD.ORG
Subject: Error in booting, please!

Hi everyone,

I've got an odd problem when booting with a firewall_type="filename". In the file (/etc/ipfw.rules) I add the next rules:

add 00100 allow ip from any to any via lo0
add 00200 deny ip from any to 127.0.0.0/8
add 00300 deny ip from 127.0.0.0/8 to any
add 01002 deny hmp from 1.1.1.1 to 5.4.4.4
add 10000 allow tcp from 2.2.2.2 to 3.3.3.3
add 23232 allow i-nlsp from 67.67.67.67 to 3.3.3.3
add 56565 prob 0.400000 allow log logamount 12000 tcp from not 122.23.2.5:123.23.23.23 3456,8765,1511,1469 to 4.2.2.0/23 123,5678,68,2016,998 uid uucp gid man keep-state 1234 bridged in recv ppp0 ipopt ssrr,lsrr tcpflags syn,ack tcpoptions mss,window
add 65000 allow ip from any to any
add 65535 deny ip from any to any

The problem is in rule 56565. When booting I get the following message:

ipfw: Line 7: too many arguments

and the remaining rules aren't added. The rule 56565 is in the file exclusively to test if ipfw fails, and that's exactly what has happened. Any idea please?

Thanks in advance.
Best regards.


From: "Mihail Balikov"
Date: Mon, 15 Apr 2002 12:03:40 +0300
To: "Luigi Rizzo"
Subject: Re: dummynet and ip.fw.one_pass
Message-ID: <000901c1e45c$6f89a3a0$eee209d9@interbgc.com>

in configuration:

ipfw pipe 1 config bw 1Mbit/s
ipfw queue 2 config pipe 1 weight 1 mask dst-ip 0x000000ff
ipfw add queue 2 ip from any to 1.2.3.0/24
ipfw pipe 3 config bw 64Kbit/s burst 128Kbit/s mask dst-ip 0x000000ff
ipfw add 3 pipe 3 ip from any to 1.2.3.0/24

is the following logic correct:

if ( (packet & M_DUMMYNET) &&           /* packet has passed through pipe ==> pipe 2 */
     ! (packet & M_DUMMYNET_DELAIED))   /* packet has not been delayed by pipe 2 */
{
    allow_burst_upto(128Kbit/s);
} else {
    exact_shape(64Kbit/s);
}

regards,
Mihail

----- Original Message -----
From: "Luigi Rizzo"
To: "Mihail Balikov"
Sent: Monday, April 15, 2002 8:11 AM
Subject: Re: dummynet and ip.fw.one_pass

> the code seems correct, but I would do the shaping in the opposite
> order so that a single host won't be able to monopolise the 1Mbit
> that you allow for the network.
>
> Secondly, this seems to be a good use for fair queueing, where
> you want equal sharing of the 1Mbit/s bandwidth:
>
> ipfw pipe 1 config bw 1Mbit/s
> ipfw queue 2 config pipe 1 weight 1 mask dst-ip 0x000000ff
>
> ipfw add queue 2 ip from any to 1.2.3.0/24
>
> (you do not need fw_one_pass=0 in this case)
>
> cheers
> luigi


From: Luigi Rizzo
Date: Mon, 15 Apr 2002 03:24:32 -0700
To: Mihail Balikov
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: dummynet and ip.fw.one_pass
Message-ID: <20020415032432.A24198@iguana.icir.org>

i do not follow your reasoning -- there is no "burst" parameter in the pipe configuration.

cheers
luigi

On Mon, Apr 15, 2002 at 12:03:40PM +0300, Mihail Balikov wrote:
> in configuration:
>
> ipfw pipe 1 config bw 1Mbit/s
> ipfw queue 2 config pipe 1 weight 1 mask dst-ip 0x000000ff
> ipfw add queue 2 ip from any to 1.2.3.0/24
> ipfw pipe 3 config bw 64Kbit/s burst 128Kbit/s mask dst-ip 0x000000ff
> ipfw add 3 pipe 3 ip from any to 1.2.3.0/24
>
> is the following logic correct:
>
> if ( (packet & M_DUMMYNET) &&           /* packet has passed through pipe ==> pipe 2 */
>      ! (packet & M_DUMMYNET_DELAIED))   /* packet has not been delayed by pipe 2 */
> {
>     allow_burst_upto(128Kbit/s);
> } else {
>     exact_shape(64Kbit/s);
> }
>
> regards,
> Mihail


From: saign
Date: Tue, 16 Apr 2002 08:05:07 -0700
To: freebsd-ipfw@freebsd.org
Message-ID: <200204161504.g3GF4aZ08740@cluster2.tfb.com>

After reading the man page for dummynet, I'm confused!

xeon# ipfw pipe 1 config bw 384Kbit/s
xeon# ipfw pipe 2 config bw 384Kbit/s
xeon# ipfw add pipe 1 ip from 192.168.1.19 to any out
00400 pipe 1 ip from 192.168.1.19 to any out
xeon# ipfw add pipe 2 ip from any to 192.168.1.19 in
00450 pipe 2 ip from any to 192.168.1.19 in

xeon# ipfw show
00050 827195 473961009 divert 8668 ip from any to any via fxp0
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 0 0 pipe 1 ip from 192.168.1.19 to any out
00450 4283 4567749 pipe 2 ip from any to 192.168.1.19 in
65000 1732420 1009118949 allow ip from any to any
65535 0 0 deny ip from any to any

xeon# ipfw pipe list
00001: 384.000 Kbit/s 0 ms 50 sl. 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
00002: 384.000 Kbit/s 0 ms 50 sl. 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000

System is a router/dhcpd box. fxp0 is inet, fxp1 is internal

Shouldn't the above "cap" both directions @ 384?
It appears to only cap download, but not upload.

-Tony


From: Michael Sierchio
Reply-To: kudzu@tenebras.com
Date: Tue, 16 Apr 2002 08:28:06 -0700
To: saign
Cc: freebsd-ipfw@freebsd.org
Subject: Re:
Message-ID: <3CBC4306.2070009@tenebras.com>

saign wrote:
> After reading the man page for dummynet, I'm confused!
>
> xeon# ipfw pipe 1 config bw 384Kbit/s
> xeon# ipfw pipe 2 config bw 384Kbit/s
> xeon# ipfw add pipe 1 ip from 192.168.1.19 to any out
> 00400 pipe 1 ip from 192.168.1.19 to any out
> xeon# ipfw add pipe 2 ip from any to 192.168.1.19 in
> 00450 pipe 2 ip from any to 192.168.1.19 in
>
> xeon# ipfw show
> 00050 827195 473961009 divert 8668 ip from any to any via fxp0
> 00100 0 0 allow ip from any to any via lo0
> 00200 0 0 deny ip from any to 127.0.0.0/8
> 00300 0 0 deny ip from 127.0.0.0/8 to any
> 00400 0 0 pipe 1 ip from 192.168.1.19 to any out
> 00450 4283 4567749 pipe 2 ip from any to 192.168.1.19 in

Two points:

1) it's helpful to specify an interface, since all packets headed for 192.168.1.19 are seen both inbound and outbound

2) if by the second pipe rule you intend to limit outbound (upstream) traffic, remember that after being passed through natd, the address will not match 192.168.1.19

Let's suppose that ${oif} is the "outside" interface, and ${iif} is the inside interface. I believe you want (caveat: caffeine deficient)

ipfw add pipe 1 ip from 192.168.1.19 to any in recv ${iif}
ipfw add pipe 2 ip from any to 192.168.1.19 out xmit ${iif}


From: Michael Sierchio
Reply-To: kudzu@tenebras.com
Date: Tue, 16 Apr 2002 08:30:55 -0700
To: kudzu@tenebras.com
Cc: saign, freebsd-ipfw@freebsd.org
Subject: Re:
Message-ID: <3CBC43AF.4070403@tenebras.com>

Michael Sierchio wrote:
>> 00400 0 0 pipe 1 ip from 192.168.1.19 to any out
>> 00450 4283 4567749 pipe 2 ip from any to 192.168.1.19 in

> 2) if by the second pipe rule you intend to limit outbound (upstream)

^second^first^ (I said I was caffeine deficient)


From: "Tony Saign"
Date: Mon, 15 Apr 2002 22:55:32 -0700
Subject: Limiting bw w/ dummynet question.
Message-ID: <000001c1e50b$521826c0$1401a8c0@frankenmobl>

After reading the man page for dummynet, I'm confused!

xeon# ipfw pipe 1 config bw 384Kbit/s
xeon# ipfw pipe 2 config bw 384Kbit/s
xeon# ipfw add pipe 1 ip from 192.168.1.19 to any out
00400 pipe 1 ip from 192.168.1.19 to any out
xeon# ipfw add pipe 2 ip from any to 192.168.1.19 in
00450 pipe 2 ip from any to 192.168.1.19 in

xeon# ipfw show
00050 827195 473961009 divert 8668 ip from any to any via fxp0
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 0 0 pipe 1 ip from 192.168.1.19 to any out
00450 4283 4567749 pipe 2 ip from any to 192.168.1.19 in
65000 1732420 1009118949 allow ip from any to any
65535 0 0 deny ip from any to any

xeon# ipfw pipe list
00001: 384.000 Kbit/s 0 ms 50 sl. 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
00002: 384.000 Kbit/s 0 ms 50 sl. 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000

System is a router/dhcpd box. fxp0 is inet, fxp1 is internal

Shouldn't the above "cap" both directions @ 384?
It appears to only cap download, but not upload.

-Tony


From: Luigi Rizzo
Date: Tue, 16 Apr 2002 11:10:26 -0700
To: Tony Saign
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Limiting bw w/ dummynet question.
Message-ID: <20020416111026.A39063@iguana.icir.org>

likely the problem is that the "divert" rule changes the source address of your packets to the one of the router box, so rule 400 will never match. Rule 450 does match because packets on the way in are translated again to the original address (now destination).

So you either put the address of the router box in rule 400 or (slightly trickier) use net.inet.ip.fw.one_pass=0 and put the 'pipe 1' rule before rule 50 (and add an 'allow ip from any to 192.168.1.19 in' rule after rule 450).

cheers
luigi

-----------------------------------+-------------------------------------
 Luigi RIZZO, luigi@iet.unipi.it  . Dip. di Ing. dell'Informazione
 http://www.iet.unipi.it/~luigi/  . Universita` di Pisa
 TEL/FAX: +39-050-568.533/522     . via Diotisalvi 2, 56126 PISA (Italy)
 Mobile   +39-347-0373137
-----------------------------------+-------------------------------------

On Mon, Apr 15, 2002 at 10:55:32PM -0700, Tony Saign wrote:
> After reading the man page for dummynet, I'm confused!
>
> xeon# ipfw pipe 1 config bw 384Kbit/s
> xeon# ipfw pipe 2 config bw 384Kbit/s
> xeon# ipfw add pipe 1 ip from 192.168.1.19 to any out
> 00400 pipe 1 ip from 192.168.1.19 to any out
> xeon# ipfw add pipe 2 ip from any to 192.168.1.19 in
> 00450 pipe 2 ip from any to 192.168.1.19 in
>
> xeon# ipfw show
> 00050 827195 473961009 divert 8668 ip from any to any via fxp0
> 00100 0 0 allow ip from any to any via lo0
> 00200 0 0 deny ip from any to 127.0.0.0/8
> 00300 0 0 deny ip from 127.0.0.0/8 to any
> 00400 0 0 pipe 1 ip from 192.168.1.19 to any out
> 00450 4283 4567749 pipe 2 ip from any to 192.168.1.19 in
> 65000 1732420 1009118949 allow ip from any to any
> 65535 0 0 deny ip from any to any
>
> xeon# ipfw pipe list
> 00001: 384.000 Kbit/s 0 ms 50 sl. 0 queues (1 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> 00002: 384.000 Kbit/s 0 ms 50 sl. 0 queues (1 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
>
> System is a router/dhcpd box. fxp0 is inet, fxp1 is internal
>
> Shouldn't the above "cap" both directions @ 384?
> It appears to only cap download, but not upload.
>
> -Tony


From: James O'Rourke
Date: Tue, 16 Apr 2002 11:22:54 -0700
Subject: Strange gateway issues

Hi,

I'm using a freebsd box as a gateway for an internal network. Configuration is like so:

<--- Internet ---> x.x.x.x (dynamic) FreeBSD 192.168.0.1 <------ LAN ------>

My problem is when I connect to certain sites from inside the LAN I get no response. my.yahoo.com is an example. After doing some packet sniffing, I notice that everything is as normal on making a connection with SYN, SYN ACK, ACK, ACK PSH all going through. When I make the GET request I get no response from my.yahoo.com for some reason. However, this does not occur when connecting from the gateway box. I thought this may have something to do with cookies, however that doesn't make sense to me. I'm using natd & ipfw and they are correctly configured from what I can see. It can't be a firewall problem or else surely I wouldn't be able to receive on the gateway box.

The packets are exactly the same coming from inside the LAN as from the gateway box until I send the GET packet - I receive nothing back. The other thing is that sometimes my.yahoo.com will work but then I can't access the links from my page.

This one really has got me beat - well almost. Any suggestions?

(copy of firewall script and natd.conf below:

----------------------------------
rc.firewall.current

#!/bin/sh
# Originally found at http://www.bsdtoday.com/2000/December/Features359.html
# By Peter Brezny
# Modifications done to support dynamic IP and default OS X configuration
# Available at: http://www3.sympatico.ca/dccote/firewall.html
#
# Simple stateful network firewall rules for IPFW with NAT v. 1.01
# See bottom of file for instructions and description of rules
# Created 20001206206 by Peter Brezny, pbrezny@purplecat.net (with a great
# deal of help from freebsd-security@freebsd.org). Specific questions
# about the use of ipfw should be directed to freebsd-ipfw@freebsd.org or
# more general security questions to freebsd-security@freebsd.org.
# Use this script at your own risk.
#
# if you don't know the a.b.c.0/xx notation for ip networks the ipsubnet
# calculator can help you. /usr/ports/net/ipsc-0.4.2
#
###########################
# Note: This does not apply to Mac OS X
#
# Brief Installation instructions
#
# Name this script /etc/rc.firewall.current
# Edit /etc/rc.conf to include
#   gateway_enable="YES"
#   firewall_enable="YES"
#   firewall_script="/etc/rc.firewall.current"
#   natd_enable="YES"
#   natd_interface="***"   # replace with your external ifX
#   natd_flags="-dynamic"
# Make sure your kernel is configured to handle ipfw and natd
# See the FreeBSD handbook on how to do this.
#
############################
# Make sure logging is enabled (disabled by default)
if [ `/usr/sbin/sysctl -n net.inet.ip.fw.verbose` = 0 ] ; then
    /usr/sbin/sysctl -w net.inet.ip.fw.verbose=1
fi
#
# Define your variables
#
#
fwcmd="/sbin/ipfw"        # leave as is if using ipfw
oif="ppp0"                # set to outside interface name (for DSL pppoe0 in 10.0.x, ppp0 in 10.1.x)
# set following line to outside ip address
# or leave as is for dynamic IP address)
oip=`/sbin/ifconfig $oif | grep inet | awk '{ print $2 }'`
onwr="$oip/8"             # set to outside network range
iif="en1"                 # set to internal interface name
inwr="192.168.0.0/16"     # set to internal network range
iip="192.168.0.1"         # set to internal ip address
mail="207.69.200.246"     # mail server sometimes requires 113
ns1=207.69.188.185        # set to primary name server best if = oif
ns2=207.69.188.186        # set to primary name server best if = oif
ntp=17.254.0.27           # set to ip of NTP server or leave as is
ntp1=17.254.0.31          # set to ip of NTP server or leave as is
ntp2=17.254.0.26          # set to ip of NTP server or leave as is
###
# Rules with descriptions
#
# Basic rules: there is no need to modify anything in this first section.
# This is the bare minimum to block simple spoofing.
###
#
# Force a flush of the current firewall rules before we reload
$fwcmd -f flush
# Allow your loop back to work
$fwcmd add allow all from any to any via lo0
# Prevent spoofing of your loopback
$fwcmd add deny log all from any to 127.0.0.0/8
# Allow DNS traffic from internet to query your DNS (for reverse
# lookups etc).
# (Seems to be necessary to put it here to make sure lookups are allowed ASAP)
# $fwcmd add allow udp from any 53 to $ns1 53 via $oif (Good with dynamic rules)
# $fwcmd add allow udp from any 53 to $ns2 53 via $oif (Good with dynamic rules)
$fwcmd add allow udp from any 53 to $oip via $oif
$fwcmd add allow udp from $oip to any 53 via $oif
#
# Stop spoofing of your internal network range
$fwcmd add deny log ip from $inwr to any in via $oif
#
# Stop spoofing from inside your private ip range
$fwcmd add deny log ip from not $inwr to any in via $iif
# Stop from gnutella - out of hand
$fwcmd add deny log tcp from any to $oip 6346
#
# Stop private networks (RFC1918) from entering the outside interface.
$fwcmd add deny log ip from 192.168.0.0/16 to any in via $oif
$fwcmd add deny log ip from 172.16.0.0/12 to any in via $oif
$fwcmd add deny log ip from 10.0.0.0/8 to any in via $oif
$fwcmd add deny log ip from any to 192.168.0.0/16 in via $oif
$fwcmd add deny log ip from any to 172.16.0.0/12 in via $oif
$fwcmd add deny log ip from any to 10.0.0.0/8 in via $oif
#
# Stop draft-manning-dsua-01.txt nets on the outside interface
$fwcmd add deny log all from 0.0.0.0/8 to any in via $oif
$fwcmd add deny log all from 169.254.0.0/16 to any in via $oif
$fwcmd add deny log all from 192.0.2.0/24 to any in via $oif
$fwcmd add deny log all from 224.0.0.0/4 to any in via $oif
$fwcmd add deny log all from 240.0.0.0/4 to any in via $oif
$fwcmd add deny log all from any to 0.0.0.0/8 in via $oif
$fwcmd add deny log all from any to 169.254.0.0/16 in via $oif
$fwcmd add deny log all from any to 192.0.2.0/24 in via $oif
$fwcmd add deny log all from any to 224.0.0.0/4 in via $oif
$fwcmd add deny log all from any to 240.0.0.0/4 in via $oif
#
###
# User rules: Some of the rules below are dependent on your configuration.
# They might require some adjustments. They are emphasized with the
# word "ADJUST".
###
# ADJUST: If you use NATD (for your 192.168.0.1 interface for instance)
# you must uncomment the following:
# Divert all packets through natd
$fwcmd add divert natd all from any to any via $oif
#
# Allow all established connections to persist (setup required
# for new connections).
$fwcmd add allow tcp from any to any established
#
# ADJUST: Allow incoming requests to reach the various services.
# To allow multiple services you may list them separated
# by a comma, for example ...to $oip 22,25,110,80 setup
# If you have an internal interface (e.g. if you do not run NATd)
# uncomment the second line to enable AppleTalk on it.
# $fwcmd add allow tcp from any to $oip 22 setup
$fwcmd add allow tcp from any to $oip 21,22,80,548 setup
# $fwcmd add allow tcp from any to $iip 548 setup via $oif
#
# NOTE: you may have to change your client to passive or active mode
# to get ftp to work once enabled, only ssh, ftp and appletalk enabled by default.
# 21:ftp enabled by default
# 22:ssh enabled by default
# 23:telnet
# 25:smtp
# 110:pop
# 143:imap
# 80:http
# 443:ssl
# 548:appleshare enabled by default
#
# Allow icmp packets for diagnostic purposes (ping traceroute)
# you may wish to leave commented out.
$fwcmd add allow icmp from any to any
#
# Allow required ICMP
$fwcmd add allow icmp from any to any icmptypes 3,4,11,12
#
# Allow time update traffic
$fwcmd add allow udp from $ntp to $oip
$fwcmd add allow udp from $ntp1 to $oip
$fwcmd add allow udp from $ntp2 to $oip
# Politely and quickly rejects AUTH requests (e.g. email and ftp)
$fwcmd add reset tcp from $mail to $oip 113
#
# Checks packets against dynamic rule set below.
# $fwcmd add check-state (Does not work in OS X)
#
# Allow any traffic from firewall ip to any going out the
# external interface
# $fwcmd add allow ip from $oip to any keep-state out via $oif (Does not work in OS X)
$fwcmd add allow ip from $oip to any out via $oif
#
# Allow any traffic from local network to any passing through the
# internal interface
# $fwcmd add allow ip from $inwr to any keep-state via $iif (Does not work in OS X)
$fwcmd add allow ip from $inwr to any via $iif
#
# Deny everything else
$fwcmd add 65435 deny log ip from any to any
#
#####################################################
#
# End firewall script.
---------------------
natd.conf

interface ppp0
dynamic yes
use_sockets yes
same_ports yes
----------------------

From owner-freebsd-ipfw Tue Apr 16 11:39:47 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mail2.dbitech.ca (radius.wavefire.com [139.142.95.252]) by hub.freebsd.org (Postfix) with SMTP id 414A637B404 for ; Tue, 16 Apr 2002 11:39:44 -0700 (PDT)
Received: (qmail 21353 invoked from network); 16 Apr 2002 18:58:05 -0000
Received: from ccliii.caniserv.com (HELO dbitech) (139.142.95.253) by radius.wavefire.com with SMTP; 16 Apr 2002 18:58:05 -0000
Message-Id: <3.0.32.20020416113942.03d7ec80@mail.ok-connect.com>
X-Sender: darcyb@mail.ok-connect.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Tue, 16 Apr 2002 11:39:42 -0700
To: freebsd-ipfw@FreeBSD.ORG
From: Darcy Buskermolen
Subject: A posible usefull tool
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

This may be a bit off topic, however I thought I'd forward it to the list as I think it could be a good addition if we wanted to get more IPFW in production.

A friend of mine recently ran across a good GUI tool for building iptables, ipfilter and OpenBSD's PF rule sets, and after taking a quick and dirty look at it I think it could be very useful to add an IPFW module to it.

The tool is called fwbuilder, available from www.fwbuilder.org

I lack the C++ coding experience to be of any use in developing such an interface, but thought I'd pass it along to the list in case there are any takers. Or even if someone happens to know a good ipfilter -> ipfw conversion tool that could be used to "get here from there".

\DB

From owner-freebsd-ipfw Tue Apr 16 12:54:44 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from gate.killian.com (gate.killian.com [205.179.65.162]) by hub.freebsd.org (Postfix) with ESMTP id D03BA37B400 for ; Tue, 16 Apr 2002 12:54:37 -0700 (PDT)
Received: (from smmsp@localhost) by gate.killian.com (8.11.6/8.11.6) id g3GJsWc04611 for ; Tue, 16 Apr 2002 12:54:32 -0700 (PDT) (envelope-from earl@killian.com)
Date: Tue, 16 Apr 2002 12:54:32 -0700 (PDT)
Message-Id: <200204161954.g3GJsWc04611@gate.killian.com>
X-Authentication-Warning: gate.killian.com: smmsp set sender to using -f
Received: from sax.killian.com(199.165.155.18) via SMTP by gate.killian.com, id smtpdHIzO4G; Tue Apr 16 12:54:23 2002
From: "Earl A. Killian"
To: freebsd-ipfw@freebsd.org
Subject: question about the FreeBSD 4.5-RELEASE simple entry in rc.firewall
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

At the end, for reference, I've reproduced the rules you get from 4.5-RELEASE rc.firewall with firewall_type="simple" and natd_enable="YES", and with some comments simplified. I tried this firewall, and I was not able to talk to my gateway machine from the hosts on the inside.
Looking at the rules below, I see only one rule that is specific to iif, and that is just to prevent the inside from pretending to be outside. Most of the rules are via oif, or to oip, and so don't apply to an inside machine talking to iip via iif. If I eliminate those rules, I'm left with:

Rules that apply to inet:imask talking to iip via iif:
    deny all from any to 127.0.0.0/8
    deny ip from 127.0.0.0/8 to any
    deny all from ${onet}:${omask} to any in via ${iif}
    pass tcp from any to any established
    pass all from any to any frag
    pass tcp from any to any setup

So what about icmp and udp? Do other sites really use this fw and just not ping or dns/ntp to their gateway from inside? Shouldn't the following be added after the stop-spoofing rules or something?:

    # Allow internal hosts complete access
    allow all from ${inet}:${imask} to ${iip} in recv ${iif}
    allow all from ${iip} to ${inet}:${imask} out xmit ${iif}

I also notice there are no rules for icmp at all. Shouldn't there be a

    # Allow pings out in the world
    pass icmp from ${oip} to any keep-state

down with the dns/ntp rules?

For reference, rc.firewall with firewall_type="simple" and natd_enable="YES":

    # Localhost interface
    100 pass all from any to any via lo0
    200 deny all from any to 127.0.0.0/8
    300 deny ip from 127.0.0.0/8 to any

    # Stop spoofing
    deny all from ${inet}:${imask} to any in via ${oif}
    deny all from ${onet}:${omask} to any in via ${iif}

    # Stop RFC1918 nets on the outside interface
    deny all from any to 10.0.0.0/8 via ${oif}
    deny all from any to 172.16.0.0/12 via ${oif}
    deny all from any to 192.168.0.0/16 via ${oif}

    # Stop draft-manning-dsua-03.txt nets on the outside interface
    deny all from any to 0.0.0.0/8 via ${oif}
    deny all from any to 169.254.0.0/16 via ${oif}
    deny all from any to 192.0.2.0/24 via ${oif}
    deny all from any to 224.0.0.0/4 via ${oif}
    deny all from any to 240.0.0.0/4 via ${oif}

    # Network Address Translation.
    divert natd all from any to any via ${natd_interface}

    # Stop RFC1918 nets on the outside interface
    deny all from 10.0.0.0/8 to any via ${oif}
    deny all from 172.16.0.0/12 to any via ${oif}
    deny all from 192.168.0.0/16 to any via ${oif}

    # Stop draft-manning-dsua-03.txt nets on the outside interface
    deny all from 0.0.0.0/8 to any via ${oif}
    deny all from 169.254.0.0/16 to any via ${oif}
    deny all from 192.0.2.0/24 to any via ${oif}
    deny all from 224.0.0.0/4 to any via ${oif}
    deny all from 240.0.0.0/4 to any via ${oif}

    # Allow TCP through if setup succeeded
    pass tcp from any to any established

    # Allow IP fragments to pass through
    pass all from any to any frag

    # Allow setup of incoming email
    pass tcp from any to ${oip} 25 setup

    # Allow access to our DNS
    pass tcp from any to ${oip} 53 setup
    pass udp from any to ${oip} 53
    pass udp from ${oip} 53 to any

    # Allow access to our WWW
    pass tcp from any to ${oip} 80 setup

    # Reject&Log all setup of incoming connections from the outside
    deny log tcp from any to any in via ${oif} setup

    # Allow setup of any other TCP connection
    pass tcp from any to any setup

    # Allow DNS queries out in the world
    pass udp from ${oip} to any 53 keep-state

    # Allow NTP queries out in the world
    pass udp from ${oip} to any 123 keep-state

From owner-freebsd-ipfw Wed Apr 17 4: 0:56 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from uwa.unitedway.org (msmail.unitedway.org [208.253.57.6]) by hub.freebsd.org (Postfix) with ESMTP id E531C37B400 for ; Wed, 17 Apr 2002 04:00:52 -0700 (PDT)
Received: by msmail.unitedway.org with Internet Mail Service (5.5.2653.19) id <26HX7D2K>; Wed, 17 Apr 2002 07:00:52 -0400
Message-ID: <4353ECE13C553F46B95EA6A1EFC82BEF0F1302@msmail.unitedway.org>
From: "Dang.Johnny"
To: 'Darcy Buskermolen' , freebsd-ipfw@FreeBSD.ORG
Subject: RE: A posible usefull tool
Date: Wed, 17 Apr 2002 07:00:50 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Have you heard of qtfw? It is a GUI for IPFW... It looks good, except when you install it: let's assume you have a newborn boy at the same time as you cd to /usr/ports/net/qtfw and issue the command make install. The boy grows up, finishes elementary school, then middle school, and then graduates from HS, and the installation is still going... :-)

-----Original Message-----
From: Darcy Buskermolen [mailto:darcy@wavefire.com]
Sent: Tuesday, April 16, 2002 2:40 PM
To: freebsd-ipfw@FreeBSD.ORG
Subject: A posible usefull tool

This may be a bit off topic, however I thought I'd forward it to the list as I think it could be a good addition if we wanted to get more IPFW in production.

A friend of mine recently ran across a good GUI tool for building iptables, ipfilter and OpenBSD's PF rule sets, and after taking a quick and dirty look at it I think it could be very useful to add an IPFW module to it.

The tool is called fwbuilder, available from www.fwbuilder.org

I lack the C++ coding experience to be of any use in developing such an interface, but thought I'd pass it along to the list in case there are any takers. Or even if someone happens to know a good ipfilter -> ipfw conversion tool that could be used to "get here from there".

\DB

From owner-freebsd-ipfw Wed Apr 17 14:19:25 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from great4.greatschools.net (great4.greatschools.net [199.4.104.154]) by hub.freebsd.org (Postfix) with ESMTP id 19D6737B405 for ; Wed, 17 Apr 2002 14:19:17 -0700 (PDT)
Received: from dh8.office.greatschools.net (dh8.office.greatschools.net [199.4.104.139]) by great4 (8.11.3/8.11.6) with ESMTP id g3FJQl679709 for ; Mon, 15 Apr 2002 12:26:49 -0700 (PDT) (envelope-from jdd@greatschools.net)
Date: Mon, 15 Apr 2002 12:26:47 -0700
Mime-Version: 1.0 (Apple Message framework v481)
Content-Type: text/plain; charset=US-ASCII; format=flowed
Subject: traffic shaper not quite right
From: John David Duncan
To: freebsd-ipfw@freebsd.org
Content-Transfer-Encoding: 7bit
X-Mailer: Apple Mail (2.481)
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hello,

I have an office with a 500Kbit/s partial T1 connection and two internal subnets (one of which is NAT firewalled). On the non-routing subnet I have a user who listens to streaming audio from shoutcast.net. I try to limit this whole segment with a 320Kbit/s queue on incoming traffic (rule 490), but the queue doesn't seem to do the right thing: the T1 is still saturated; the MRTG-type graphs continue to show flatline 500Kbps utilization; the bucket for the shoutcast user (bucket 49) does not show any dropped packets.

Is something wrong with the configuration? Can anyone help? It is a complex set of rules because there are three interfaces on the router.
- JD

fxp0 is at inet 199.4.104.158 [routable subnet]
dc0 is at inet 64.165.109.140 [T1]
dc1 is at inet 192.168.1.1 [NAT subnet]

kern.clockrate: { hz = 100, tick = 10000, tickadj = 5, profhz = 1024, stathz = 128 }
net.inet.ip.fw.one_pass: 0

#ipfw show
# Rules 100,200,900,1000 are Anti-IP-spoofing:

00100       0          0 deny ip from 199.4.104.128/27 to any in recv dc0
00200       3        120 deny ip from 192.168.0.0/16 to any in recv dc0
00300    4636     129808 allow igmp from any to 224.0.0.0/24
00400       0          0 allow udp from any to 224.0.0.0/24

# 400 Kbps pipe: routing subnet <--> internet
00450 1407393  235757596 pipe 3 ip from 199.4.104.128/27 to not 192.168.0.0/16 in recv fxp0
00470 4315861 2430690170 pipe 4 ip from not 192.168.0.0/16 to 199.4.104.128/27 out xmit fxp0

# 320 Kbps queue: internet --> NAT subnet
00490  522572  566492862 queue 1 ip from not 199.4.104.128/27 to any out xmit dc1

00500     559      28248 unreach port tcp [...] setup
00600       0          0 unreach port udp [...]

# natd -u -m -s -a 199.4.104.129
00700 3511249 2088173616 divert 8668 ip from any to any via dc0
00800      58      19269 allow udp from [...]
00900       0          0 deny log logamount 100 ip from not 199.4.104.128/27 to any in recv fxp0
01000       0          0 deny log logamount 100 ip from not 192.168.0.0/16 to any in recv dc1
65535 25608836 20535828203 allow ip from any to any

bash-2.05# ipfw pipe show
00003: 400.000 Kbit/s    0 ms   50 sl. 1 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 tcp    199.4.104.139/49749   199.4.104.158/22     2357011 376527402  0    0 918
00004: 400.000 Kbit/s    0 ms   50 sl. 1 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 tcp    192.168.1.107/4081    199.4.104.154/25     6480903 2769629456 0    0  10
00010: 320.000 Kbit/s    0 ms   10 KB 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
q00001: weight 5 pipe 10   50 sl. 15 queues (64 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x0000ffff/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  2 ip           0.0.0.0/0             0.0.1.2/0          53      7088  0    0   0
 38 ip           0.0.0.0/0           0.0.1.102/0       12676   9377918  0    0   0
 40 ip           0.0.0.0/0           0.0.1.104/0        2129   1354742  0    0   0
 41 ip           0.0.0.0/0           0.0.1.105/0          23      3995  0    0   0
 43 ip           0.0.0.0/0           0.0.1.107/0       13243  11747508  0    0   0
 46 ip           0.0.0.0/0           0.0.1.110/0       10123   8827868  0    0   0
 49 ip           0.0.0.0/0           0.0.1.113/0      402263 473946687  4 4541   0
 50 ip           0.0.0.0/0           0.0.1.114/0       16602  10231616  0    0  64
 52 ip           0.0.0.0/0           0.0.1.116/0        3497   3299405  0    0   0
 54 ip           0.0.0.0/0           0.0.1.118/0        4283   3470449  0    0   0
 56 ip           0.0.0.0/0           0.0.1.120/0        4064   3523496  0    0   0
 57 ip           0.0.0.0/0           0.0.1.121/0       14342  16914636  0    0   0
 58 ip           0.0.0.0/0           0.0.1.122/0       24860  18228508  0    0   0
 59 ip           0.0.0.0/0           0.0.1.123/0       17697  15428527  0    0   0
 63 ip           0.0.0.0/0           0.0.1.255/0        4824    366624  0    0   0

-------------------------------------------
John David Duncan
Systems Administrator
GreatSchools, Inc.
(415) 977-0700 x115

From owner-freebsd-ipfw Wed Apr 17 14:31:17 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from laptop.tenebras.com (laptop.tenebras.com [66.92.188.18]) by hub.freebsd.org (Postfix) with SMTP id B77C437B417 for ; Wed, 17 Apr 2002 14:31:13 -0700 (PDT)
Received: (qmail 8670 invoked from network); 17 Apr 2002 21:31:13 -0000
Received: from sapphire.tenebras.com (HELO tenebras.com) (66.92.188.241) by 0 with SMTP; 17 Apr 2002 21:31:13 -0000
Message-ID: <3CBDE9A0.2050403@tenebras.com>
Date: Wed, 17 Apr 2002 14:31:12 -0700
From: Michael Sierchio
Reply-To: kudzu@tenebras.com
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:0.9.9) Gecko/20020404
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: John David Duncan
Cc: freebsd-ipfw@freebsd.org
Subject: Re: traffic shaper not quite right
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

John David Duncan wrote:
> Is something wrong with the configuration? Can anyone help?

> 00450 1407393 235757596 pipe 3 ip from 199.4.104.128/27 to not
> 192.168.0.0/16 in recv fxp0
> 00470 4315861 2430690170 pipe 4 ip from not 192.168.0.0/16 to
> 199.4.104.128/27 out xmit fxp0
>
> # 320 Kbps queue: internet --> NAT subnet
> 00490 522572 566492862 queue 1 ip from not 199.4.104.128/27 to any
> out xmit dc1

where are the config statements for the pipes and queue?

From owner-freebsd-ipfw Wed Apr 17 16:32:28 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from iguana.icir.org (iguana.icir.org [192.150.187.36]) by hub.freebsd.org (Postfix) with ESMTP id D454237B419 for ; Wed, 17 Apr 2002 16:32:21 -0700 (PDT)
Received: (from rizzo@localhost) by iguana.icir.org (8.11.6/8.11.3) id g3HNWKv52079; Wed, 17 Apr 2002 16:32:20 -0700 (PDT) (envelope-from rizzo)
Date: Wed, 17 Apr 2002 16:32:20 -0700
From: Luigi Rizzo
To: John David Duncan
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: traffic shaper not quite right
Message-ID: <20020417163220.A51958@iguana.icir.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3.23i
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hi,

first, you cannot do much to limit incoming traffic that uses a non-adaptive protocol: pipes on the input side work for TCP (because you effectively delay acks in the other direction, thus controlling the source), but if you have uncontrolled UDP streams you have no way to block them.

Second, my impression is that there is a lot of traffic not matching any of your limiting rules and leaking to the default rule. You would probably have an easier-to-read ruleset if you avoided the net.inet.ip.fw.one_pass: 0 and tried to do nat before the shaping. Easier to read also means it becomes easier to see if there is traffic leaking to the default rule without going through any pipe.

cheers
luigi

On Mon, Apr 15, 2002 at 12:26:47PM -0700, John David Duncan wrote:
> Hello,
>
> I have an office with a 500Kbit/s partial T1 connection and two internal
> subnets (one of which is NAT firewalled). On the non-routing subnet I
> have a user who listens to streaming audio from shoutcast.net. I try to
> limit this whole segment with a 320Kbit/s queue on incoming traffic
> (rule 490), but the queue doesn't seem to do the right thing: the T1 is
> still saturated; the MRTG-type graphs continue to show flatline 500Kbps
> utilization; the bucket for the shoutcast user (bucket 49) does not show
> any dropped packets.
>
> Is something wrong with the configuration? Can anyone help? It is a
> complex
> set of rules because there are three interfaces on the router.
>
> - JD
>
> fxp0 is at inet 199.4.104.158 [routable subnet]
> dc0 is at inet 64.165.109.140 [T1]
> dc1 is at inet 192.168.1.1 [NAT subnet]
>
> kern.clockrate: { hz = 100, tick = 10000, tickadj = 5, profhz = 1024,
> stathz = 128 }
> net.inet.ip.fw.one_pass: 0
>
>
> #ipfw show
> # Rules 100,200,900,1000 are Anti-IP-spoofing:
>
> 00100 0 0 deny ip from 199.4.104.128/27 to any in recv dc0
> 00200 3 120 deny ip from 192.168.0.0/16 to any in recv dc0
> 00300 4636 129808 allow igmp from any to 224.0.0.0/24
> 00400 0 0 allow udp from any to 224.0.0.0/24
>
> # 400 Kbps pipe: routing subnet <--> internet
> 00450 1407393 235757596 pipe 3 ip from 199.4.104.128/27 to not 192.168.0.0/16 in recv fxp0
> 00470 4315861 2430690170 pipe 4 ip from not 192.168.0.0/16 to 199.4.104.128/27 out xmit fxp0
>
> # 320 Kbps queue: internet --> NAT subnet
> 00490 522572 566492862 queue 1 ip from not 199.4.104.128/27 to any out xmit dc1
>
> 00500 559 28248 unreach port tcp [...] setup
> 00600 0 0 unreach port udp [...]
>
> # natd -u -m -s -a 199.4.104.129
> 00700 3511249 2088173616 divert 8668 ip from any to any via dc0
> 00800 58 19269 allow udp from [...]
> 00900 0 0 deny log logamount 100 ip from not 199.4.104.128/27 to any in recv fxp0
> 01000 0 0 deny log logamount 100 ip from not 192.168.0.0/16 to any in recv dc1
> 65535 25608836 20535828203 allow ip from any to any
>
>
> bash-2.05# ipfw pipe show
> 00003: 400.000 Kbit/s 0 ms 50 sl. 1 queues (1 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>   0 tcp 199.4.104.139/49749 199.4.104.158/22 2357011 376527402 0 0 918
> 00004: 400.000 Kbit/s 0 ms 50 sl. 1 queues (1 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>   0 tcp 192.168.1.107/4081 199.4.104.154/25 6480903 2769629456 0 0 10
> 00010: 320.000 Kbit/s 0 ms 10 KB 0 queues (1 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> q00001: weight 5 pipe 10 50 sl. 15 queues (64 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x0000ffff/0x0000
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>   2 ip 0.0.0.0/0 0.0.1.2/0 53 7088 0 0 0
>  38 ip 0.0.0.0/0 0.0.1.102/0 12676 9377918 0 0 0
>  40 ip 0.0.0.0/0 0.0.1.104/0 2129 1354742 0 0 0
>  41 ip 0.0.0.0/0 0.0.1.105/0 23 3995 0 0 0
>  43 ip 0.0.0.0/0 0.0.1.107/0 13243 11747508 0 0 0
>  46 ip 0.0.0.0/0 0.0.1.110/0 10123 8827868 0 0 0
>  49 ip 0.0.0.0/0 0.0.1.113/0 402263 473946687 4 4541 0
>  50 ip 0.0.0.0/0 0.0.1.114/0 16602 10231616 0 0 64
>  52 ip 0.0.0.0/0 0.0.1.116/0 3497 3299405 0 0 0
>  54 ip 0.0.0.0/0 0.0.1.118/0 4283 3470449 0 0 0
>  56 ip 0.0.0.0/0 0.0.1.120/0 4064 3523496 0 0 0
>  57 ip 0.0.0.0/0 0.0.1.121/0 14342 16914636 0 0 0
>  58 ip 0.0.0.0/0 0.0.1.122/0 24860 18228508 0 0 0
>  59 ip 0.0.0.0/0 0.0.1.123/0 17697 15428527 0 0 0
>  63 ip 0.0.0.0/0 0.0.1.255/0 4824 366624 0 0 0
>
>
>
>
>
> -------------------------------------------
> John David Duncan
> Systems Administrator
> GreatSchools, Inc.
> (415) 977-0700 x115
>

From owner-freebsd-ipfw Thu Apr 18 7:43:58 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65]) by hub.freebsd.org (Postfix) with ESMTP id 0B56937B400 for ; Thu, 18 Apr 2002 07:43:49 -0700 (PDT)
Received: (from ru@localhost) by whale.sunbay.crimea.ua (8.11.6/8.11.2) id g3IEgoh74146; Thu, 18 Apr 2002 17:42:50 +0300 (EEST) (envelope-from ru)
Date: Thu, 18 Apr 2002 17:42:50 +0300
From: Ruslan Ermilov
To: Michael Loftis
Cc: Giannis Nikopoulos , freebsd-ipfw@FreeBSD.ORG
Subject: Re: Load balancing with NATD
Message-ID: <20020418144250.GF70982@sunbay.com>
References: <200204071726.UAA12257@pontus.cs.uoi.gr> <3CB9B72B.7020908@wgops.com>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="Bqc0IY4JZZt50bUr"
Content-Disposition: inline
In-Reply-To: <3CB9B72B.7020908@wgops.com>
User-Agent: Mutt/1.3.27i
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sun, Apr 14, 2002 at 10:06:51AM -0700, Michael Loftis wrote:
> natd won't be doing what you want..... Not quite anyway, but what you
> might want to do is take the natd source, modify it to do your bidding
> (IE change the round-robin algorithm that it currently supports) and
> then run it that way. It shouldn't be too difficult.
> Someone also
> mentioned in another thread called (I think) dcpd or similar, basically
> a divert(4) framework program to which you can plug in your own code to
> do the dirty.
>
Yes it does support this, but in a simplistic form. Search for the
"LSNAT" word in the natd(8) and libalias(3) manpages.

> Giannis Nikopoulos wrote:
>
> >Hello everybody !!!
> >
> >I'm just a new member of both the FreeBSD world and this list
> >so I hope you will bear with my ignorance.
> >
> >This is the problem:
> >
> >I have a FreeBSD 4.5 running as a router between the outer world and
> >a private network (192.168.0.0) of 3 servers. I use natd to handle
> >traffic between the outer world and the PN. My goal (as part of a simple
> >university course project) is to perform load balancing among the 3
> >back-end servers. I've written down a load balancing algorithm, that
> >uses reporting agents running on the 3 servers and reporting their load
> >on a central coordinator running on the FreeBSD router. The question is:
> >
> >How can I use natd (or maybe another tool, say ipfw or some proxy, I don't
> >know) in order to dynamically dispatch (redirect) incoming connections
> >among the 3 back-end servers. As far as I can tell, natd performs
> >redirection
> >(along with address translation) but in a static way (correct me if I'm
> >wrong, I've already explained I'm new to this stuff).
> >
> >Is there any way I can instruct natd to selectively choose to which
> >server
> >it will redirect a connection by applying a set of rules or I will have to
> >hack into natd's source code.
> >
> >I don't know if I should have provided more feedback on this case but or be
> >a little more specific. Can anyone help ?
> >
> >Thanx in advance
> >
>
>
>

--
Ruslan Ermilov		Sysadmin and DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age

From owner-freebsd-ipfw Thu Apr 18 8:58:36 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from free.wgops.com (dsl092-002-178.sfo1.dsl.speakeasy.net [66.92.2.178]) by hub.freebsd.org (Postfix) with ESMTP id 0E75937B416; Thu, 18 Apr 2002 08:58:33 -0700 (PDT)
Received: from wgops.com ([10.1.2.207]) by free.wgops.com (8.11.3/8.11.3) with ESMTP id g3IFwVR65844; Thu, 18 Apr 2002 08:58:31 -0700 (PDT) (envelope-from mloftis@wgops.com)
Message-ID: <3CBEED27.1030305@wgops.com>
Date: Thu, 18 Apr 2002 08:58:31 -0700
From: Michael Loftis
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.4.1) Gecko/20020314 Netscape6/6.2.2
X-Accept-Language: en-us
MIME-Version: 1.0
To: Ruslan Ermilov
Cc: Giannis Nikopoulos , freebsd-ipfw@FreeBSD.ORG
Subject: Re: Load balancing with NATD
References: <200204071726.UAA12257@pontus.cs.uoi.gr> <3CB9B72B.7020908@wgops.com> <20020418144250.GF70982@sunbay.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Ruslan Ermilov wrote:
>Yes it does support this, but in a simplistic form. Search for the
>"LSNAT" word in the natd(8) and libalias(3) manpages.
>

You missed part of his question, he has his own algorithm he's using. The question wasn't if it supported it, but if it supported whacking out the RR mechanism in favor of some other algo.

From owner-freebsd-ipfw Sat Apr 20 16:34:34 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from free.wgops.com (dsl092-002-178.sfo1.dsl.speakeasy.net [66.92.2.178]) by hub.freebsd.org (Postfix) with ESMTP id B80E137B41B for ; Sat, 20 Apr 2002 16:34:25 -0700 (PDT)
Received: from wgops.com ([10.1.2.207]) by free.wgops.com (8.11.3/8.11.3) with ESMTP id g3KNYOR93507; Sat, 20 Apr 2002 16:34:24 -0700 (PDT) (envelope-from mloftis@wgops.com)
Message-ID: <3CC1FB00.5040600@wgops.com>
Date: Sat, 20 Apr 2002 16:34:24 -0700
From: Michael Loftis
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.4.1) Gecko/20020314 Netscape6/6.2.2
X-Accept-Language: en-us
MIME-Version: 1.0
To: saign
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re:
References: <200204161504.g3GF4aZ08740@cluster2.tfb.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

*blink* *blink*

The problem is your NAT line. After 00050 there is no external IP on outbound packets. After the divert line everything coming in is converted to internal representation, and everything going out is converted to external representation. Therefore 00400 needs to be modified to have the external address instead of the internal (192.168.x.x) address.

saign wrote:
>After reading the man page for dummynet, I'm confused!
>
>xeon# ipfw pipe 1 config bw 384Kbit/s
>xeon# ipfw pipe 2 config bw 384Kbit/s
>xeon# ipfw add pipe 1 ip from 192.168.1.19 to any out
>00400 pipe 1 ip from 192.168.1.19 to any out
>xeon# ipfw add pipe 2 ip from any to 192.168.1.19 in
>00450 pipe 2 ip from any to 192.168.1.19 in
>
>xeon# ipfw show
>00050 827195 473961009 divert 8668 ip from any to any via fxp0
>00100 0 0 allow ip from any to any via lo0
>00200 0 0 deny ip from any to 127.0.0.0/8
>00300 0 0 deny ip from 127.0.0.0/8 to any
>00400 0 0 pipe 1 ip from 192.168.1.19 to any out
>00450 4283 4567749 pipe 2 ip from any to 192.168.1.19 in
>65000 1732420 1009118949 allow ip from any to any
>65535 0 0 deny ip from any to any
>
>xeon# ipfw pipe list
>00001: 384.000 Kbit/s 0 ms 50 sl. 0 queues (1 buckets) droptail
>    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
>00002: 384.000 Kbit/s 0 ms 50 sl. 0 queues (1 buckets) droptail
>    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
>
>System is a router/dhcpd box. fxp0 is inet, fxp1 is internal
>
>Shouldn't the above "cap" both directions @ 384?
>It appears to only cap download, but not upload.
>
>-Tony
>
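As an added example, not code from the thread and not ipfw or natd source, the following Python sketch is a small first-match model of two points made in this digest: Michael Loftis's reply to saign just above (past the divert rule an outbound packet already carries the external address, so a pipe rule keyed on 192.168.1.19 never matches, and only the download direction is shaped) and Luigi Rizzo's advice to John David Duncan earlier to do NAT before shaping and avoid net.inet.ip.fw.one_pass=0. The external address 203.0.113.5 and the remote host 198.51.100.7 are constructed placeholders; the natd model knows one inside host instead of a real session table, and only the "in"/"out"/"via" qualifiers used by saign's rules are modelled.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

EXTERNAL = "203.0.113.5"      # constructed: the public address on fxp0
INSIDE_NET = "192.168.0.0/16"
INSIDE = "192.168.1.19"       # the host saign wants to shape
REMOTE = "198.51.100.7"       # constructed: some host on the Internet


@dataclass
class Packet:
    src: str
    dst: str
    direction: str   # "in" = received on iface, "out" = being sent on iface
    iface: str


@dataclass
class Rule:
    num: int
    action: str                      # "allow", "deny", "divert" or "pipe"
    src: str = "any"                 # "any", an address or a CIDR prefix
    dst: str = "any"
    direction: Optional[str] = None  # "in", "out" or None for either
    via: Optional[str] = None        # interface name or None for any
    pipe: int = 0


def _addr_ok(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def _matches(rule: Rule, pkt: Packet) -> bool:
    return (_addr_ok(rule.src, pkt.src) and _addr_ok(rule.dst, pkt.dst)
            and rule.direction in (None, pkt.direction)
            and rule.via in (None, pkt.iface))


def natd(pkt: Packet) -> Packet:
    """Model of natd on a diverted packet: outbound traffic from the inside net
    leaves with EXTERNAL as source, inbound traffic for EXTERNAL is handed to the
    inside host. Real natd keeps a per-session table; this model knows one host."""
    if pkt.direction == "out" and _addr_ok(INSIDE_NET, pkt.src):
        return replace(pkt, src=EXTERNAL)
    if pkt.direction == "in" and pkt.dst == EXTERNAL:
        return replace(pkt, dst=INSIDE)
    return pkt


def run(rules: List[Rule], pkt: Packet,
        one_pass: bool = True) -> Tuple[str, List[int], Packet]:
    """One first-match pass. Returns (verdict, pipes hit, packet as it leaves).
    divert: natd rewrites the packet and matching resumes at the next rule.
    pipe: one_pass=1 accepts the shaped packet; one_pass=0 keeps matching."""
    pipes: List[int] = []
    for rule in sorted(rules, key=lambda r: r.num):
        if not _matches(rule, pkt):
            continue
        if rule.action == "divert":
            pkt = natd(pkt)
        elif rule.action == "pipe":
            pipes.append(rule.pipe)
            if one_pass:
                return "allow", pipes, pkt
        else:
            return rule.action, pipes, pkt
    return "deny", pipes, pkt    # implicit rule 65535


def saign_rules() -> List[Rule]:
    """The ruleset from the quoted `ipfw show` output."""
    return [
        Rule(50, "divert", via="fxp0"),
        Rule(100, "allow", via="lo0"),
        Rule(200, "deny", dst="127.0.0.0/8"),
        Rule(300, "deny", src="127.0.0.0/8"),
        Rule(400, "pipe", src=INSIDE, direction="out", pipe=1),
        Rule(450, "pipe", dst=INSIDE, direction="in", pipe=2),
        Rule(65000, "allow"),
    ]


def fixed_rules() -> List[Rule]:
    """The fix from the reply: past the divert an outbound packet carries the
    external address, so rule 400 has to match that address."""
    rules = saign_rules()
    rules[4] = Rule(400, "pipe", src=EXTERNAL, direction="out", via="fxp0", pipe=1)
    return rules


def shape_before_nat_rules() -> List[Rule]:
    """Alternative: keep matching the private address by putting the pipe rule
    in front of the divert. Only correct together with one_pass=0."""
    rules = saign_rules()
    rules[4] = Rule(40, "pipe", src=INSIDE, direction="out", via="fxp0", pipe=1)
    return rules


def unshaped(rules: List[Rule], pkts: List[Packet],
             one_pass: bool = True) -> List[Packet]:
    """Audit helper: packets that are accepted without going through any pipe."""
    leaked = []
    for p in pkts:
        verdict, pipes, _ = run(rules, p, one_pass)
        if verdict == "allow" and not pipes:
            leaked.append(p)
    return leaked
```

With `upload = Packet(INSIDE, REMOTE, "out", "fxp0")` and `download = Packet(REMOTE, EXTERNAL, "in", "fxp0")`, `run(saign_rules(), upload)` hits no pipe while the download hits pipe 2, which is exactly the one-directional cap Tony observed; `fixed_rules()` shapes both. `shape_before_nat_rules()` shows the trap behind Luigi's advice: with one_pass=1 the packet is accepted straight after the pipe and leaves with its private source address, never reaching the divert (ipfw(8) documents that with one_pass set a packet leaving a dummynet pipe is not passed through the firewall again), and only with one_pass=0 does it continue to natd, at the price of every later rule seeing each shaped packet a second time. `unshaped()` is the audit Luigi suggests: it lists the traffic that reaches the allow rule without passing through any pipe.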