ipfw-classifyd - need explanation

Hello.

I am kind of new to FreeBSD. I've managed to get the router working (ipfw+ipnat), but I also tried to use ipfw-classifyd (to block or shape p2p). There I have a problem: I can't find any manuals on ipfw-classifyd usage. It doesn't work (p2p traffic is neither blocked nor cut).

Here are my files (finally tried to work on examples to understand it).

Firewall rules:
Code:
#!/bin/sh
#
# Sample ipfw(8) script for use with ipfw-classifyd
#
# $Id: rc.firewall.example 741 2010-03-09 17:29:48Z mtm $
#

fwcmd=/sbin/ipfw
ifn=em0

# Remove all other rules.
#
${fwcmd} -f flush

# Setup a throttled P2P pipe.
#
${fwcmd} pipe 1 config bw 256Kbit/s queue 30
${fwcmd} pipe 2 config bw 256Kbit/s queue 30
# Divert all TCP and UDP packets through our classifier
#
${fwcmd} add 400 divert 7777 tcp from any to any
${fwcmd} add 410 divert 7777 udp from any to any

# Pass unclassified packets
${fwcmd} add 1000 allow all from any to any
# Pipes for throttling packets coming out of the divert(4) socket
#
${fwcmd} add 64000 pipe 1 log ip from any to any in diverted
${fwcmd} add 64001 pipe 2 log ip from any to any out diverted

ipfw-classifyd.conf
Code:
bittorrent      = 1000
edonkey         = 1000
fasttrack       = 1000
gnutella        = 1000
ftp             = 1000

Here I tried other port numbers (am I correct that it's the destination port of classified packets? I tried 64000 etc.) and it still hasn't worked. So I tried bittorrent, ftp etc. and the traffic is not shaped.

The system is FreeBSD 8.2-RELEASE-p3 GENERIC KERNEL. Needed modules are loaded.
Code:
Id Refs Address    Size     Name
 1   17 0xc0400000 bd97b4   kernel
 2    1 0xc4a84000 37000    ipl.ko
 3    1 0xc4cbd000 4000     ipdivert.ko
 4    2 0xc4cd0000 11000    ipfw.ko
 5    1 0xc4cc1000 d000     libalias.ko
 6    1 0xc4d91000 e000     dummynet.ko

Please enlighten me :))
 
As far as I know it's not part of FreeBSD and there's barely any documentation. So your guesses are probably as good as ours.
 
ipfw-classifyd cannot block or deny; classifyd has not implemented that, only running pipes. You've installed all the protocols; see the l7-protocols folder (malware folder, extra, protocols, testing, file_types) and copy all the *.pat files into /usr/local/etc/ipfw-classifyd/protocols.

The current version of ipfw-classifyd is from 2010: ipfw-classify-r741.
Greetings from Germany
Jens
 
All *.pat files are and were in the /usr/local/etc/ipfw-classifyd/protocols directory. I am using the latest version (ipfw-classifyd-r741) as well.

It seems I will have to cut the traffic manually by shaping specific ports.
 
Code:
#!/bin/sh
#
# Sample ipfw(8) script for use with ipfw-classifyd
#
# $Id: rc.firewall.example 741 2010-03-09 17:29:48Z mtm $
#

fwcmd=/sbin/ipfw
ifn=bfe0

# Remove all other rules.
#
${fwcmd} -f flush

# Setup a throttled P2P pipe.
#
${fwcmd} pipe 1 config bw 256Kbit/s queue 30
${fwcmd} pipe 2 config bw 256Kbit/s queue 30

# Divert all TCP and UDP packets through our classifier
#
${fwcmd} add 400 divert 7777 tcp from any to any via ${ifn}
${fwcmd} add 410 divert 7777 udp from any to any via ${ifn}

# Pass unclassified packets
${fwcmd} add 1000 allow ip from any to any

# Pipes for throttling packets coming out of the divert(4) socket
#
${fwcmd} add 64000 pipe 1 log ip from any to any in diverted
${fwcmd} add 64001 pipe 2 log ip from any to any out diverted
 