
PF + Dummynet + FreeBSD 8.2 problem

Discussion in 'Firewalls' started by msurucu, Jul 8, 2011.

  1. msurucu

    Hello,

    I used PF and dummynet together for about two years and it worked fine.
    Recently I upgraded the system from 7.2 to 8.2 and dummynet doesn't work anymore.
    If any packet belonging to the client IP is put into any pipe, it is dropped and pflog says it was blocked by the last pf rule. But it matches a previous rule.
    If I disable (flush) the ipfw rules, packets pass normally.

    Does anybody have the same experience?

    Code:
    #tcpdump -nettt -i pflog0 -s 256 | grep 10.10.10.251
    00:00:00.127448 rule 471/0(match): block in on bce1: 74.209.160.12.80 > 10.10.10.251.60622: Flags [S.], seq 626280344, ack 4278536801, win 32768, options [mss 1460,nop,wscale 0], length 0
    00:00:00.054181 rule 471/0(match): block in on bce1: 74.209.160.12.80 > 10.10.10.251.60622: Flags [S.], seq 626280344, ack 4278536801, win 32768, options [mss 1460,nop,wscale 0], length 0
    00:00:00.000935 rule 471/0(match): block in on bce1: 74.209.160.12.80 > 10.10.10.251.60622: Flags [S.], seq 626280344, ack 4278536801, win 32768, options [mss 1460,nop,wscale 0], length 0
    00:00:00.217543 rule 471/0(match): block in on bce1: 74.209.160.12.80 > 10.10.10.251.60622: Flags [S.], seq 626280344, ack 4278536801, win 32768, options [mss 1460,nop,wscale 0], length 0
    
    Code:
    #pfctl -vvsr
    @471 block drop in log on bce1 all
      [ Evaluations: 16084     Packets: 5254      Bytes: 432799      States: 0     ]
      [ Inserted: uid 0 pid 17409 ]
    @472 block drop out log on bce1 all
      [ Evaluations: 19982     Packets: 14717     Bytes: 1078591     States: 0     ]
      [ Inserted: uid 0 pid 17409 ]
    
    Code:
    #uname -a
    FreeBSD blabla.com 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Fri Jul  8 17:04:18 EEST 2011     root@blabla.com:/usr/src/sys/amd64/compile/FW2KERNEL3  amd64
    Code:
    #cat FW2KERNEL3
    ...
    options IPFIREWALL
    #options IPSTEALTH
    options IPFIREWALL_DEFAULT_TO_ACCEPT
    options IPFIREWALL_FORWARD
    options IPFIREWALL_VERBOSE
    options IPFIREWALL_VERBOSE_LIMIT=50
    options DUMMYNET
    options HZ=8000
    Code:
    #cat /etc/rc.conf
    ...
    pf_enable="YES"
    pflog_enable="YES"
    pflog_logfile="/var/log/pflog"
    pf_rules="/etc/pf.conf"
    firewall_enable="YES"
    firewall_type="open"
    firewall_script="/etc/ipfw.rules"
    firewall_logging="YES"
    ...
    Code:
    #cat pf.conf
    #
    #
    ###
    ### MACROS
    ###
    #
    dis_uc="bce1"
    ic_uc="bce0"
    TCP_FLAGS=""
    KS="keep state"
    tcp_services_in="{ 5004, 6891:6900, 9000 }"
    utorrent_in="{ 22588 }"
    tcp_services_out = "{ 23, www, auth, pop3, pop3s ... }"
    udp_services_out = "{ pop3s, imaps, ... }"
    denied_services = "{ 113, 137, 138, 139 }"
    icmp_types = "{ echoreq, unreach }"
    ...
    ### OPTIONS
    ###
    #
    set limit states      10000000
    set limit src-nodes      50000
    set limit frags          10000
    set limit tables          5000
    set limit table-entries 250000
    ###
    ### NORMALIZATION
    ###
    scrub   in   all
    scrub   out  all
    ###
    ### NAT
    ###
    ...
    nat on $dis_uc from 10.10.10.0/24  to any ->  SOME.IP/32
    ...
    ###
    ### FILTER
    ###
    ...
    pass out quick on $dis_uc inet proto tcp from any to any port $tcp_services_out $TCP_FLAGS $KS
    pass out quick on $dis_uc inet proto udp from any to any port $udp_services_out $KS
    ...
    block in log on $dis_uc all
    block out log on $dis_uc all
    
    Code:
    #cat /etc/ipfw.rules
    #!/bin/sh
    ipfw -q -f flush
    cmd="ipfw -q add"
    cmd2="ipfw -q"
    $cmd2 table 1 flush
    $cmd2 table 1 add 10.10.10.251/32
    $cmd2 pipe flush
    $cmd pipe 1 ip from any to "table(1)" in
    $cmd2 pipe 1 config bw 13Mbit/s
    
    If I disable the last input rule "block in log on $dis_uc all", then 10.10.10.251 gets a 12-13 Mbit limit.

    Sorry for poor English.
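    A small parser for the tcpdump pflog0 output quoted above, added here as an example and not part of the original post: it extracts the blocking rule, direction, interface and TCP tuple from each line and reports identical segments logged more than once, which is how the repeated SYN-ACK from 74.209.160.12 shows up as the peer retransmitting a reply the client never received. The four blocked lines are taken from the post; the fifth sample line is constructed.

```python
import re
from collections import Counter

# One tcpdump line from "tcpdump -nettt -i pflog0": relative timestamp, pf's
# "rule N/M(reason): action dir on iface:" header, then the IP/TCP summary.
PFLOG_RE = re.compile(
    r"^(?P<delta>\d{2}:\d{2}:\d{2}\.\d+) rule (?P<rule>\d+)/\d+\((?P<reason>\w+)\): "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\], seq (?P<seq>\d+)(?::\d+)?, ack (?P<ack>\d+)"
)

# Sample input: the four blocked lines quoted in the post, plus one constructed
# line for the outbound rule so the per-rule grouping has more than one key.
SAMPLE_LOG = """\
00:00:00.127448 rule 471/0(match): block in on bce1: 74.209.160.12.80 > 10.10.10.251.60622: Flags [S.], seq 626280344, ack 4278536801, win 32768, options [mss 1460,nop,wscale 0], length 0
00:00:00.054181 rule 471/0(match): block in on bce1: 74.209.160.12.80 > 10.10.10.251.60622: Flags [S.], seq 626280344, ack 4278536801, win 32768, options [mss 1460,nop,wscale 0], length 0
00:00:00.000935 rule 471/0(match): block in on bce1: 74.209.160.12.80 > 10.10.10.251.60622: Flags [S.], seq 626280344, ack 4278536801, win 32768, options [mss 1460,nop,wscale 0], length 0
00:00:00.217543 rule 471/0(match): block in on bce1: 74.209.160.12.80 > 10.10.10.251.60622: Flags [S.], seq 626280344, ack 4278536801, win 32768, options [mss 1460,nop,wscale 0], length 0
00:00:00.010000 rule 472/0(match): block out on bce1: 10.10.10.251.60623 > 74.209.160.12.80: Flags [P.], seq 1:101, ack 1, win 65535, length 100
"""


def parse_pflog(text):
    """Turn pflog lines into dicts; lines that do not fit the TCP pattern are skipped."""
    records = []
    for line in text.splitlines():
        m = PFLOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for key in ("rule", "sport", "dport", "seq", "ack"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def summarize(records):
    """Return (blocked packets per rule/direction/interface, identical TCP segments
    seen more than once). The same SYN-ACK logged repeatedly means the remote side
    is retransmitting because the client never received it: the symptom above."""
    per_rule = Counter((r["rule"], r["dir"], r["iface"])
                       for r in records if r["action"] == "block")
    segments = Counter((r["src"], r["sport"], r["dst"], r["dport"],
                        r["flags"], r["seq"], r["ack"]) for r in records)
    retransmits = {seg: n for seg, n in segments.items() if n > 1}
    return per_rule, retransmits
```

    Feed it `tcpdump -nettt -i pflog0` output saved to a file to see which rule is dropping the pipe-reinjected packets and how often the same segment is retried.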
     
  2. msurucu

    Any suggestions?
     
  3. msurucu

    Solved

    I tried many configurations; one of them works.

    [image not preserved]
     
  4. SirDice

    Don't use two different firewalls. Use either PF/ALTQ or IPFW/Dummynet, not a combination of both.
     
  5. msurucu

    A combination of both is better than one of them :)
    ALTQ doesn't have a bw limit per IP, so I must use dummynet for my network.
    IPFW is a good firewall but natd is not a good solution for the NAT process.
    And for about 4 or 5 years it has worked very well.
    (pfSense uses the same combination but includes some hacking)
     
  6. SirDice

    You'll run into some very odd interactions, as you've already found out.