Date: Tue, 10 Sep 2002 11:43:17 +0900 From: "nuro_pro" <maillist@withdoc.net> To: <freebsd-questions@freebsd.org> Subject: dummynet doesn't works Message-ID: <003e01c25873$db27b0d0$0200a8c0@SUPPER>
next in thread | raw e-mail | index | archive | help
I set it up my samba server bw limiting as 80.000 Kbit/s follows.
But it still works at 300KB/s above speed.
What is wrong?
kernel compile options
options IPFIREWALL #firewall
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=200
options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN
options ICMP_BANDLIM
options DUMMYNET
options IPFIREWALL_FORWARD
options IPDIVERT
uname -a
FreeBSD locahost 4.6-STABLE FreeBSD 4.6-STABLE #9: Tue Sep 10 09:36:48 KST
2002 vinu@localhost:/usr/obj/usr/src/sys/nute i386
my firewall script
if [ -r /etc/defaults/rc.conf ]; then
. /etc/defaults/rc.conf
source_rc_confs
elif [ -r /etc/rc.conf ]; then
. /etc/rc.conf
fi
if [ -n "${1}" ]; then
firewall_type="${1}"
fi
fwcmd="/sbin/ipfw"
outside_network_device="xl0"
outside_network="192.168.0.0"
outside_network_mask="255.255.255.0"
outside_network_ip="192.168.0.4"
dns1="168.126.63.1"
dns2="168.126.63.2"
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
# ${fwcmd} add deny all from ${outside_network}:${outside_network_mask} to
any in via ${inside_network_device}
${fwcmd} add deny all from any to 10.0.0.0/8 via ${outside_network_device}
${fwcmd} add deny all from any to 172.16.0.0/12 via
${outside_network_device}
${fwcmd} add deny all from any to 0.0.0.0/8 via ${outside_network_device}
${fwcmd} add deny all from any to 169.254.0.0/16 via
${outside_network_device}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${outside_network_device}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${outside_network_device}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${outside_network_device}
# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from 10.0.0.0/8 to any via ${outside_network_device}
${fwcmd} add deny all from 172.16.0.0/12 to any via
${outside_network_device}
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from 0.0.0.0/8 to any via ${outside_network_device}
${fwcmd} add deny all from 169.254.0.0/16 to any via
${outside_network_device}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${outside_network_device}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${outside_network_device}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${outside_network_device}
# Allow established connections with minimal overhead
${fwcmd} add pass tcp from any to any established
# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag
# HTTP - Allow access to our web server
${fwcmd} add pass tcp from any to any 80 setup
# SMTP - Allow access to sendmail for incoming e-mail
${fwcmd} add pass tcp from any to any 25 setup
# ssmtp
${fwcmd} add pass tcp from any to any 465 setup
# pop
${fwcmd} add pass tcp from any to any 110 setup
# imap
${fwcmd} add pass tcp from any to any 143 setup
# pop3s
${fwcmd} add pass tcp from any to any 995 setup
# imaps
${fwcmd} add pass tcp from any to any 993 setup
# FTP - Allow incoming data channel for outgoing connections,
# reject & log all incoming control connections
${fwcmd} add pass tcp from any 20 to any 1024-65535 setup
${fwcmd} add pass tcp from any to any 21 in via ${outside_network_device}
setup
# SSH Login - Allow & Log all incoming
${fwcmd} add pass log tcp from any to any 22 in via
${outside_network_device} setup
# IDENT - Reset incoming connections
${fwcmd} add reset tcp from any to any 113 in via ${outside_network_device}
setup
# Reject&Log all setup of incoming connections from the outside
# ${fwcmd} add deny log tcp from any to any in via ${outside_network_device}
setup
# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any setup
# DNS - Allow queries out in the world
${fwcmd} add pass udp from any to ${dns1} 53
${fwcmd} add pass udp from any to ${dns2} 53
${fwcmd} add pass udp from ${dns1} 53 to any
${fwcmd} add pass udp from ${dns2} 53 to any
${fwcmd} add pass tcp from any to ${dns1} 53
${fwcmd} add pass tcp from any to ${dns2} 53
${fwcmd} add pass tcp from ${dns1} 53 to any
${fwcmd} add pass tcp from ${dns2} 53 to any
${fwcmd} add pass tcp from any to 192.168.0.4 53
${fwcmd} add pass tcp from 192.168.0.4 53 to any
${fwcmd} add pass udp from any to 192.168.0.4 53
${fwcmd} add pass udp from 192.168.0.4 53 to any
#${fwcmd} add check-state
#${fwcmd} queue 1 config pipe 10
#${fwcmd} pipe 10 config bw 10bit/s
#${fwcmd} queue 1 config pipe 1 weight 1
${fwcmd} pipe 1 config bw 10KByte/s
# SMB - Allow local traffic
#${fwcmd} add pass log tcp from any to any 137 via ${outside_network_device}
keep-state
#${fwcmd} add pass log tcp from any to any 138 via ${outside_network_device}
keep-state
#${fwcmd} add pipe 1 log tcp from any to any 139 via
${outside_network_device}
#${fwcmd} add pipe 1 log tcp from any to any 445 via
${outside_network_device}
#${fwcmd} add queue 1 log tcp from any to any 139 in recv
${outside_network_device}
#${fwcmd} add queue 1 log tcp from any to any 139 out xmit
${outside_network_device}
#${fwcmd} add queue 1 log tcp from any to any 445 via
${outside_network_device}
#${fwcmd} add pipe 1 tcp from any to any 137,139 in
${outside_network_device}
${fwcmd} add pipe 1 tcp from any to any 137,139 via
${outside_network_device}
#${fwcmd} add queue 1 config pipe 1 weight 1
#${fwcmd} pipe 1 tcp from any to any 139
#${fwcmd} pipe 1 tcp from any to any 445
#${fwcmd} add pass log tcp from any 139 to any via ${outside_network_device}
#${fwcmd} add pass log tcp from any 445 to any via ${outside_network_device}
#${fwcmd} add pass log udp from any to any 137 via ${outside_network_device}
#${fwcmd} add pass log udp from any to any 138 via ${outside_network_device}
#${fwcmd} add pass log udp from any to any 139 via ${outside_network_device}
#${fwcmd} add pass log udp from any to any 445 via ${outside_network_device}
# NTP - Allow queries out in the world
${fwcmd} add pass udp from any 123 to any 123 via ${outside_network_device}
# TRACEROUTE - Allow outgoing
${fwcmd} add pass udp from any to any 33434-33523 out via
${outside_network_device}
# Allow outgoing pings
${fwcmd} add pass icmp from any to any icmptypes 8 out via
${outside_network_device}
${fwcmd} add pass icmp from any to any icmptypes 0 in via
${outside_network_device}
# Allow Destination Unreachable, Source Quench, Time Exceeded, and Bad
Header
${fwcmd} add pass icmp from any to any icmptypes 3,4,11,12 via
${outside_network_device}
# edonkey
${fwcmd} add pass log tcp from any to any 4662 via ${outside_network_device}
keep-state
${fwcmd} add pass log tcp from any to any 4661 via ${outside_network_device}
keep-state
${fwcmd} add pass log tcp from any 4661 to any via ${outside_network_device}
keep-state
${fwcmd} add pass log tcp from any 4662 to any via ${outside_network_device}
keep-state
${fwcmd} add pass log tcp from any to any 4665 via ${outside_network_device}
keep-state
${fwcmd} add pass log tcp from any 4665 to any via ${outside_network_device}
keep-state
${fwcmd} add pass log udp from any to any 4665 via ${outside_network_device}
keep-state
${fwcmd} add pass log udp from any 4665 to any via ${outside_network_device}
keep-state
# Deny the rest of them
#${fwcmd} add deny icmp from any to any
# ipfw pipe list00001: 80.000 Kbit/s 0 ms 50 sl. 0 queues (1 buckets)
droptail mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000q00001: weight
1 pipe 1 50 sl. 0 queues (1 buckets) droptail mask: 0x00
0x00000000/0x0000 -> 0x00000000/0x0000
# ipfw queue list00001: 80.000 Kbit/s 0 ms 50 sl. 0 queues (1 buckets)
droptail mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000q00001: weight
1 pipe 1 50 sl. 0 queues (1 buckets) droptail mask: 0x00
0x00000000/0x0000 -> 0x00000000/0x0000
# ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from any to 10.0.0.0/8 via xl0
00400 deny ip from any to 172.16.0.0/12 via xl0
00500 deny ip from any to 0.0.0.0/8 via xl0
00600 deny ip from any to 169.254.0.0/16 via xl0
00700 deny ip from any to 192.0.2.0/24 via xl0
00800 deny ip from any to 224.0.0.0/4 via xl0
00900 deny ip from any to 240.0.0.0/4 via xl0
01000 deny ip from 10.0.0.0/8 to any via xl0
01100 deny ip from 172.16.0.0/12 to any via xl0
01200 deny ip from 0.0.0.0/8 to any via xl0
01300 deny ip from 169.254.0.0/16 to any via xl0
01400 deny ip from 192.0.2.0/24 to any via xl0
01500 deny ip from 224.0.0.0/4 to any via xl0
01600 deny ip from 240.0.0.0/4 to any via xl0
01700 allow tcp from any to any established
01800 allow ip from any to any frag
01900 allow tcp from any to any 80 setup
02000 allow tcp from any to any 25 setup
02100 allow tcp from any to any 465 setup
02200 allow tcp from any to any 110 setup
02300 allow tcp from any to any 143 setup
02400 allow tcp from any to any 995 setup
02500 allow tcp from any to any 993 setup
02600 allow tcp from any 20 to any 1024-65535 setup
02700 allow tcp from any to any 21 in recv xl0 setup
02800 allow log logamount 200 tcp from any to any 22 in recv xl0 setup
02900 reset tcp from any to any 113 in recv xl0 setup
03000 allow tcp from any to any setup
03100 allow udp from any to 168.126.63.1 53
03200 allow udp from any to 168.126.63.2 53
03300 allow udp from 168.126.63.1 53 to any
03400 allow udp from 168.126.63.2 53 to any
03500 allow tcp from any to 168.126.63.1 53
03600 allow tcp from any to 168.126.63.2 53
03700 allow tcp from 168.126.63.1 53 to any
03800 allow tcp from 168.126.63.2 53 to any
03900 allow tcp from any to 192.168.0.4 53
04000 allow tcp from 192.168.0.4 53 to any
04100 allow udp from any to 192.168.0.4 53
04200 allow udp from 192.168.0.4 53 to any
04300 pipe 1 tcp from any to any 137,139 via xl0
04400 allow udp from any 123 to any 123 via xl0
04500 allow udp from any to any 33434-33523 out xmit xl0
04600 allow icmp from any to any out xmit xl0 icmptype 8
04700 allow icmp from any to any in recv xl0 icmptype 0
04800 allow icmp from any to any via xl0 icmptype 3,4,11,12
04900 allow log logamount 200 tcp from any to any 4662 keep-state via xl0
05000 allow log logamount 200 tcp from any to any 4661 keep-state via xl0
05100 allow log logamount 200 tcp from any 4661 to any keep-state via xl0
05200 allow log logamount 200 tcp from any 4662 to any keep-state via xl0
05300 allow log logamount 200 tcp from any to any 4665 keep-state via xl0
05400 allow log logamount 200 tcp from any 4665 to any keep-state via xl0
05500 allow log logamount 200 udp from any to any 4665 keep-state via xl0
05600 allow log logamount 200 udp from any 4665 to any keep-state via xl0
65535 deny ip from any to any
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?003e01c25873$db27b0d0$0200a8c0>