[IPFW] Dummynet and IPFW - don't limit the bandwidth - The FreeBSD Forums
#1  July 25th, 2012, 14:55  panikaa (Junior Member)

Dummynet and IPFW - don't limit the bandwidth

Hi!
I have a problem. I have a dedicated server at OVH, FreeBSD 9.0 x64, with the kernel compiled with the IPFW, Dummynet and HZ options.
I have pasted my kernel config, ipfw rules, kldstat output and anything else you need to help me.
kldstat:
Code:
kldstat
Id Refs Address            Size     Name
 1    1 0xffffffff80200000 1238498  kernel
Kernel config:
Code:
#ipfw
options     IPFIREWARE_PLACEHOLDER_NEVER_USED
rc.conf
Code:
#ipfw
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"
dummynet_enable="YES"
ipfw.rules
Code:
IPF="ipfw add"
ipfw -f flush
ipfw -f pipe flush
ipfw pipe 2 config bw 2Mbit/s
ipfw pipe 3 config bw 4Mbit/s
#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag
# stateful
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any
# open port ftp (20,21), ssh (22), mail (25)
# http (80), dns (53) etc
$IPF 110 allow all from any to any 5525 in
$IPF 115 allow all from any to any 5525 out
$IPF 120 pipe 3 tcp from any to any 80 in
$IPF 134 pipe 3 tcp from any to any 80 out
and many more...
sysctl.conf
Code:
net.link.ether.ipfw=1
I need help...
Thanks!
#2  July 25th, 2012, 21:13  dalecosp (Junior Member, Joplin, MO)

I'm not sure I understand what the problem is that you need help with.

If you don't want to limit bandwidth, omit all the "pipe" lines.

If your pipes aren't being limited as you expect, I'm not *sure* what is wrong. It does seem a little strange, though, to configure the pipes before they are added. I might try moving the "pipe config" lines to a place *after* the pipe is configured.
#3  July 27th, 2012, 07:57  phoenix (Moderator, Kamloops, BC, Canada)

Rules are checked in order, and the first match wins.

You are allowing all traffic out, near the start of your ruleset.

Then, at the end, you have your pipe rules, which will never match.

Check the output of # ipfw show to see which packets are matching.

I've found that when you want to do advanced packet filtering, like traffic shaping, you don't want to use stateful filtering. At least, not with IPFW. It gets complicated.

Also, be very specific in your rules. Include both the direction (in recv / out xmit) and the network interface.

Something like the following should do what you want:
Code:
IPF="ipfw"
# $PUB is the public interface; it is not set anywhere in the post, so set it to your NIC (em0 is only an example)
PUB="em0"
$IPF -f flush
$IPF -f pipe flush
$IPF pipe 2 config bw 2Mbit/s
$IPF pipe 3 config bw 4Mbit/s

#loopback
$IPF add 10 allow ip from any to any via lo0
$IPF add 20 deny all from any to 127.0.0.0/8
$IPF add 30 deny all from 127.0.0.0/8 to any

$IPF add 80 allow icmp from any to any

# open port ftp (20,21), ssh (22), mail (25)
# http (80), dns (53) etc
$IPF add 100 pipe 3 tcp from any to any 20-22,25,53,80 out xmit $PUB
$IPF add 110 pipe 3 tcp from any 20-22,25,53,80 to any in recv $PUB established

$IPF add 120 pipe 2 tcp from any to any 5525 in recv $PUB
$IPF add 130 pipe 2 tcp from any 5525 to any out xmit $PUB established

...etc...
'pipe' can be treated like an 'allow'. The rule matches, the packet is sent to the pipe, and the search terminates.

Remove the sysctl option you listed. It enables layer-2 (ethernet) filtering, and causes every packet to be sent through the ruleset twice (once with MAC addresses, then again with IP addresses).
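Added example, not code from any post in this thread: a dummynet ruleset laid out the way phoenix describes (the pipe rules ahead of the stateful catch-all, each rule bound to a direction and an interface), plus the two checks worth running afterwards: which rules never match in `ipfw show`, and whether a pipe rule also accepts the packet. Assumptions that are not in the thread: the public interface name in PUB (the post uses $PUB without defining it), the IPFW variable so the script can be dry-run with IPFW=echo on a box without ipfw or root, the `me` keyword and rule numbers chosen here, and that this host is the server on ports 80 and 5525 (phoenix's block shapes 20-22,25,53,80 as outgoing client traffic instead). The `ipfw show` sample is constructed to look like the original poster's ruleset after some HTTP traffic.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions, adjust for the host:
#   PUB  - the public interface; the thread uses $PUB without defining it.
#   IPFW - the command that receives the rules. IPFW=echo prints the
#          ruleset instead of loading it (no root, no ipfw needed).
PUB="${PUB:-em0}"
IPFW="${IPFW:-ipfw}"

apply_ruleset() {
    $IPFW -f flush
    $IPFW -f pipe flush
    $IPFW pipe 2 config bw 2Mbit/s
    $IPFW pipe 3 config bw 4Mbit/s

    $IPFW add 10 allow ip from any to any via lo0
    $IPFW add 20 deny ip from any to 127.0.0.0/8
    $IPFW add 30 deny ip from 127.0.0.0/8 to any

    # Shaped services, with this host as the server. These come first: ipfw is
    # first-match, so a pipe rule placed after "allow ... keep-state" is
    # unreachable, which is what the original ruleset ran into.
    $IPFW add 100 pipe 3 tcp from any to me 80 in recv "$PUB"
    $IPFW add 110 pipe 3 tcp from me 80 to any out xmit "$PUB"
    $IPFW add 120 pipe 2 tcp from any to me 5525 in recv "$PUB"
    $IPFW add 130 pipe 2 tcp from me 5525 to any out xmit "$PUB"

    # Stateful handling for everything else, after the shaping rules.
    $IPFW add 200 check-state
    $IPFW add 210 allow ip from me to any out xmit "$PUB" keep-state
    $IPFW add 220 allow icmp from any to any
    $IPFW add 65000 deny ip from any to any
}

# Constructed sample of "ipfw show" output (rule, packets, bytes, body) shaped
# like the original poster's ruleset after some HTTP traffic: the stateful
# rule 70 took every packet and the pipe rules stayed at zero.
SAMPLE_SHOW='00010       12      1480 allow ip from any to any via lo0
00060     8312   9123456 allow tcp from any to any established
00070      117     10240 allow ip from any to any out keep-state
00120        0         0 pipe 3 tcp from any to any 80 in
00134        0         0 pipe 3 tcp from any to any 80 out
65535        3       180 deny ip from any to any'

# Print the numbers of rules whose packet counter is still zero. Feed it
# "ipfw show" after generating traffic; a pipe rule listed here is shadowed
# by an earlier match and is not shaping anything.
unmatched_rules() {
    awk '$2 == 0 { print $1 }'
}

# A pipe rule only behaves like an allow when net.inet.ip.fw.one_pass is 1
# (the default). With one_pass=0 the packet re-enters the ruleset at the next
# rule and needs its own allow, otherwise the final deny above drops it.
# Pass the value as $1 to exercise the check on a box without ipfw.
pipe_is_terminal() {
    one_pass="${1:-$(sysctl -n net.inet.ip.fw.one_pass 2>/dev/null || echo 1)}"
    [ "$one_pass" = "1" ]
}

case "${1:-}" in
    apply)   apply_ruleset ;;
    dry-run) (IPFW=echo; apply_ruleset) ;;
    check)   printf '%s\n' "$SAMPLE_SHOW" | unmatched_rules
             pipe_is_terminal && echo "one_pass=1: pipe rules accept the packet" ;;
esac
```

Run it as `sh shape.sh dry-run` to see the rule order, `sh shape.sh apply` as root on the FreeBSD box, and after some traffic pipe the real `ipfw show` into `unmatched_rules` instead of the sample: every pipe rule should have a non-zero packet count, and the sysctl check tells you whether an explicit allow after each pipe is required.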
All times are GMT +1.