Other pf.conf and ipfw.rules

Hello,

I want to redirect all traffic from one class to the server's IP. I've done this using:
Code:
rdr on $int_if proto {tcp udp} from $to_rdr to !172.23.0.1 port 80 -> 172.23.0.1 port 80
Now 172.23.0.1 is the server. $to_rdr is the class that needs to be redirected. This works great until I apply:
Code:
table 1 flush
table 1 add 172.23.0.0/20

pipe 10 config bw 10MByte/s mask src-ip 0x00000fff  # 10MByte/s for download
pipe 11 config bw 5MByte/s mask dst-ip 0x00000fff   # 5MByte/s for upload

add pipe 10 all from table(1) to any in
add pipe 11 all from any to table(1) out
to ipfw.rules. Does anyone know why? If I comment
Code:
 table 1 add 172.23.0.0/20
the redirecting works great.

Thanks in advance.
 
"Class" is a really ambiguous term here. Is it just an IP address?

pf.conf and ipfw.rules are for two entirely separate firewalls. It is not surprising that using both causes unexpected results.
 
Thank you for replying.

By class I mean 172.23.15.0/24.

I only want to use ipfw.rules to limit the bandwidth and pf.conf as a firewall. The last rule in ipfw.rules is
Code:
add pass all from any to any
So, in theory, ipfw.rules won't act as a firewall, just as a traffic shaper.

// Later edit

By modifying ipfw.rules to
Code:
table 1 flush
table 1 add 172.23.0.0/21
table 1 add 172.23.8.0/22
table 1 add 172.23.12.0/23
table 1 add 172.23.14.0/24
it adds every IP address from 172.23.0.0 to 172.23.14.255 to table 1 and I get it to work how I want (everyone from 172.23.15.0/24 is redirected using the rule from pf.conf). If I modify it back to
Code:
table 1 flush
table 1 add 172.23.0.0/20
it stops redirecting. Any ideas why?
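
An added example, not part of the original posts: the /20 entry contains 172.23.15.0/24, while the four-prefix list from the later edit is exactly that /20 with the /24 removed, so addresses in the redirected class no longer match table(1) in the pipe rules. The Python below derives the list for any set of excluded subnets and checks membership; the function names are illustrative.

```python
import ipaddress

# Values taken from the thread.
SHAPED = ipaddress.ip_network("172.23.0.0/20")        # single table 1 entry
REDIRECTED = ipaddress.ip_network("172.23.15.0/24")   # class handled by the pf rdr rule


def table_without(supernet, excluded):
    """Minimal prefix list covering supernet minus every excluded subnet."""
    remaining = [supernet]
    for ex in excluded:
        kept = []
        for net in remaining:
            if net.subnet_of(ex):
                continue                      # prefix lies entirely in the exclusion
            if ex.subnet_of(net):
                kept.extend(net.address_exclude(ex))   # split around the exclusion
            else:
                kept.append(net)              # no overlap, keep unchanged
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))


def in_table(addr, prefixes):
    """True if addr would match an ipfw table holding these prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in p for p in prefixes)


def ipfw_table_lines(table_no, prefixes):
    """Render the prefixes in the ipfw.rules form used in the thread."""
    return [f"table {table_no} flush"] + [f"table {table_no} add {p}" for p in prefixes]


if __name__ == "__main__":
    split = table_without(SHAPED, [REDIRECTED])
    print("\n".join(ipfw_table_lines(1, split)))
    # 172.23.15.7 is a constructed sample host in the redirected class.
    print("in /20 table:  ", in_table("172.23.15.7", [SHAPED]))
    print("in split table:", in_table("172.23.15.7", split))
```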
 
No, but I switched from IPFW to PF years ago. PF does have traffic shaping abilities, although I have not used them.
 
Me too, now I only work with PF, it causes fewer problems.
Code:
FreeBSD host.mydomain 10.1-RELEASE FreeBSD 10.1-RELEASE #0 r274401: Tue Nov 11 21:02:49 UTC 2014     root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64
Code:
root@server:~ # service pf status
No ALTQ support in kernel
ALTQ related functions disabled
Status: Enabled for 0 days 00:46:26           Debug: Urgent

State Table                          Total             Rate
  current entries                       12
  searches                           79438           28.5/s
  inserts                              747            0.3/s
  removals                             735            0.3/s
Counters
  match                              42903           15.4/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
root@server:~ #
All is OK for now.
 