PF + Dummynet + FreeBSD 8.2 problem - The FreeBSD Forums
#1 msurucu, July 8th, 2011, 22:42
PF + Dummynet + FreeBSD 8.2 problem

Hello,

I used PF and dummynet together for about two years and it worked fine.
Recently I upgraded the system from 7.2 to 8.2 and dummynet doesn't work anymore.
If any packet belonging to the client IP is put into any pipe, it is dropped, and pflog says it was blocked by the last pf rule. But it matches the previous rule.
If I disable (flush) the ipfw rules, packets pass normally.

Does anybody have the same experience?

Code:
#tcpdump -nettt -i pflog0 -s 256 | grep 10.10.10.251
00:00:00.127448 rule 471/0(match): block in on bce1: 74.209.160.12.80 > 10.10.10.251.60622: Flags [S.], seq 626280344, ack 4278536801, win 32768, options [mss 1460,nop,wscale 0], length 0
00:00:00.054181 rule 471/0(match): block in on bce1: 74.209.160.12.80 > 10.10.10.251.60622: Flags [S.], seq 626280344, ack 4278536801, win 32768, options [mss 1460,nop,wscale 0], length 0
00:00:00.000935 rule 471/0(match): block in on bce1: 74.209.160.12.80 > 10.10.10.251.60622: Flags [S.], seq 626280344, ack 4278536801, win 32768, options [mss 1460,nop,wscale 0], length 0
00:00:00.217543 rule 471/0(match): block in on bce1: 74.209.160.12.80 > 10.10.10.251.60622: Flags [S.], seq 626280344, ack 4278536801, win 32768, options [mss 1460,nop,wscale 0], length 0
Code:
#pfctl -vvsr
@471 block drop in log on bce1 all
  [ Evaluations: 16084     Packets: 5254      Bytes: 432799      States: 0     ]
  [ Inserted: uid 0 pid 17409 ]
@472 block drop out log on bce1 all
  [ Evaluations: 19982     Packets: 14717     Bytes: 1078591     States: 0     ]
  [ Inserted: uid 0 pid 17409 ]
Code:
#uname -a
FreeBSD blabla.com 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Fri Jul  8 17:04:18 EEST 2011     root@blabla.com:/usr/src/sys/amd64/compile/FW2KERNEL3  amd64
Code:
#cat FW2KERNEL3
...
options IPFIREWALL
#options IPSTEALTH
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_FORWARD
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=50
options DUMMYNET
options HZ=8000
Code:
#cat /etc/rc.conf
...
pf_enable="YES"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pf_rules="/etc/pf.conf"
firewall_enable="YES"
firewall_type="open"
firewall_script="/etc/ipfw.rules"
firewall_logging="YES"
...
Code:
#cat pf.conf
#
#
###
### MACROS
###
#
dis_uc="bce1"
ic_uc="bce0"
TCP_FLAGS=""
KS="keep state"
tcp_services_in="{ 5004, 6891:6900, 9000 }"
utorrent_in="{ 22588 }"
tcp_services_out = "{ 23, www, auth, pop3, pop3s ... }"
udp_services_out = "{ pop3s, imaps, ... }"
denied_services = "{ 113, 137, 138, 139 }"
icmp_types = "{ echoreq, unreach }"
...
### OPTIONS
###
#
set limit states      10000000
set limit src-nodes      50000
set limit frags          10000
set limit tables          5000
set limit table-entries 250000
###
### NORMALIZATION
###
scrub   in   all
scrub   out  all
###
### NAT
###
...
nat on $dis_uc from 10.10.10.0/24  to any ->  SOME.IP/32      
...
###
### FILTER
###
...
pass out quick on $dis_uc inet proto tcp from any to any port $tcp_services_out $TCP_FLAGS $KS
pass out quick on $dis_uc inet proto udp from any to any port $udp_services_out $KS
...
block in log on $dis_uc all
block out log on $dis_uc all
Code:
#cat /etc/ipfw.rules
#!/bin/sh
ipfw -q -f flush
cmd="ipfw -q add"
cmd2="ipfw -q"
$cmd2 table 1 flush
$cmd2 table 1 add 10.10.10.251/32
$cmd2 pipe flush
$cmd pipe 1 ip from any to "table(1)" in
$cmd2 pipe 1 config bw 13Mbit/s
If I disable the last input rule "block in log on $dis_uc all", then 10.10.10.251 has a 12-13 Mbit limit.

Sorry for poor English.
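Added example, not part of the thread: a small sh/awk parser over constructed pflog lines in the format of the tcpdump output above. It flags inbound blocks on the external interface whose destination is already an internal address, which is what you would expect if the packet is re-injected after the dummynet pipe and evaluated by pf a second time after NAT has been undone; the interface name, the "10.10.10." prefix check, the 203.0.113.5 external address and that interpretation are assumptions, not something the poster stated.

```shell
#!/bin/sh
# Flag pflog entries where a packet arriving inbound on the external interface
# was blocked while already carrying an internal (post-NAT) destination address.
# Assumed explanation (not stated in the thread): dummynet re-injects the packet
# after the pipe and pf evaluates it again, now un-NATed and without a state.

# Constructed sample lines in the format of "tcpdump -nettt -i pflog0" output.
# 203.0.113.5 stands in for the poster's SOME.IP external address.
SAMPLE_PFLOG='00:00:00.127448 rule 471/0(match): block in on bce1: 74.209.160.12.80 > 10.10.10.251.60622: Flags [S.], seq 626280344, ack 4278536801, win 32768, length 0
00:00:00.000120 rule 471/0(match): block in on bce1: 198.51.100.7.443 > 203.0.113.5.51000: Flags [S.], seq 1, ack 1, win 65535, length 0
00:00:00.000300 rule 471/0(match): block in on bce0: 10.10.10.251.60622 > 74.209.160.12.80: Flags [S], seq 1, win 65535, length 0'

# flag_reinjected IFACE LAN_PREFIX < pflog-lines
# Prints "rule=<n> src=<ip> dst=<ip>" for every inbound block on IFACE whose
# destination address starts with LAN_PREFIX (e.g. "10.10.10.").
flag_reinjected() {
    awk -v ifc="$1:" -v lan="$2" '
        $2 == "rule" && $4 == "block" && $5 == "in" && $7 == ifc {
            rule = $3; sub(/\/.*/, "", rule)              # "471/0(match):" -> "471"
            src = $8;  sub(/\.[0-9]+$/, "", src)          # drop the port
            dst = $10; sub(/:$/, "", dst); sub(/\.[0-9]+$/, "", dst)
            if (index(dst, lan) == 1)
                printf "rule=%s src=%s dst=%s\n", rule, src, dst
        }'
}

# count_reinjected IFACE LAN_PREFIX < pflog-lines : number of flagged entries
count_reinjected() {
    flag_reinjected "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample: only the first line is flagged.
printf '%s\n' "$SAMPLE_PFLOG" | flag_reinjected bce1 10.10.10.
```

On the real box, feed it with `tcpdump -nettt -r /var/log/pflog | flag_reinjected bce1 10.10.10.`; a block of unsolicited traffic to the external address (second sample line) is not flagged, so hits point at the double-evaluation case rather than ordinary filtering.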
#2 msurucu, July 13th, 2011, 13:02
Any suggestions?
#3 msurucu, July 15th, 2011, 11:26
Solved
I tried many configurations; one of them works.
#4 SirDice (Moderator), July 15th, 2011, 12:38
Don't use two different firewalls. Use either PF/ALTQ or IPFW/Dummynet, not a combination of both.
__________________
Senior UNIX Engineer at Unix Support Nederland
Experience is something you don't get until just after you need it.
#5 msurucu, July 15th, 2011, 12:47
A combination of both is better than one of them.
ALTQ doesn't have a bw limit per IP, so I must use dummynet for my network.
IPFW is a good firewall but natd is not a good solution for the NAT process.
And for about 4 or 5 years, it has worked very well.
(pfSense uses the same combination but includes some hacking)
#6 SirDice (Moderator), July 15th, 2011, 13:06
Quote: Originally Posted by msurucu
    A combination of both is better than one of them.
You'll run into some very odd interactions, as you've already found out.
Tags: dummynet, freebsd 8, ipfw, pf
