From owner-freebsd-ipfw@FreeBSD.ORG Sun May 22 09:09:07 2005
From: "Aymeric MUNTZ"
To: freebsd-ipfw@freebsd.org
Date: Sun, 22 May 2005 11:09:20 +0200
Subject: (no subject)

The Orcalys technical team
Technical support: 0892.70.25.56 (€0.35/min)
Customer service: 0826.02.39.39 (€0.15/min)
http://www.orcalys.fr

From owner-freebsd-ipfw@FreeBSD.ORG Sun May 22 09:27:31 2005
From: "Alexandre D."
To: freebsd-ipfw@freebsd.org
Date: Sun, 22 May 2005 11:27:44 +0200
Subject: ipfw+dummynet+WF2Q

Hi all,

I have a specific question about WF2Q+ included in dummynet.

I configured a box with dummynet. Each time a user gets connected, bandwidth is allocated to him by means of 2 pipes (burst limit "in" and "out"). According to what I understand of WF2Q+, queues equalize the bandwidth in a pipe. What I would like is to get the total bandwidth equalized between the pipes. Sometimes I have users using a lot of bandwidth. It doesn't matter if they are alone, but if there are several users, I would like the traffic to be equalized between them.

Here is a sample of my config (I have 2 Mbps guaranteed bandwidth and 5 users: 3x512/128 kbps, 1x1024/128, 1x128/32 kbps).

# ipfw list
...
00011 divert 8668 ip from any to any via fxp0
00012 allow ip from 172.20.1.254 to any
00013 allow ip from any to 172.20.1.254
...
00028 allow ip from me to any
00029 allow ip from any to me
01218 pipe 218 ip from any to 172.20.1.109 in
01219 pipe 219 ip from 172.20.1.109 to any in
01444 pipe 444 ip from any to 172.20.1.222 in
01445 pipe 445 ip from 172.20.1.222 to any in
06004 pipe 1004 ip from any to 172.20.1.2 in
06005 pipe 1005 ip from 172.20.1.2 to any in
06016 pipe 1016 ip from any to 172.20.1.8 in
06017 pipe 1017 ip from 172.20.1.8 to any in
06030 pipe 1030 ip from any to 172.20.1.15 in
06031 pipe 1031 ip from 172.20.1.15 to any in
06032 pipe 1032 ip from any to 172.20.1.16 in
06033 pipe 1033 ip from 172.20.1.16 to any in
06084 pipe 1084 ip from any to 172.20.1.42 in
06085 pipe 1085 ip from 172.20.1.42 to any in
...
31004 allow ip from any to 172.20.1.2
31005 allow ip from 172.20.1.2 to any
31016 allow ip from any to 172.20.1.8
31017 allow ip from 172.20.1.8 to any
31030 allow ip from any to 172.20.1.15
31031 allow ip from 172.20.1.15 to any
31032 allow ip from any to 172.20.1.16
31033 allow ip from 172.20.1.16 to any
31084 allow ip from any to 172.20.1.42
31085 allow ip from 172.20.1.42 to any
...

# ipfw pipe list
01004: 512.000 Kbit/s 0 ms 50 sl. 1 queues (1 buckets) droptail ...
01005: 128.000 Kbit/s 0 ms 50 sl. 1 queues (1 buckets) droptail ...
01016: 512.000 Kbit/s 0 ms 50 sl. 1 queues (1 buckets) droptail ...
01017: 128.000 Kbit/s 0 ms 50 sl. 1 queues (1 buckets) droptail ...
01030: 1.024 Mbit/s 0 ms 50 sl. 1 queues (1 buckets) droptail ...
01031: 128.000 Kbit/s 0 ms 50 sl. 1 queues (1 buckets) droptail ...
01032: 512.000 Kbit/s 0 ms 50 sl. 1 queues (1 buckets) droptail ...
01033: 128.000 Kbit/s 0 ms 50 sl. 1 queues (1 buckets) droptail ...
01084: 128.000 Kbit/s 0 ms 50 sl. 1 queues (1 buckets) droptail ...
01085: 32.000 Kbit/s 0 ms 50 sl. 1 queues (1 buckets) droptail ...

I guess that I need to build a main pipe in order to determine the total bandwidth and build queues in it, but the traffic would not be "piped" into the users' pipes if I do that!

Thank you for your help

Best regards

Alex

From owner-freebsd-ipfw@FreeBSD.ORG Sun May 22 11:11:44 2005
From: "Alexandre D."
To: freebsd-ipfw@freebsd.org
Date: Sun, 22 May 2005 13:11:58 +0200
Subject: RE: ipfw+dummynet+WF2Q

Maybe it is possible to play with:

net.inet.ip.fw.one_pass: 1

so that the packet continues in the firewall and then reaches another pipe which would regroup several pipes. It would give something like this:

ipfw list
...
00011 divert 8668 ip from any to any via fxp0
00012 allow ip from 172.20.1.254 to any
00013 allow ip from any to 172.20.1.254
...
00028 allow ip from me to any
00029 allow ip from any to me
06004 pipe 1004 ip from any to 172.20.1.2 in
06005 pipe 1005 ip from 172.20.1.2 to any in
06016 pipe 1016 ip from any to 172.20.1.8 in
06017 pipe 1017 ip from 172.20.1.8 to any in
06030 pipe 1030 ip from any to 172.20.1.15 in
06031 pipe 1031 ip from 172.20.1.15 to any in
06032 pipe 1032 ip from any to 172.20.1.16 in
06033 pipe 1033 ip from 172.20.1.16 to any in
06084 pipe 1084 ip from any to 172.20.1.42 in
06085 pipe 1085 ip from 172.20.1.42 to any in
...
/* reinjection in the firewall for WF2Q */
/* queue 1 feeds the shared downstream pipe 1, queue 2 the shared upstream pipe 2 */
ipfw queue 1 config pipe 1
ipfw queue 2 config pipe 2
ipfw add queue 1 ip from any to 172.20.1.2 in
ipfw add queue 2 ip from 172.20.1.2 to any in
ipfw add queue 1 ip from any to 172.20.1.8 in
ipfw add queue 2 ip from 172.20.1.8 to any in
ipfw add queue 1 ip from any to 172.20.1.15 in
ipfw add queue 2 ip from 172.20.1.15 to any in
/* same for other users */
...
31004 allow ip from any to 172.20.1.2

# ipfw pipe list
00001: 2048.00 Kbit/s
00002: 2048.00 Kbit/s
01004: 512.000 Kbit/s 0 ms 50 sl. 1 queues (1 buckets) droptail ...
01005: 128.000 Kbit/s 0 ms 50 sl. 1 queues (1 buckets) droptail ...
01016: 512.000 Kbit/s 0 ms 50 sl. 1 queues (1 buckets) droptail ...
01017: 128.000 Kbit/s 0 ms 50 sl. 1 queues (1 buckets) droptail ...
01030: 1.024 Mbit/s 0 ms 50 sl. 1 queues (1 buckets) droptail ...
01031: 128.000 Kbit/s 0 ms 50 sl. 1 queues (1 buckets) droptail ...
01032: 512.000 Kbit/s 0 ms 50 sl. 1 queues (1 buckets) droptail ...
01033: 128.000 Kbit/s 0 ms 50 sl. 1 queues (1 buckets) droptail ...
01084: 128.000 Kbit/s 0 ms 50 sl. 1 queues (1 buckets) droptail ...
01085: 32.000 Kbit/s 0 ms 50 sl. 1 queues (1 buckets) droptail ...

-----Original Message-----
From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of Alexandre D.
Sent: Sunday, 22 May 2005 11:28
To: freebsd-ipfw@freebsd.org
Subject: ipfw+dummynet+WF2Q

_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Mon May 23 11:01:53 2005
Date: Mon, 23 May 2005 11:01:52 GMT
Message-Id: <200505231101.j4NB1q7f004062@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

Non-critical problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2004/10/29] kern/73276  ipfw   ipfw2 vulnerability (parser error)
o [2005/02/01] kern/76971  ipfw   ipfw antispoof incorrectly blocks broadca

2 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Mon May 23 11:02:35 2005
Date: Mon, 23 May 2005 11:02:33 GMT
Message-Id: <200505231102.j4NB2XKI004567@freefall.freebsd.org>
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2003/04/22] kern/51274  ipfw   ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341  ipfw   ipfw rule 'deny icmp from any to any icmp
o [2003/12/11] kern/60154  ipfw   ipfw core (crash)
o [2004/03/03] kern/63724  ipfw   IPFW2 Queues dont t work
f [2004/03/25] kern/64694  ipfw   [ipfw] UID/GID matching in ipfw non-funct
o [2004/11/13] kern/73910  ipfw   [ipfw] serious bug on forwarding of packe
o [2004/11/19] kern/74104  ipfw   ipfw2/1 conflict not detected or reported
o [2004/12/25] i386/75483  ipfw   ipfw count does not count

8 problems total.

Non-critical problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw   Add an option to ipfw to log gid/uid of w
o [2002/12/10] kern/46159  ipfw   ipfw dynamic rules lifetime feature
o [2003/02/11] kern/48172  ipfw   ipfw does not log size and flags
o [2003/03/10] kern/49086  ipfw   [patch] Make ipfw2 log to different syslo
o [2003/04/09] bin/50749   ipfw   ipfw2 incorrectly parses ports and port r
o [2003/08/26] kern/55984  ipfw   [patch] time based firewalling support fo
o [2003/12/30] kern/60719  ipfw   ipfw: Headerless fragments generate cryp
o [2004/08/03] kern/69963  ipfw   ipfw: install_state warning about already
o [2004/09/04] kern/71366  ipfw   "ipfw fwd" sometimes rewrites destination

9 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Mon May 23 13:32:16 2005
From: ovidiue@unixware.ro
To: freebsd-ipfw@freebsd.org
Date: Mon, 23 May 2005 16:32:13 +0300
Message-ID: <1116855133.4291db5d6eb55@webmail.unixware.ro>
Subject: QoS and guaranteed bandwidth

Hello guys

What is the best solution (and also simple) to guarantee a bandwidth?

For example, if I have a 1024 kbps connection and I want to share this among 30 users and also guarantee 32 kbps to every user, so that if one of them is doing intense FTP the others can easily browse the net, what should I use for that? I am looking for a solution like (and better than) HBT on Linux.

I've googled for a while but there are not so many resources on that.

Best Regards,
ovidiu

From owner-freebsd-ipfw@FreeBSD.ORG Mon May 23 16:04:10 2005
Message-ID: <004901c55fb0$e1c93570$0100000a@R3B>
From: "Chris Dionissopoulos"
To: freebsd-ipfw@freebsd.org
Date: Mon, 23 May 2005 19:02:51 +0300
Subject: Re: QoS and guaranteed bandwidth

> Hello guys
>
> What is the best solution (and also simple) to guarantee a bandwidth?
>
> For example, if I have a 1024 kbps connection and I want to share
> this among 30 users and also guarantee 32 kbps to every user, so that if
> one of them is doing intense FTP the others can easily browse the
> net, what should I use for that? I am looking for a solution like
> (and better than) HBT on Linux.
>
> I've googled for a while but there are not so many resources on that.
>
> Best Regards,
> ovidiu

Hi,

you can use dummynet (man ipfw, man dummynet) to define the maximum bandwidth and/or a WFQ priority for each user. Theoretically, by assigning a proper WFQ priority to each user, you guarantee a minimum of {[User_Priority / Sum(user_priorities)] * Line_Bandwidth} to each of them.

In your case:

Calculate your priority
~~~~~~~~~~~~~~~~~
The rule says that the priority in WFQ is calculated by dividing your total bandwidth by the minimum bandwidth allocated to each user. So we have:

WFQ_User_Priority = 1024Kbps / 32Kbps = 32

**This gives at least { 32 / (32 x 32) * 1024 } Kbps = 32Kbps to each user.

Assign to each user using ipfw pipes+queues
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A very simple ipfw configuration:

ipfw pipe 1 config bw 1024Kbit/s queue 20Kbytes
ipfw queue 1 config pipe 1 weight 32 mask src-ip 0xffffffff queue 10Kbytes
ipfw add queue 1 ip from $YOUR_LAN_NET to any xmit $WAN_INTERFACE

I hope that this helps you a little.

Chris.
____________________________________________________________________
http://www.freemail.gr - free email service for the Greek-speaking.

From owner-freebsd-ipfw@FreeBSD.ORG Mon May 23 18:14:46 2005
Message-ID: <1116872082.42921d92b020d@webmail.unixware.ro>
Date: Mon, 23 May 2005 21:14:42 +0300
From: ovidiue@unixware.ro
To: freebsd-ipfw@freebsd.org
Subject: RE: QoS and guaranteed bandwidth

I must have two different values for every user: guaranteed bandwidth and maximum bandwidth

Quoting "Alexandre D.":

> The best way to assign guaranteed bandwidth is to play with dummynet.
> 1) you create a pipe for each user defining the bandwidth limit (burst)
> 2) you do not assign more bandwidth than the available bandwidth.
>
> In fact, the burst is a real value (technical value), while the "guaranteed
> bandwidth" is a theoretical value (total guaranteed bandwidth divided by
> number of users).
> For example, if I have 4 users with different burst limits:
> -A: 128k
> -B: 128k
> -C: 256k
> -D: 512k
>
> In the case of a 1024k total guaranteed bandwidth, the guaranteed bandwidth
> per user would be:
> -A: 128k
> -B: 128k
> -C: 256k
> -D: 512k
>
> But for 512k, the guaranteed bandwidth per user would be:
> -A: 64k
> -B: 64k
> -C: 128k
> -D: 512k
>
> You can play to assign more bandwidth per user (for example 64k for user A
> and 128k for user B), but this is a bit more difficult. In this case, you
> must use WFQ (Weighted Fair Queueing).
>
> Cheers
>
> Alex
>
> -----Original Message-----
> From: owner-freebsd-ipfw@freebsd.org
> [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of ovidiue@unixware.ro
> Sent: Monday, 23 May 2005 15:32
> To: freebsd-ipfw@freebsd.org
> Subject: QoS and guaranteed bandwidth

From owner-freebsd-ipfw@FreeBSD.ORG Mon May 23 20:29:06 2005
Message-ID: <008801c55fd5$d6e7dec0$0100000a@R3B>
From: "Chris Dionissopoulos"
To: ovidiue@unixware.ro, freebsd-ipfw@freebsd.org
Date: Mon, 23 May 2005 23:27:26 +0300
Subject: Re: QoS and guaranteed bandwidth

> I must have two different values for every user: guaranteed bandwidth and
> maximum bandwidth
>
> Quoting "Alexandre D.":

This adds a little complexity to the previous procedure.

Variables:
~~~~~~~~
$N = group number of users [1,2,.....]
$USER_MAX_BW[$N] max bandwidth of a single user in group $N.
$USER_MIN_BW[$N] min bandwidth of a single user in group $N.
$USERS_SUBNET[$N], a group subnet (of users) in CIDR format.
$WAN_INTERFACE, your gateway wan interface name.

Procedure:
========
1. Calculate your priority
~~~~~~~~~~~~~~~~~~~
The rule says that the priority in WFQ is calculated by dividing your total bandwidth by the minimum bandwidth allocated to each user. So we have:

$WFQ_Priority[$N] = $USER_MAX_BW[$N] / $USER_MIN_BW[$N].

2. Add a proper Pipe and Queue
~~~~~~~~~~~~~~~~~~~~~~~~~
ipfw pipe $N config bw $USER_MAX_BW[$N] queue 20Kbytes
ipfw queue $N config pipe $N weight $WFQ_Priority[$N] mask src-ip 0xffffffff queue 10Kbytes
ipfw add queue $N ip from $USERS_SUBNET[$N] to any out xmit $WAN_INTERFACE

example:
=======
2 groups of users:
Group1 - 192.168.0.0/28 , Bandwidth = min 32Kbps - max 256Kbps
Group2 - 192.168.0.16/28 , Bandwidth = min 32Kbps - max 384Kbps
$wan = fxp0

(I assume that your line has at least the minimum bandwidth you guarantee. In our case it is 32 users x 32Kbps = 1024Kbps.)

1. priorities:
$wfq[1] = 256 / 32 = 12
$wfq[2] = 384 / 32 = 16

2. ipfw commands:
ipfw pipe 1 config bw 256Kbit/s queue 20Kbytes
ipfw queue 1 config pipe 1 weight 12 mask src-ip 0xffffffff queue 10Kbytes
ipfw add queue 1 ip from 192.168.0.0/28 to any out xmit fxp0

ipfw pipe 2 config bw 384Kbit/s queue 20Kbytes
ipfw queue 2 config pipe 2 weight 16 mask src-ip 0xffffffff queue 10Kbytes
ipfw add queue 2 ip from 192.168.0.16/28 to any out xmit fxp0

So simple!

Chris.

From owner-freebsd-ipfw@FreeBSD.ORG Mon May 23 21:19:28 2005
From: "Alexandre D." To: Date: Mon, 23 May 2005 23:19:47 +0200 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1478 In-Reply-To: <008801c55fd5$d6e7dec0$0100000a@R3B> Importance: Normal Subject: RE: QoS and guaranteed bandwidth X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 23 May 2005 21:19:28 -0000 I have another procedure to submit to you all: 1) sysctl net.inet.ip.fw.one_pass=0 this allow to set several pipes for each data 2) add a pipe for each user in order limit the user bandwidth: ipfw pipe $pipe config bw ${kbps}Kbit/s ipfw add $fwrule pipe $pipein ip from any to $clientip in 3) add a global pipe for the global bandwidth and then add a weighted queue for each users: for this, we use weight (ie: 1 for 128, 2 for 256...) ipfw pipe 1 config bw ${global_bw}Kbit/s ipfw queue $queue config pipe 1 weight 1 # for 128 user ipfw queue $queue config pipe 2 weight 2 # for 128k user # then redirect the traffic ipfw add $fwrule queue $queue ip from any to $clientip in of course we do the same for outgoing traffic For the guaranteed bandwidth, one more time, it is given by a "weight calculation". What do you think of it? Alex -----Message d'origine----- De : owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org]De la part de Chris Dionissopoulos Envoyι : lundi 23 mai 2005 22:27 ΐ : ovidiue@unixware.ro; freebsd-ipfw@freebsd.org Objet : Re: QoS and guaranteed bandwidth >I must have two different values for every user: guaranteed bandwidth and > maximum bandwidth > > Citat "Alexandre D." : This adds a little complexity to the previous procedure. 
Variables:
~~~~~~~~
$N = group number of users [1,2,.....]
$USER_MAX_BW[$N] max bandwidth of a single user in group $N.
$USER_MIN_BW[$N] min bandwidth of a single user in group $N.
$USERS_SUBNET[$N], a group subnet (of users) in CIDR format.
$WAN_INTERFACE, your gateway wan interface name.

Procedure:
========
1. Calculate your priority
~~~~~~~~~~~~~~~~~~~
The rule says that the priority in WFQ is calculated if you divide your total bandwidth with the minimum allocated bandwidth to each user. So we have:

$WFQ_Priority[$N] = $USER_MAX_BW[$N] / $USER_MIN_BW[$N].

2. Add a proper Pipe and Queue
~~~~~~~~~~~~~~~~~~~~~~~~~
ipfw pipe $N config bw $USER_MAX_BW[$N] queue 20Kbytes
ipfw queue $N config pipe $N weight $WFQ_Priority[$N] mask src-ip 0xffffffff queue 10kbytes
ipfw add queue $N ip from $USERS_SUBNET[$N] to any out xmit $WAN_INTERFACE

example:
=======
2 groups of users:
Group1 - 192.168.0.0/28 , Bandwidth = min 32Kbps - max 256kbps
Group2 - 192.168.0.16/28 , Bandwidth = min 32Kbps - max 384Kbps
$wan = fxp0

(I assume that your line has at least the minimum bandwidth you guarantee.
in our case is 32 users x 32 kbps = 1024 Kbps )

1. priorities:

$wfq[1] = 256 / 32 = 12
$wfq[2] = 384 / 32 = 16

2. ipfw commands:

ipfw pipe 1 config bw 256Kb/s queue 20Kbytes
ipfw queue 1 config pipe 1 weight 12 mask src-ip 0xffffffff queue 10kbytes
ipfw add queue 1 ip from 192.168.0.0/28 to any out xmit fxp0
ipfw pipe 2 config bw 384Kb/s queue 20Kbytes
ipfw queue 2 config pipe 2 weight 16 mask src-ip 0xffffffff queue 10kbytes
ipfw add queue 2 ip from 192.168.0.16/28 to any out xmit fxp0

So simple!

Chris.
____________________________________________________________________
http://www.freemail.gr - free e-mail service.
http://www.freemail.gr - free email service for the Greek-speaking.
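The following is an added example, not code from Chris's or Alexandre's posts: a small sh script that turns the per-group procedure quoted above into rules. It applies the division the procedure states (max / min) literally for the queue weight, which gives 8 and 12 for the two example groups rather than the 12 and 16 written in the example; clamps the weight to 1..100, the range ipfw(8) accepts; checks that the line can carry the sum of the guaranteed minimums before installing anything (a WFQ weight cannot conjure bandwidth the line does not have); and uses the documented `ipfw queue N config pipe N weight W` and `out xmit IF` forms. Everything else (the group values, the 20Kbytes/10Kbytes queue sizes, fxp0) is carried over from the example. It is dry-run by default: IPFW expands to `echo ipfw`, so nothing on the host changes unless you run it with IPFW=/sbin/ipfw.

```sh
#!/bin/sh
# Added example, not code from the list posts. Builds dummynet pipe/WFQ
# queue rules for groups of users from (subnet, max kbps, min kbps).
# Dry-run by default: IPFW is "echo ipfw"; set IPFW=/sbin/ipfw to apply.
IPFW=${IPFW:-"echo ipfw"}

# wfq_weight MAX_KBPS MIN_KBPS
# Prints max/min (integer division) clamped to 1..100, the weight range
# ipfw(8) accepts for a queue.
wfq_weight() {
    w=$(( $1 / $2 ))
    if [ "$w" -lt 1 ]; then w=1; fi
    if [ "$w" -gt 100 ]; then w=100; fi
    echo "$w"
}

# addresses_in PREFIXLEN -> number of addresses in a /PREFIXLEN block.
# Network and broadcast are counted too; over-counting users errs on the
# safe side for a capacity check.
addresses_in() {
    echo $(( 1 << (32 - $1) ))
}

# guaranteed_kbps SUBNET MIN_KBPS [SUBNET MIN_KBPS ...]
# Sum over all groups of addresses * guaranteed minimum, in kbps.
guaranteed_kbps() {
    total=0
    while [ $# -ge 2 ]; do
        total=$(( total + $(addresses_in "${1#*/}") * $2 ))
        shift 2
    done
    echo "$total"
}

# check_line LINE_KBPS SUBNET MIN_KBPS [SUBNET MIN_KBPS ...]
# Returns 0 when the line can carry every guaranteed minimum at once,
# 1 (with a message on stderr) otherwise.
check_line() {
    line=$1; shift
    need=$(guaranteed_kbps "$@")
    if [ "$need" -gt "$line" ]; then
        echo "line ${line}kbps cannot carry ${need}kbps of guaranteed minimums" >&2
        return 1
    fi
    return 0
}

# group_rules N SUBNET MAX_KBPS MIN_KBPS WAN_IF
# Emits (or runs) the pipe, the WFQ queue keyed per source address, and
# the classification rule for user group N on the outbound interface.
group_rules() {
    n=$1; subnet=$2; max=$3; min=$4; wan=$5
    weight=$(wfq_weight "$max" "$min")
    $IPFW pipe "$n" config bw "${max}Kbit/s" queue 20Kbytes
    $IPFW queue "$n" config pipe "$n" weight "$weight" mask src-ip 0xffffffff queue 10Kbytes
    $IPFW add queue "$n" ip from "$subnet" to any out xmit "$wan"
}

# Demo with the two groups and the 1024 kbps line from the example above.
if check_line 1024 192.168.0.0/28 32 192.168.0.16/28 32; then
    group_rules 1 192.168.0.0/28 256 32 fxp0
    group_rules 2 192.168.0.16/28 384 32 fxp0
fi
```

The capacity check uses the full address count of each block, so the two /28 groups add up to the 32 users x 32 kbps = 1024 kbps figure used in the example; a line smaller than that makes the script refuse to install any rule.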
_______________________________________________ freebsd-ipfw@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" From owner-freebsd-ipfw@FreeBSD.ORG Mon May 23 21:58:58 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 55CB116A41C for ; Mon, 23 May 2005 21:58:58 +0000 (GMT) (envelope-from tataz@tataz.chchile.org) Received: from postfix3-1.free.fr (postfix3-1.free.fr [213.228.0.44]) by mx1.FreeBSD.org (Postfix) with ESMTP id 054F243D1F for ; Mon, 23 May 2005 21:58:57 +0000 (GMT) (envelope-from tataz@tataz.chchile.org) Received: from tatooine.tataz.chchile.org (vol75-8-82-233-239-98.fbx.proxad.net [82.233.239.98]) by postfix3-1.free.fr (Postfix) with ESMTP id 8666E1734A2; Mon, 23 May 2005 23:58:56 +0200 (CEST) Received: by tatooine.tataz.chchile.org (Postfix, from userid 1000) id 98EF9407E; Mon, 23 May 2005 23:58:58 +0200 (CEST) Date: Mon, 23 May 2005 23:58:58 +0200 
From: Jeremie Le Hen To: ovidiue@unixware.ro Message-ID: <20050523215858.GJ850@obiwan.tataz.chchile.org> References: <1116855133.4291db5d6eb55@webmail.unixware.ro> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1116855133.4291db5d6eb55@webmail.unixware.ro> User-Agent: Mutt/1.5.9i Cc: freebsd-ipfw@freebsd.org Subject: Re: QoS and guaranteed bandwidth X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 23 May 2005 21:58:58 -0000

Hi Ovidiu,

> For example if I have a 1024 kbps connection and i want to share
> this to 30 users and also guarantee 32 kbps to every user so if
> one of them is doing intense FTP the others to easily browse the
> net what should I use for that? I am looking for a solution like
> (and better than) HBT on Linux.

Linux' HTB is a kind of simpler clone of CBQ (this does NOT mean it's less powerful, in fact they are supposed to be equivalent). The proposed solutions with Dummynet are neat, but you can achieve this with ALTQ too, as it supports CBQ. However ALTQ is only available on RELENG_5 and newer versions of FreeBSD. Forget about using KAME's one on RELENG_4.
Regards, -- Jeremie Le Hen < jeremie at le-hen dot org >< ttz at chchile dot org > From owner-freebsd-ipfw@FreeBSD.ORG Mon May 23 23:11:14 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F2EEC16A41C for ; Mon, 23 May 2005 23:11:13 +0000 (GMT) (envelope-from asstec@matik.com.br) Received: from msrv.matik.com.br (msrv.matik.com.br [200.152.83.14]) by mx1.FreeBSD.org (Postfix) with ESMTP id 43C4B43D1D for ; Mon, 23 May 2005 23:11:12 +0000 (GMT) (envelope-from asstec@matik.com.br) Received: from [200.152.82.190] ([200.152.82.190]) by msrv.matik.com.br (8.13.1/8.12.11) with ESMTP id j4NN9iPM005335 for ; Mon, 23 May 2005 20:09:46 -0300 (BRST) (envelope-from asstec@matik.com.br) 
From: Suporte Matik To: freebsd-ipfw@freebsd.org Date: Mon, 23 May 2005 20:09:09 -0300 User-Agent: KMail/1.8 References: In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline Message-Id: <200505232009.11261.asstec@matik.com.br> X-Filter-Version: 1.11a (msrv.matik.com.br) X-Virus-Scanned: ClamAV version 0.83, clamav-milter version 0.83 on msrv.matik.com.br X-Virus-Status: Clean Subject: Re: QoS and guaranteed bandwidth X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 23 May 2005 23:11:14 -0000

Certainly you can actually only limit bandwidth but not guarantee any bandwidth, same for priority even if you may get a certain penalising effect when using queue weights, but this, if it works, is far away from giving you a minimum ever available bandwidth or a priority.

You may have your reason to do this queue weighting here but IMO it may be interesting to define global pipes for protocol[port] first and then penalising the other ip pipes with higher queue weights to get a certain priority.

Hans

On Monday 23 May 2005 18:19, Alexandre D. wrote:
> I have another procedure to submit to you all:
>
> 1) sysctl net.inet.ip.fw.one_pass=0
> this allow to set several pipes for each data
> 2) add a pipe for each user in order limit the user bandwidth:
> ipfw pipe $pipe config bw ${kbps}Kbit/s
> ipfw add $fwrule pipe $pipein ip from any to $clientip in
> 3) add a global pipe for the global bandwidth and then add a
> weighted queue for each users:
> for this, we use weight (ie: 1 for 128, 2 for 256...)
> ipfw pipe 1 config bw ${global_bw}Kbit/s
> ipfw queue $queue config pipe 1 weight 1 # for 128 user
> ipfw queue $queue config pipe 2 weight 2 # for 128k user
> # then redirect the traffic
> ipfw add $fwrule queue $queue ip from any to $clientip in
>
> of course we do the same for outgoing traffic
>
> For the guaranteed bandwidth, one more time, it is given by a
> "weight calculation".
>
> What do you think of it?
>
> Alex
--
Infomatik
http://info.matik.com.br

This message was scanned by the e-mail system and can be considered safe.
Service provided by Datacenter Matik
https://datacenter.matik.com.br

From owner-freebsd-ipfw@FreeBSD.ORG Tue May 24 17:05:40 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 48BF116A41C for ; Tue, 24 May 2005 17:05:40 +0000 (GMT) (envelope-from stephane@enertiasoft.com) Received: from mx1.enertiatech.com (h204-9-110-143.enertiatech.com [204.9.110.143]) by mx1.FreeBSD.org (Postfix) with ESMTP id 04D7243D1D for ; Tue, 24 May 2005 17:05:39 +0000 (GMT) (envelope-from stephane@enertiasoft.com) Received: from localhost (localhost [127.0.0.1]) by mx1.enertiatech.com (Postfix) with ESMTP id E7F6462B6; Tue, 24 May 2005 11:04:41 -0600 (MDT) Received: from mx1.enertiatech.com ([127.0.0.1]) by localhost (mx1.enertiatech.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 51124-06; Tue, 24 May 2005 11:04:22 -0600 (MDT) Received: from [10.0.0.34] (h10-0-0-34.enertiasoft.com [10.0.0.34]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by mx1.enertiatech.com (Postfix) with ESMTP id EA27062F9; Tue, 24 May 2005 11:04:21 -0600 (MDT) In-Reply-To: <428DEB28.5030505@mac.com> References: <39F3A41D-9555-452F-8B41-3EA03E1AC460@enertiasoft.com> <1116435784.34699.23.camel@jose> <5D5EFEE7-F123-43CB-A40E-7FF7EAF03C07@enertiasoft.com> <428DEB28.5030505@mac.com> Mime-Version: 1.0 (Apple Message framework v730) Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed Message-Id: Content-Transfer-Encoding: 7bit
From: Stephane Raimbault Date: Tue, 24 May 2005 11:05:18 -0600 To: Chuck Swiger X-Mailer: Apple Mail (2.730) X-Virus-Scanned: amavisd-new at enertiasoft.com Cc: freebsd-ipfw@freebsd.org Subject: Re: named error sending response: permision denied X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 24 May 2005 17:05:40 -0000

Hi Chuck,

Thank you for your suggestions... I think it helped me solve the problem. It seems I needed to add more rules... although they seem redundant to me, but they have clearly made an improvement and I'm no longer getting those dns related errors in ipfw.log and in /var/log/messages.

This is what my rules look like now:

# Allow setup of incoming TCP connections
${fwcmd} add pass tcp from any to ${ip1} 53 setup
${fwcmd} add pass tcp from any to ${ip2} 53 setup

# Allow DNS queries out in the world
${fwcmd} add pass udp from any 53 to ${ip1} keep-state
${fwcmd} add pass udp from any 53 to ${ip2} keep-state
${fwcmd} add pass udp from ${ip1} to any 53 keep-state
${fwcmd} add pass udp from ${ip2} to any 53 keep-state

# Allow access to our DNS
${fwcmd} add pass udp from any to ${ip1} 53 keep-state
${fwcmd} add pass udp from any to ${ip2} 53 keep-state
${fwcmd} add pass udp from ${ip1} 53 to any keep-state
${fwcmd} add pass udp from ${ip2} 53 to any keep-state

I had this before:

# Allow setup of incoming TCP connections
${fwcmd} add pass tcp from any to ${ip1} 53 setup
${fwcmd} add pass tcp from any to ${ip2} 53 setup

# Allow DNS queries out in the world
${fwcmd} add pass udp from ${ip1} to any 53 keep-state
${fwcmd} add pass udp from ${ip2} to any 53 keep-state

# Allow access to our DNS
${fwcmd} add pass udp from any to ${ip1} 53 keep-state
${fwcmd} add pass udp from any to ${ip2} 53 keep-state

The rules seem redundant to me...
but the following seems to prove otherwise:

01300 0 0 allow tcp from any to 10.0.1.11 53 setup
01400 18 864 allow tcp from any to 204.9.110.134 53 setup
05000 0 0 allow udp from any 53 to 10.0.1.11 keep-state
05100 758 87930 allow udp from any 53 to 204.9.110.134 keep-state
05200 0 0 allow udp from 10.0.1.11 to any 53 keep-state
05300 1152 133847 allow udp from 204.9.110.134 to any 53 keep-state
05400 78 10143 allow udp from any to 10.0.1.11 53 keep-state
05500 11542 1474155 allow udp from any to 204.9.110.134 53 keep-state
05600 0 0 allow udp from 10.0.1.11 53 to any keep-state
05700 848 103507 allow udp from 204.9.110.134 53 to any keep-state

If someone could help explain the details as to why this worked a bit more, I'd appreciate it. It seems painfully obvious, but it still looks redundant to me. I'm a bit confused as you can tell.

Thank you,
Stephane

On 20-May-05, at 7:50 AM, Chuck Swiger wrote:

> Stephane Raimbault wrote:
>
>> Does anyone have any further thoughts on this, or could maybe
>> point me in a direction that could help me solve the problem?
>
> Take a look at "ipfw -a l", and see which rules are being matched.
> The output from that command is critical for understanding what the
> firewall is actually doing, and should help you figure out what is
> going on. [1]
>
> Do these make your DNS work better:
>
> ipfw add 1 pass udp from any to any 53
> ipfw add pass udp from any 53 to any
>
> ...?
>
> These rules are too open, and should just be used for testing, but
> you can see if the problem is with the firewall rules you have now,
> and adjust things from there.
>
> --
> -Chuck
>
> [1]: It would also help *us* figure out what the issue is. If you
> still need help after this, providing more info would be useful.
From owner-freebsd-ipfw@FreeBSD.ORG Tue May 24 18:09:40 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3167416A41C for ; Tue, 24 May 2005 18:09:40 +0000 (GMT) (envelope-from cswiger@mac.com) Received: from smtpout.mac.com (smtpout.mac.com [17.250.248.44]) by mx1.FreeBSD.org (Postfix) with ESMTP id 00B4E43D1F for ; Tue, 24 May 2005 18:09:39 +0000 (GMT) (envelope-from cswiger@mac.com) Received: from mac.com (smtpin01-en2 [10.13.10.146]) by smtpout.mac.com (Xserve/8.12.11/smtpout12/MantshX 4.0) with ESMTP id j4OI9YXS015245; Tue, 24 May 2005 11:09:35 -0700 (PDT) Received: from [192.168.1.6] (pool-68-161-53-96.ny325.east.verizon.net [68.161.53.96]) (authenticated bits=0) by mac.com (Xserve/smtpin01/MantshX 4.0) with ESMTP id j4OI9WTL014873; Tue, 24 May 2005 11:09:33 -0700 (PDT) In-Reply-To: References: <39F3A41D-9555-452F-8B41-3EA03E1AC460@enertiasoft.com> <1116435784.34699.23.camel@jose> <5D5EFEE7-F123-43CB-A40E-7FF7EAF03C07@enertiasoft.com> <428DEB28.5030505@mac.com> Mime-Version: 1.0 (Apple Message framework v730) Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed Message-Id: <96966222-05C1-4686-9F07-EA8A43738B4E@mac.com> Content-Transfer-Encoding: 7bit
From: Charles Swiger Date: Tue, 24 May 2005 14:09:26 -0400 To: Stephane Raimbault X-Mailer: Apple Mail (2.730) Cc: freebsd-ipfw@freebsd.org Subject: Re: named error sending response: permision denied X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 24 May 2005 18:09:40 -0000

On May 24, 2005, at 1:05 PM, Stephane Raimbault wrote:
> Thank you for your suggestions... I think it helped me solve the
> problem. It seems I needed to add more rules... although they seem
> redundant to me, but they have clearly made an improvement and I'm
> no longer getting those dns related errors in ipfw.log and in
> /var/log/messages.

I hate to ask something silly, but you do have a check-state rule somewhere, right?

The rules you've added permit traffic in both directions, which shouldn't be needed unless the stateful matching wasn't working right. Anyway, you don't need to use stateful rules if you permit traffic in both ways, but the possible tradeoff is making the systems more accessible to scanning and some DoS attacks using forged traffic.

Not using keep-state with UDP is quite reasonable, but you might consider adding a "keep-state" with your TCP rules for port 53. You should also be aware that your nameservers will want to make outbound connections using TCP themselves sometimes....
-- -Chuck From owner-freebsd-ipfw@FreeBSD.ORG Tue May 24 18:26:09 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id ED60916A41C for ; Tue, 24 May 2005 18:26:09 +0000 (GMT) (envelope-from stephane@enertiasoft.com) Received: from mx1.enertiatech.com (h204-9-110-143.enertiatech.com [204.9.110.143]) by mx1.FreeBSD.org (Postfix) with ESMTP id A5E1643D1F for ; Tue, 24 May 2005 18:26:09 +0000 (GMT) (envelope-from stephane@enertiasoft.com) Received: from localhost (localhost [127.0.0.1]) by mx1.enertiatech.com (Postfix) with ESMTP id 8D57A62B2; Tue, 24 May 2005 12:25:11 -0600 (MDT) Received: from mx1.enertiatech.com ([127.0.0.1]) by localhost (mx1.enertiatech.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 53909-06; Tue, 24 May 2005 12:24:55 -0600 (MDT) Received: from [10.0.0.34] (h10-0-0-34.enertiasoft.com [10.0.0.34]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by mx1.enertiatech.com (Postfix) with ESMTP id 7ADCF61D2; Tue, 24 May 2005 12:24:55 -0600 (MDT) In-Reply-To: <96966222-05C1-4686-9F07-EA8A43738B4E@mac.com> References: <39F3A41D-9555-452F-8B41-3EA03E1AC460@enertiasoft.com> <1116435784.34699.23.camel@jose> <5D5EFEE7-F123-43CB-A40E-7FF7EAF03C07@enertiasoft.com> <428DEB28.5030505@mac.com> <96966222-05C1-4686-9F07-EA8A43738B4E@mac.com> Mime-Version: 1.0 (Apple Message framework v730) Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed Message-Id: Content-Transfer-Encoding: 7bit 
From: Stephane Raimbault Date: Tue, 24 May 2005 12:25:51 -0600 To: Charles Swiger X-Mailer: Apple Mail (2.730) X-Virus-Scanned: amavisd-new at enertiasoft.com Cc: freebsd-ipfw@freebsd.org Subject: Re: named error sending response: permision denied X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 24 May 2005 18:26:10 -0000

On 24-May-05, at 12:09 PM, Charles Swiger wrote:

> On May 24, 2005, at 1:05 PM, Stephane Raimbault wrote:
>
>> Thank you for your suggestions... I think it helped me solve the
>> problem. It seems I needed to add more rules... although they
>> seem redundant to me, but they have clearly made an improvement
>> and I'm no longer getting those dns related errors in ipfw.log and
>> in /var/log/messages.
>
> I hate to ask something silly, but you do have a check-state rule
> somewhere, right?

it's not silly..., what's silly is now I'm asking how would I check :) or what would the rule look like.

> The rules you've added permit traffic in both directions, which
> shouldn't be needed unless the stateful matching wasn't working
> right. Anyway, you don't need to use stateful rules if you permit
> traffic in both ways, but the possible tradeoff is making the
> systems more accessible to scanning and some DoS attacks using
> forged traffic.
>
> Not using keep-state with UDP is quite reasonable, but you might
> consider adding a "keep-state" with your TCP rules for port 53.
> You should also be aware that your nameservers will want to make
> outbound connections using TCP themselves sometimes....

you've actually kinda answered the other question I neglected to ask... which is, would I really need the keep-state, since it seemed to work without it being there when I did my testing earlier today. Regarding adding keep-state to my tcp rule... would this not do the same thing... ?
am I confused... or is it just insecure of doing it this way:

# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established

Thanks,
Stephane.

> --
> -Chuck

From owner-freebsd-ipfw@FreeBSD.ORG Tue May 24 20:13:03 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id ED57416A41C for ; Tue, 24 May 2005 20:13:02 +0000 (GMT) (envelope-from cswiger@mac.com) Received: from smtpout.mac.com (smtpout.mac.com [17.250.248.70]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9B27F43D49 for ; Tue, 24 May 2005 20:13:02 +0000 (GMT) (envelope-from cswiger@mac.com) Received: from mac.com (smtpin08-en2 [10.13.10.153]) by smtpout.mac.com (Xserve/8.12.11/smtpout13/MantshX 4.0) with ESMTP id j4OKD0Lg022797; Tue, 24 May 2005 13:13:01 -0700 (PDT) Received: from [192.168.1.6] (pool-68-161-53-96.ny325.east.verizon.net [68.161.53.96]) (authenticated bits=0) by mac.com (Xserve/smtpin08/MantshX 4.0) with ESMTP id j4OKCwXE017427; Tue, 24 May 2005 13:12:59 -0700 (PDT) In-Reply-To: References: <39F3A41D-9555-452F-8B41-3EA03E1AC460@enertiasoft.com> <1116435784.34699.23.camel@jose> <5D5EFEE7-F123-43CB-A40E-7FF7EAF03C07@enertiasoft.com> <428DEB28.5030505@mac.com> <96966222-05C1-4686-9F07-EA8A43738B4E@mac.com> Mime-Version: 1.0 (Apple Message framework v730) Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed Message-Id: <0E1A6107-FB85-4D9F-9873-7E5FBE8EB4C5@mac.com> Content-Transfer-Encoding: 7bit
From: Charles Swiger Date: Tue, 24 May 2005 16:12:52 -0400 To: Stephane Raimbault X-Mailer: Apple Mail (2.730) Cc: freebsd-ipfw@freebsd.org Subject: Re: named error sending response: permision denied X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 24 May 2005 20:13:03 -0000

On May 24, 2005, at 2:25 PM, Stephane Raimbault wrote:
>> I hate to ask something silly, but you do have a check-state rule
>> somewhere, right?
>
> it's not silly..., what's silly is now I'm asking how would I
> check :) or what would the rule look like.

You'd have an "ipfw add check-state" rule somewhere.

>> The rules you've added permit traffic in both directions, which
>> shouldn't be needed unless the stateful matching wasn't working
>> right. Anyway, you don't need to use stateful rules if you permit
>> traffic in both ways, but the possible tradeoff is making the
>> systems more accessible to scanning and some DoS attacks using
>> forged traffic.
>>
>> Not using keep-state with UDP is quite reasonable, but you might
>> consider adding a "keep-state" with your TCP rules for port 53.
>> You should also be aware that your nameservers will want to make
>> outbound connections using TCP themselves sometimes....
>
> you've actually kinda answered the other question I neglected to
> ask... which is, would I really need the keep-state, since it
> seemed to work without it being there when I did my testing earlier
> today. Regarding adding keep-state to my tcp rule... would this
> not do the same thing... ? am I confused... or is it just insecure
> of doing it this way:
>
> # Allow TCP through if setup succeeded
> ${fwcmd} add pass tcp from any to any established

Stateful matching of connections can be more secure than passing any traffic which is established, but that depends on the other rules which are being used.
However, the IPFW manpage has a good description of this:

     The typical use of dynamic rules is to keep a closed firewall configuration, but let the first TCP SYN packet from the inside network install a dynamic rule for the flow so that packets belonging to that session will be allowed through the firewall:

           ipfw add check-state
           ipfw add allow tcp from my-subnet to any setup keep-state
           ipfw add deny tcp from any to any

--
-Chuck

From owner-freebsd-ipfw@FreeBSD.ORG Tue May 24 20:29:19 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3098416A41C for ; Tue, 24 May 2005 20:29:19 +0000 (GMT) (envelope-from stephane@enertiasoft.com) Received: from mx1.enertiatech.com (h204-9-110-143.enertiatech.com [204.9.110.143]) by mx1.FreeBSD.org (Postfix) with ESMTP id D6FC943D48 for ; Tue, 24 May 2005 20:29:18 +0000 (GMT) (envelope-from stephane@enertiasoft.com) Received: from localhost (localhost [127.0.0.1]) by mx1.enertiatech.com (Postfix) with ESMTP id B6AA16309; Tue, 24 May 2005 14:28:20 -0600 (MDT) Received: from mx1.enertiatech.com ([127.0.0.1]) by localhost (mx1.enertiatech.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 58688-10; Tue, 24 May 2005 14:28:01 -0600 (MDT) Received: from [10.0.0.34] (h10-0-0-34.enertiasoft.com [10.0.0.34]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by mx1.enertiatech.com (Postfix) with ESMTP id 8077562D5; Tue, 24 May 2005 14:28:01 -0600 (MDT) In-Reply-To: <0E1A6107-FB85-4D9F-9873-7E5FBE8EB4C5@mac.com> References: <39F3A41D-9555-452F-8B41-3EA03E1AC460@enertiasoft.com> <1116435784.34699.23.camel@jose> <5D5EFEE7-F123-43CB-A40E-7FF7EAF03C07@enertiasoft.com> <428DEB28.5030505@mac.com> <96966222-05C1-4686-9F07-EA8A43738B4E@mac.com> <0E1A6107-FB85-4D9F-9873-7E5FBE8EB4C5@mac.com> Mime-Version: 1.0 (Apple Message framework v730) Content-Type:
text/plain; charset=US-ASCII; delsp=yes; format=flowed Message-Id: <33C31ADD-A2A0-47FC-968D-267278F63F89@enertiasoft.com> Content-Transfer-Encoding: 7bit 
From: Stephane Raimbault Date: Tue, 24 May 2005 14:28:58 -0600 To: Charles Swiger X-Mailer: Apple Mail (2.730) X-Virus-Scanned: amavisd-new at enertiasoft.com Cc: freebsd-ipfw@freebsd.org Subject: Re: named error sending response: permision denied X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 24 May 2005 20:29:19 -0000

On 24-May-05, at 2:12 PM, Charles Swiger wrote:

> On May 24, 2005, at 2:25 PM, Stephane Raimbault wrote:
>
>>> I hate to ask something silly, but you do have a check-state rule
>>> somewhere, right?
>>
>> it's not silly..., what's silly is now I'm asking how would I
>> check :) or what would the rule look like.
>
> You'd have an "ipfw add check-state" rule somewhere.
>
>>> The rules you've added permit traffic in both directions, which
>>> shouldn't be needed unless the stateful matching wasn't working
>>> right. Anyway, you don't need to use stateful rules if you
>>> permit traffic in both ways, but the possible tradeoff is making
>>> the systems more accessible to scanning and some DoS attacks
>>> using forged traffic.
>>>
>>> Not using keep-state with UDP is quite reasonable, but you might
>>> consider adding a "keep-state" with your TCP rules for port 53.
>>> You should also be aware that your nameservers will want to make
>>> outbound connections using TCP themselves sometimes....
>>
>> you've actually kinda answered the other question I neglected to
>> ask... which is, would I really need the keep-state, since it
>> seemed to work without it being there when I did my testing
>> earlier today. Regarding adding keep-state to my tcp rule...
>> would this not do the same thing... ? am I confused...
>> or is it just insecure of doing it this way:
>>
>> # Allow TCP through if setup succeeded
>> ${fwcmd} add pass tcp from any to any established
>
> Stateful matching of connections can be more secure than passing
> any traffic which is established, but that depends on the other
> rules which are being used. However, the IPFW manpage has a good
> description of this:
>
>      The typical use of dynamic rules is to keep a closed firewall
>      configuration, but let the first TCP SYN packet from the inside
>      network install a dynamic rule for the flow so that packets
>      belonging to that session will be allowed through the firewall:
>
>            ipfw add check-state
>            ipfw add allow tcp from my-subnet to any setup keep-state
>            ipfw add deny tcp from any to any

That's very interesting and makes sense. I do not have the check-state in there, and just specify each port that is open, I'm guessing I did not run into this problem with anything else, as dns is a very stateful type of protocol?

Would this be hand with an FTP server, right now I just tell the ftp server to use specific passive ports, and open up the firewall to allow connections on there. Would I be able to eliminate that with simply setting up check-state and also having keep-state at the end of the tcp allow rules ?

Thanks,
Stephane.
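An added example, not code from anyone in this thread: a small sh/awk audit that reads an `ipfw -a list` style listing and flags the two points under discussion, keep-state rules with no check-state ahead of them, and a blanket `allow tcp from any to any established` rule. Per ipfw(8), without a check-state rule the dynamic ruleset is only consulted when the first keep-state (or limit) rule is reached, so every rule before that point never sees the state; and an any-to-any `established` rule admits every TCP packet with ACK or RST set, state or no state. The "as posted" listing is constructed from the rule counters Stephane posted earlier in this thread plus one constructed rule 06000 for the `established` variant he asked about; the "hardened" listing is a constructed variant that follows the manpage pattern quoted above (check-state first, `setup keep-state` on the TCP rules, no blanket established rule). Only `awk`, `tail` and `cut` are used.

```sh
#!/bin/sh
# Added example, not code from the thread. Audits an "ipfw -a list" style
# listing for keep-state rules without a preceding check-state and for
# blanket "allow tcp from any to any established" rules.

# audit_rules: reads a listing on stdin, prints one finding per line and a
# final "N finding(s)" summary line. Rule number is field 1; with -a the
# packet and byte counters are fields 2 and 3, which the patterns skip.
audit_rules() {
    awk '
    BEGIN { seen_check_state = 0; n = 0 }
    / check-state/ { seen_check_state = 1 }
    / keep-state/ && !seen_check_state {
        n++
        printf "rule %s: keep-state with no check-state before it\n", $1
    }
    / allow tcp from any to any established/ {
        n++
        printf "rule %s: blanket established rule, admits any ACK/RST packet\n", $1
    }
    END { printf "%d finding(s)\n", n }
    '
}

# Listing as posted above (counters copied from the post), plus one
# constructed rule 06000 for the "established" rule that was asked about.
posted_listing() {
    cat <<'EOF'
01300 0 0 allow tcp from any to 10.0.1.11 53 setup
01400 18 864 allow tcp from any to 204.9.110.134 53 setup
05000 0 0 allow udp from any 53 to 10.0.1.11 keep-state
05100 758 87930 allow udp from any 53 to 204.9.110.134 keep-state
05200 0 0 allow udp from 10.0.1.11 to any 53 keep-state
05300 1152 133847 allow udp from 204.9.110.134 to any 53 keep-state
05400 78 10143 allow udp from any to 10.0.1.11 53 keep-state
05500 11542 1474155 allow udp from any to 204.9.110.134 53 keep-state
05600 0 0 allow udp from 10.0.1.11 53 to any keep-state
05700 848 103507 allow udp from 204.9.110.134 53 to any keep-state
06000 0 0 allow tcp from any to any established
EOF
}

# Hardened variant (constructed): check-state first, the TCP setup rules
# keep state so replies match the dynamic rule, the reverse-direction UDP
# rules are gone because the dynamic rule covers the reply, and there is
# no blanket established rule.
hardened_listing() {
    cat <<'EOF'
00100 0 0 check-state
01300 0 0 allow tcp from any to 10.0.1.11 53 setup keep-state
01400 0 0 allow tcp from any to 204.9.110.134 53 setup keep-state
05200 0 0 allow udp from 10.0.1.11 to any 53 keep-state
05300 0 0 allow udp from 204.9.110.134 to any 53 keep-state
05400 0 0 allow udp from any to 10.0.1.11 53 keep-state
05500 0 0 allow udp from any to 204.9.110.134 53 keep-state
65534 0 0 deny ip from any to any
EOF
}

# finding_count LISTING_FUNC -> just the number from the summary line
finding_count() {
    "$1" | audit_rules | tail -n 1 | cut -d' ' -f1
}

echo "== as posted =="
posted_listing | audit_rules
echo "== hardened =="
hardened_listing | audit_rules
```

Feed a live listing with `ipfw -a list | audit_rules` to audit a running firewall; the finding count for the hardened listing is zero, while the as-posted one reports every keep-state rule plus the established rule.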
From owner-freebsd-ipfw@FreeBSD.ORG Tue May 24 21:10:18 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9D20316A41C for ; Tue, 24 May 2005 21:10:18 +0000 (GMT) (envelope-from cswiger@mac.com) Received: from smtpout.mac.com (smtpout.mac.com [17.250.248.84]) by mx1.FreeBSD.org (Postfix) with ESMTP id 214BE43D49 for ; Tue, 24 May 2005 21:10:16 +0000 (GMT) (envelope-from cswiger@mac.com) Received: from mac.com (smtpin01-en2 [10.13.10.146]) by smtpout.mac.com (Xserve/8.12.11/smtpout08/MantshX 4.0) with ESMTP id j4OLACg9014083; Tue, 24 May 2005 14:10:13 -0700 (PDT) Received: from [192.168.1.6] (pool-68-161-53-96.ny325.east.verizon.net [68.161.53.96]) (authenticated bits=0) by mac.com (Xserve/smtpin01/MantshX 4.0) with ESMTP id j4OLAAxQ000335; Tue, 24 May 2005 14:10:11 -0700 (PDT) In-Reply-To: <33C31ADD-A2A0-47FC-968D-267278F63F89@enertiasoft.com> References: <39F3A41D-9555-452F-8B41-3EA03E1AC460@enertiasoft.com> <1116435784.34699.23.camel@jose> <5D5EFEE7-F123-43CB-A40E-7FF7EAF03C07@enertiasoft.com> <428DEB28.5030505@mac.com> <96966222-05C1-4686-9F07-EA8A43738B4E@mac.com> <0E1A6107-FB85-4D9F-9873-7E5FBE8EB4C5@mac.com> <33C31ADD-A2A0-47FC-968D-267278F63F89@enertiasoft.com> Mime-Version: 1.0 (Apple Message framework v730) Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed Message-Id: <78A9BEFC-DAB7-4140-91A1-4EC0EF1D9E11@mac.com> Content-Transfer-Encoding: 7bit
From: Charles Swiger Date: Tue, 24 May 2005 17:10:10 -0400 To: Stephane Raimbault X-Mailer: Apple Mail (2.730) Cc: freebsd-ipfw@freebsd.org Subject: Re: named error sending response: permision denied X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 24 May 2005 21:10:18 -0000

On May 24, 2005, at 4:28 PM, Stephane Raimbault wrote:
> That's very interesting and makes sense. I do not have the check-
> state in there, and just specify each port that is open, I'm
> guessing I did not run into this problem with anything else, as dns
> is a very stateful type of protocol?

DNS is more complicated than simple UDP-only protocols, sure.  If you
have DNS problems, lots of other stuff won't work so well, either.

> Would this be hand with an FTP server, right now I just tell the
> ftp server to use specific
                ^^^^ "hard"?

> passive ports, and open up the firewall to allow connections on
> there. Would I be able to eliminate that with simply setting up
> check-state and also having keep-state at the end of the tcp allow
> rules ?

Active mode FTP is another hard case to deal with, but most clients
and servers support passive-mode FTP now, which works better over a
firewall or NAT situation.

If no check-state rule is specified, IPFW uses a fallback where it
supposedly looks for keep-state rules or limit rules, instead.  But
yes, if you are going to use keep-state rules, you should have a
check-state rule, too.  Only, it's better to put that rule sooner
rather than later, to reduce the amount of work the firewall has to
do for established connections.
-- -Chuck From owner-freebsd-ipfw@FreeBSD.ORG Wed May 25 11:59:35 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BB2D716A41F for ; Wed, 25 May 2005 11:59:35 +0000 (GMT) (envelope-from thewolfro@yahoo.com) Received: from web32906.mail.mud.yahoo.com (web32906.mail.mud.yahoo.com [68.142.206.53]) by mx1.FreeBSD.org (Postfix) with SMTP id E3CCB43D53 for ; Wed, 25 May 2005 11:59:34 +0000 (GMT) (envelope-from thewolfro@yahoo.com) Received: (qmail 68742 invoked by uid 60001); 25 May 2005 11:59:34 -0000 Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; b=kCSxAH8jaaKtN1uo4NydCskJFk1BGKFX00rQIzQLekMfLXKyV8yqvNJ0d5k1pgoLoEElC5+o4wEoGIBN1GhC6JQHICI6dTdobEGvG41DDKocupFkBZ4AHmKVr1uvmYBDR4bLx+lRb+ybGPAaE7QU5z4M9HzNgsycKToOdBVcT2Y= ; Message-ID: <20050525115934.68740.qmail@web32906.mail.mud.yahoo.com> Received: from [217.156.51.2] by web32906.mail.mud.yahoo.com via HTTP; Wed, 25 May 2005 04:59:34 PDT Date: Wed, 25 May 2005 04:59:34 -0700 (PDT) 
From: george roman To: freebsd-ipfw@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Subject: NAT question X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 May 2005 11:59:35 -0000

hi,
i have a small private network and i do not want to
give internet access to all the users in the network.
for nat, i use the command

ipfw add divert natd all from any to any via fxp0

what would be the command with which i can restrict
access only to certain ip addresses ?

i tried this command
ipfw add divert natd all from 192.168.1.1/32 to any via fxp0

to give access to internet only to the 192.168.1.1 ip
but it didn't work

can you help me?

__________________________________
Do you Yahoo!?
Yahoo! Small Business - Try our new Resources site
http://smallbusiness.yahoo.com/resources/

From owner-freebsd-ipfw@FreeBSD.ORG Wed May 25 12:11:25 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7B82C16A41C for ; Wed, 25 May 2005 12:11:25 +0000 (GMT) (envelope-from tw@wsf.at) Received: from viefep20-int.chello.at (viefep12-int.chello.at [213.46.255.25]) by mx1.FreeBSD.org (Postfix) with ESMTP id ABD2643D49 for ; Wed, 25 May 2005 12:11:23 +0000 (GMT) (envelope-from tw@wsf.at) Received: from [10.1.1.156] (really [84.112.100.252]) by viefep20-int.chello.at (InterMail vM.6.01.04.04 201-2131-118-104-20050224) with ESMTP id <20050525121121.PPHP29474.viefep20-int.chello.at@[10.1.1.156]>; Wed, 25 May 2005 14:11:21 +0200 Message-ID: <42946C20.4070805@wsf.at> Date: Wed, 25 May 2005 14:14:24 +0200
From: Thomas Wolf User-Agent: Mozilla Thunderbird 1.0.2 (X11/20050510) X-Accept-Language: en-us, en MIME-Version: 1.0 To: george roman References: <20050525115934.68740.qmail@web32906.mail.mud.yahoo.com> In-Reply-To: <20050525115934.68740.qmail@web32906.mail.mud.yahoo.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-ipfw@freebsd.org Subject: Re: NAT question X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 May 2005 12:11:25 -0000

george roman wrote:
> hi,
> i have a small private network and i do not want to
> give internet access to all the users in the network.
> for nat, i use the command
>
> ipfw add divert natd all from any to any via fxp0
>
> what would be the command with which i can restrict
> access only to certain ip addresses ?
>
> i tried this command
> ipfw add divert natd all from 192.168.1.1/32 to any
> via fxp0
>
> to give access to internet only to the 192.168.1.1 ip
> but it didn't work

Yes, you are preventing incoming traffic from being nat'ed.
Try using two rules instead:

ipfw add divert natd all from any to any in recv fxp0
ipfw add divert natd all from 192.168.1.1/32 to any out xmit fxp0

Thomas

From owner-freebsd-ipfw@FreeBSD.ORG Wed May 25 14:40:29 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 05F5916A41C for ; Wed, 25 May 2005 14:40:29 +0000 (GMT) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.177]) by mx1.FreeBSD.org (Postfix) with ESMTP id 604F043D1F for ; Wed, 25 May 2005 14:40:25 +0000 (GMT) (envelope-from max@love2party.net) Received: from p54A3B868.dip.t-dialin.net [84.163.184.104] (helo=donor.laier.local) by mrelayeu.kundenserver.de with ESMTP (Nemesis), id 0MKwpI-1Dawxz00Dg-0006e6; Wed, 25 May 2005 16:34:39 +0200
From: Max Laier To: freebsd-ipfw@freebsd.org Date: Wed, 25 May 2005 16:34:23 +0200 User-Agent: KMail/1.8 MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart3147247.EOBnkcBnR9"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200505251634.34478.max@love2party.net> X-Provags-ID: kundenserver.de abuse@kundenserver.de login:61c499deaeeba3ba5be80f48ecc83056 Subject: [PATCH] ipv4 only rules (test and feedback) X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 May 2005 14:40:29 -0000 --nextPart3147247.EOBnkcBnR9 Content-Type: multipart/mixed; boundary="Boundary-01=_wzIlCq5E0qbcCzR" Content-Transfer-Encoding: 7bit Content-Disposition: inline --Boundary-01=_wzIlCq5E0qbcCzR Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline

All,

with the recent merge of IPv6 functionality into ipfw2, ip6fw is obsolete.
As the latter is neither locked nor using the pfil_hooks API, it was decided
that it should be removed.  Of course, this means that ipfw2 has to
provide all the functionality that ip6fw provided before.

In order to achieve this, there is one feature missing [for all I know, please
scream now if you have anything else]: IPv4 only rules.  Previously, it was
possible to do:

  ipfw add 100 deny all from any to any

to block all IPv4 traffic.  With IPv6 incorporated into ipfw2 this no
longer works as it will block IPv6 traffic as well.  With the patch attached
you can now do:

  ipfw add 100 deny ipv4 from any to any
or
  ipfw add 100 deny ipv6 from any to any

to block IPv4 or IPv6.

If you are running an IPv6/IPv4 host/gateway/firewall on current, please test
the patch and send your feedback.  Be sure to have kernel and userland in
sync!
=2D-=20 /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News --Boundary-01=_wzIlCq5E0qbcCzR Content-Type: text/x-diff; charset="us-ascii"; name="ipv4-only.patch" Content-Transfer-Encoding: quoted-printable Content-Disposition: attachment; filename="ipv4-only.patch" Index: sbin/ipfw/ipfw2.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sbin/ipfw/ipfw2.c,v retrieving revision 1.74 diff -u -r1.74 ipfw2.c =2D-- sbin/ipfw/ipfw2.c 21 May 2005 03:27:33 -0000 1.74 +++ sbin/ipfw/ipfw2.c 24 May 2005 19:19:30 -0000 @@ -275,6 +275,8 @@ TOK_EXT6HDR, TOK_DSTIP6, TOK_SRCIP6, + + TOK_IPV4, }; =20 struct _s_x dummynet_params[] =3D { @@ -395,6 +397,8 @@ { "flow-id", TOK_FLOWID}, { "ipv6", TOK_IPV6}, { "ip6", TOK_IPV6}, + { "ipv4", TOK_IPV4}, + { "ip4", TOK_IPV4}, { "dst-ipv6", TOK_DSTIP6}, { "dst-ip6", TOK_DSTIP6}, { "src-ipv6", TOK_SRCIP6}, @@ -1260,6 +1264,7 @@ #define HAVE_DSTIP 0x0004 #define HAVE_MAC 0x0008 #define HAVE_MACTYPE 0x0010 +#define HAVE_PROTO4 0x0040 #define HAVE_PROTO6 0x0080 #define HAVE_OPTIONS 0x8000 =20 @@ -1283,11 +1288,14 @@ return; } if ( !(*flags & HAVE_OPTIONS)) { =2D /* XXX BED: !(*flags & HAVE_PROTO) in patch */ =2D if ( !(*flags & HAVE_PROTO6) && (want & HAVE_PROTO6)) =2D printf(" ipv6"); if ( !(*flags & HAVE_PROTO) && (want & HAVE_PROTO)) =2D printf(" ip"); + if ( (*flags & HAVE_PROTO4)) + printf(" ip4"); + else if ( (*flags & HAVE_PROTO6)) + printf(" ip6"); + else + printf(" ip"); + if ( !(*flags & HAVE_SRCIP) && (want & HAVE_SRCIP)) printf(" from any"); if ( !(*flags & HAVE_DSTIP) && (want & HAVE_DSTIP)) 
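Review bot: in the show_prerequisites hunk the new ` ip4`/` ip6` output is nested under `if ( !(*flags & HAVE_PROTO) && (want & HAVE_PROTO))`, so it is skipped whenever a protocol name has already been printed and HAVE_PROTO is set; since the options loop later drops the O_IP4/O_IP6 instruction itself when HAVE_PROTO4/HAVE_PROTO6 is set, a rule such as `deny ipv4 from any to any proto udp` lists as `deny udp from any to any` and no longer round-trips (the case reported later in this thread). Print the qualifier on its own condition and mark it printed, e.g. `if ((*flags & HAVE_PROTO4) && (want & HAVE_PROTO)) printf(" ipv4");` before the protocol, and use the same spelling as the O_IP4/O_IP6 print cases, which emit ` ipv4`/` ipv6` rather than ` ip4`/` ip6`.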
@@ -1468,9 +1476,23 @@ /* * then print the body. */ + for (l =3D rule->act_ofs, cmd =3D rule->cmd ; + l > 0 ; l -=3D F_LEN(cmd) , cmd +=3D F_LEN(cmd)) { + if ((cmd->len & F_OR) || (cmd->len & F_NOT)) + continue; + if (cmd->opcode =3D=3D O_IP4) { + flags |=3D HAVE_PROTO4; + break; + } else if (cmd->opcode =3D=3D O_IP6) { + flags |=3D HAVE_PROTO6; + break; + } =09 + } if (rule->_pad & 1) { /* empty rules before options */ =2D if (!do_compact) =2D printf(" ip from any to any"); + if (!do_compact) { + show_prerequisites(&flags, HAVE_PROTO, 0); + printf(" from any to any"); + } flags |=3D HAVE_IP | HAVE_OPTIONS; } =20 @@ -1611,6 +1633,12 @@ break; =20 default: /*options ... */ + if (!(cmd->len & (F_OR|F_NOT))) + if (((cmd->opcode =3D=3D O_IP6) && + (flags & HAVE_PROTO6)) || + ((cmd->opcode =3D=3D O_IP4) && + (flags & HAVE_PROTO4))) + break; show_prerequisites(&flags, HAVE_IP | HAVE_OPTIONS, 0); if ((cmd->len & F_OR) && !or_block) printf(" {"); @@ -1810,10 +1838,14 @@ } break; =20 =2D case O_IP6: =20 + case O_IP6: printf(" ipv6"); break; =20 + case O_IP4: + printf(" ipv4"); + break; + case O_ICMP6TYPE: print_icmp6types((ipfw_insn_u32 *)cmd); break; @@ -3506,13 +3538,18 @@ *proto =3D IPPROTO_IP; =20 if (_substrcmp(av, "all") =3D=3D 0) =2D ; /* same as "ip" */ =2D else if ((*proto =3D atoi(av)) > 0) + ; /* do not set O_IP4 nor O_IP6 */ + else if (strcmp(av, "ipv4") =3D=3D 0 || strcmp(av, "ip4") =3D=3D 0) + /* explicit "just IPv4" rule */ + fill_cmd(cmd, O_IP4, 0, 0); + else if (strcmp(av, "ipv6") =3D=3D 0 || strcmp(av, "ip6") =3D=3D 0) { + /* explicit "just IPv6" rule */ + *proto =3D IPPROTO_IPV6; + fill_cmd(cmd, O_IP6, 0, 0); + } else if ((*proto =3D atoi(av)) > 0) ; /* all done! */ else if ((pe =3D getprotobyname(av)) !=3D NULL) *proto =3D pe->p_proto; =2D else if (strcmp(av, "ipv6") =3D=3D 0 || strcmp(av, "ip6") =3D=3D 0) =2D *proto =3D IPPROTO_IPV6; else return NULL; if (*proto !=3D IPPROTO_IP && *proto !=3D IPPROTO_IPV6) 
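Review bot: in the add_proto hunk the `ipv4`/`ip4` and `ipv6`/`ip6` branches now write an O_IP4/O_IP6 instruction into `cmd` as a side effect, where the function previously only set `*proto`; the TOK_PROTO caller in the next hunk drops its own `fill_cmd(cmd, O_IP6, 0, 0)` to match, but any other call site of add_proto (the positional protocol parser is not in this diff) must now advance `cmd` past the instruction add_proto wrote, otherwise the following instruction overwrites it. Please confirm that, and say in the `/* explicit "just IPv4" rule */` comment that `*proto` deliberately stays IPPROTO_IP for the ipv4 spellings, since the trailing `if (*proto != IPPROTO_IP && *proto != IPPROTO_IPV6)` relies on it.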
@@ -4347,8 +4384,6 @@ case TOK_PROTO: NEED1("missing protocol"); if (add_proto(cmd, *av, &proto)) { =2D if (proto =3D=3D IPPROTO_IPV6) =2D fill_cmd(cmd, O_IP6, 0, 0); ac--; av++; } else errx(EX_DATAERR, "invalid protocol ``%s''", @@ -4435,6 +4470,10 @@ fill_cmd(cmd, O_IP6, 0, 0); break; =20 + case TOK_IPV4: + fill_cmd(cmd, O_IP4, 0, 0); + break; + case TOK_EXT6HDR: fill_ext6hdr( cmd, *av ); ac--; av++; Index: sys/netinet/ip_fw.h =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/netinet/ip_fw.h,v retrieving revision 1.99 diff -u -r1.99 ip_fw.h =2D-- sys/netinet/ip_fw.h 4 May 2005 13:12:52 -0000 1.99 +++ sys/netinet/ip_fw.h 19 May 2005 00:30:39 -0000 @@ -153,6 +153,8 @@ O_NETGRAPH, /* send to ng_ipfw */ O_NGTEE, /* copy to ng_ipfw */ =20 + O_IP4, + O_LAST_OPCODE /* not an opcode! */ }; =20 Index: sys/netinet/ip_fw2.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/netinet/ip_fw2.c,v retrieving revision 1.97 diff -u -r1.97 ip_fw2.c =2D-- sys/netinet/ip_fw2.c 4 May 2005 13:12:52 -0000 1.97 +++ sys/netinet/ip_fw2.c 19 May 2005 00:32:55 -0000 @@ -1961,6 +1961,7 @@ int is_ipv6 =3D 0; u_int16_t ext_hd =3D 0; /* bits vector for extension header filtering */ /* end of ipv6 variables */ + int is_ipv4 =3D 0; =20 if (m->m_flags & M_SKIP_FIREWALL) return (IP_FW_PASS); /* accept */ @@ -2071,6 +2072,7 @@ } else if (pktlen >=3D sizeof(struct ip) && (args->eh =3D=3D NULL || ntohs(args->eh->ether_type) =3D=3D ETHERTYPE= _IP) && mtod(m, struct ip *)->ip_v =3D=3D 4) { + is_ipv4 =3D 1; ip =3D mtod(m, struct ip *); hlen =3D ip->ip_hl << 2; args->f_id.addr_type =3D 4; 
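Review bot: in the ip_fw.h hunk the new opcode is appended immediately before O_LAST_OPCODE rather than next to O_IP6; keep it there on commit, because every existing opcode value stays unchanged and an ipfw binary and kernel of different ages still agree on the encoding of rules that do not use it. It is, however, the only entry in the visible enum without a trailing comment (compare `O_NETGRAPH, /* send to ng_ipfw */`), so add one such as `O_IP4, /* match IPv4 packets only */`.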
@@ -2672,6 +2674,10 @@ break; #endif =20 + case O_IP4: + match =3D is_ipv4; + break; + /* * The second set of opcodes represents 'actions', * i.e. the terminal part of a rule once the packet 
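Review bot: the `case O_IP4: match = is_ipv4;` hunk sits after the `#endif` that closes the INET6-only opcodes, so it compiles in kernels without INET6, which is right; but `is_ipv4` is declared in the earlier hunk directly after the `/* end of ipv6 variables */` comment and set only in the `ip_v == 4` branch of the header parsing, so please confirm that declaration is outside any `#ifdef INET6` block. Also worth documenting, since the diff touches no ipfw.8 text for the new keyword: `is_ipv4` is set only when the packet passed the `pktlen >= sizeof(struct ip)` check and either carries no Ethernet header or has `ether_type == ETHERTYPE_IP`, so on a layer-2 hook `deny ipv4 from any to any` matches neither IPv6 nor non-IP frames such as ARP, and is therefore narrower than the old `deny all from any to any` it is meant to replace.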
@@ -3317,6 +3323,7 @@ case O_IP6_DST_ME: case O_EXT_HDR: case O_IP6: + case O_IP4: if (cmdlen !=3D F_INSN_SIZE(ipfw_insn)) goto bad_size; break; --Boundary-01=_wzIlCq5E0qbcCzR-- --nextPart3147247.EOBnkcBnR9 Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (FreeBSD) iD8DBQBClIz6XyyEoT62BG0RAinwAJ9nZ+7c4Qpfmm4v4yRdoftvOk6zzgCfTsFw vDu6vg1BrhGhrnWO1uJxV3s= =kNwn -----END PGP SIGNATURE----- --nextPart3147247.EOBnkcBnR9-- From owner-freebsd-ipfw@FreeBSD.ORG Thu May 26 11:50:45 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7A53D16A421 for ; Thu, 26 May 2005 11:50:45 +0000 (GMT) (envelope-from richardtector@thekeelecentre.com) Received: from mx0.thekeelecentre.com (mx0.thekeelecentre.com [217.206.238.167]) by mx1.FreeBSD.org (Postfix) with ESMTP id 17D4743D1F for ; Thu, 26 May 2005 11:50:44 +0000 (GMT) (envelope-from richardtector@thekeelecentre.com) Received: from av.mx0.thekeelecentre.com (av.mx0.thekeelecentre.com [217.206.238.166]) by mx0.thekeelecentre.com (Postfix) with ESMTP id 66DAD418C; Thu, 26 May 2005 12:22:03 +0100 (BST) Received: from mx0.thekeelecentre.com ([217.206.238.167]) by av.mx0.thekeelecentre.com (av.mx0.thekeelecentre.com [217.206.238.166]) (amavisd-new, port 10024) with ESMTP id 24305-06; Thu, 26 May 2005 12:22:03 +0100 (BST) Received: from [217.206.238.190] (host-190.thekeelecentre.com [217.206.238.190]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx0.thekeelecentre.com (Postfix) with ESMTP id 1580F4099; Thu, 26 May 2005 12:21:52 +0100 (BST) Message-ID: <4295B14B.2010302@thekeelecentre.com> Date: Thu, 26 May 2005 12:21:47 +0100 
From: Richard Tector User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20040910 X-Accept-Language: en-gb, en MIME-Version: 1.0 To: Max Laier References: <200505251634.34478.max@love2party.net> In-Reply-To: <200505251634.34478.max@love2party.net> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Scanned: by amavisd-new at mx0.thekeelecentre.com Cc: freebsd-ipfw@freebsd.org Subject: Re: [PATCH] ipv4 only rules (test and feedback) X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 26 May 2005 11:50:45 -0000

Max Laier wrote:
> With the patch attached you can now do:
>
>   ipfw add 100 deny ipv4 from any to any
> or
>   ipfw add 100 deny ipv6 from any to any
>
> to block IPv4 or IPv6.

How would you, for example, deny all udp traffic over ipv4 but not ipv6?
Is this possible with ipfw2 as it stands?

Kind regards,

Richard Tector
CAPL Limited

From owner-freebsd-ipfw@FreeBSD.ORG Wed May 25 23:17:21 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5B32E16A41C for ; Wed, 25 May 2005 23:17:21 +0000 (GMT) (envelope-from mdonada@slchapeco.org) Received: from smtp207.mail.sc5.yahoo.com (smtp207.mail.sc5.yahoo.com [216.136.129.97]) by mx1.FreeBSD.org (Postfix) with SMTP id 1537843D4C for ; Wed, 25 May 2005 23:17:20 +0000 (GMT) (envelope-from mdonada@slchapeco.org) Received: (qmail 69396 invoked from network); 25 May 2005 23:17:19 -0000 Received: from unknown (HELO emperor) (marcio?donada@201.11.82.160 with login) by smtp207.mail.sc5.yahoo.com with SMTP; 25 May 2005 23:17:18 -0000 Message-ID: <005101c56180$07e78a10$ac01010a@emperor>
From: =?iso-8859-1?Q?M=E1rcio_Luciano_Donada?= To: References: <20050525115934.68740.qmail@web32906.mail.mud.yahoo.com> <42946C20.4070805@wsf.at> Date: Wed, 25 May 2005 20:18:14 -0300 Organization: Cooperativa Central Oeste Catarinense LTDA MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1106 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 X-Antivirus: avast! (VPS 0521-2, 25/05/2005), Outbound message X-Antivirus-Status: Clean X-Mailman-Approved-At: Thu, 26 May 2005 13:42:42 +0000 Subject: Re: NAT question X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: =?iso-8859-1?Q?M=E1rcio_Luciano_Donada?= List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 May 2005 23:17:21 -0000

Good night.

I'm using natd and ipfw:

#NATD
${fwcmd} add divert 8668 ip from 192.168.1.0/24 to not 192.168.1.0/24
${fwcmd} add divert 8668 ip from not 192.168.1.0/24 to 200.1.2.3

[]'s
Márcio

> george roman wrote:
> > hi,
> > i have a small private network and i do not want to
> > give internet access to all the users in the network.
> > for nat, i use the command
> >
> > ipfw add divert natd all from any to any via fxp0
> >
> > what would be the command with which i can restrict
> > access only to certain ip addresses ?
> >
> > i tried this command
> > ipfw add divert natd all from 192.168.1.1/32 to any
> > via fxp0
> >
> > to give access to internet only to the 192.168.1.1 ip
> > but it didn't work
>
> Yes, you are preventing incoming traffic from being nat'ed.
>
> Try using two rules instead:
>
> ipfw add divert natd all from any to any in recv fxp0
> ipfw add divert natd all from 192.168.1.1/32 to any out xmit fxp0
>
> Thomas
>
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>

____________________________________________________
Yahoo! Mail, better all the time: now with 1GB of free space!
http://mail.yahoo.com.br

From owner-freebsd-ipfw@FreeBSD.ORG Fri May 27 17:33:12 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4D3B716A41C for ; Fri, 27 May 2005 17:33:12 +0000 (GMT) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.171]) by mx1.FreeBSD.org (Postfix) with ESMTP id B6FDF43D1D for ; Fri, 27 May 2005 17:33:07 +0000 (GMT) (envelope-from max@love2party.net) Received: from p54A3B641.dip.t-dialin.net [84.163.182.65] (helo=donor.laier.local) by mrelayeu.kundenserver.de with ESMTP (Nemesis), id 0ML25U-1Dbiha0Duj-0003eD; Fri, 27 May 2005 19:32:54 +0200
From: Max Laier To: Richard Tector Date: Fri, 27 May 2005 19:32:42 +0200 User-Agent: KMail/1.8 References: <200505251634.34478.max@love2party.net> <4295B14B.2010302@thekeelecentre.com> In-Reply-To: <4295B14B.2010302@thekeelecentre.com> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart1897485.zv0pCGQFg7"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200505271932.51562.max@love2party.net> X-Provags-ID: kundenserver.de abuse@kundenserver.de login:61c499deaeeba3ba5be80f48ecc83056 Cc: freebsd-ipfw@freebsd.org Subject: Re: [PATCH] ipv4 only rules (test and feedback) X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 27 May 2005 17:33:12 -0000 --nextPart1897485.zv0pCGQFg7 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline

On Thursday 26 May 2005 13:21, Richard Tector wrote:
> Max Laier wrote:
> > With the patch attached you can now do:
> >
> >   ipfw add 100 deny ipv4 from any to any
> > or
> >   ipfw add 100 deny ipv6 from any to any
> >
> > to block IPv4 or IPv6.
>
> How would you, for example, deny all udp traffic over ipv4 but not ipv6?
> Is this possible with ipfw2 as it stands?

  ipfw add 100 deny ipv4 from any to any proto udp

should do the trick, but unfortunately this comes back as:

  100 deny udp from any to any

so I have to fix ipfw show for these cases.  Thanks for bringing this up.
=2D-=20 /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News --nextPart1897485.zv0pCGQFg7 Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (FreeBSD) iD8DBQBCl1nDXyyEoT62BG0RAmwqAJ92beSc5yn4C9NtpWiC3apez3bvcQCcCQta UUWU87uAJZnTYz3hxFxpjwk= =YRwt -----END PGP SIGNATURE----- --nextPart1897485.zv0pCGQFg7-- From owner-freebsd-ipfw@FreeBSD.ORG Fri May 27 19:03:47 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B389216A41C for ; Fri, 27 May 2005 19:03:47 +0000 (GMT) (envelope-from rizzo@icir.org) Received: from xorpc.icir.org (xorpc.icir.org [192.150.187.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8739643D1D for ; Fri, 27 May 2005 19:03:47 +0000 (GMT) (envelope-from rizzo@icir.org) Received: from xorpc.icir.org (localhost [127.0.0.1]) by xorpc.icir.org (8.12.11/8.12.11) with ESMTP id j4RJ3kUp004580; Fri, 27 May 2005 12:03:46 -0700 (PDT) (envelope-from rizzo@xorpc.icir.org) Received: (from rizzo@localhost) by xorpc.icir.org (8.12.11/8.12.3/Submit) id j4RJ3gKQ004579; Fri, 27 May 2005 12:03:42 -0700 (PDT) (envelope-from rizzo) Date: Fri, 27 May 2005 12:03:42 -0700 
From: Luigi Rizzo To: Max Laier Message-ID: <20050527120342.A4538@xorpc.icir.org> References: <200505251634.34478.max@love2party.net> <4295B14B.2010302@thekeelecentre.com> <200505271932.51562.max@love2party.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <200505271932.51562.max@love2party.net>; from max@love2party.net on Fri, May 27, 2005 at 07:32:42PM +0200 Cc: freebsd-ipfw@freebsd.org, Richard Tector Subject: Re: [PATCH] ipv4 only rules (test and feedback) X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 27 May 2005 19:03:47 -0000

remember that ipfw2 lets you pass only those options you need
so something like

	ipfw add deny proto udp ipv4

should work

On Fri, May 27, 2005 at 07:32:42PM +0200, Max Laier wrote:
> On Thursday 26 May 2005 13:21, Richard Tector wrote:
> > Max Laier wrote:
> > > With the patch attached you can now do:
> > >
> > >   ipfw add 100 deny ipv4 from any to any
> > > or
> > >   ipfw add 100 deny ipv6 from any to any
> > >
> > > to block IPv4 or IPv6.
> >
> > How would you, for example, deny all udp traffic over ipv4 but not ipv6?
> > Is this possible with ipfw2 as it stands?
>
>   ipfw add 100 deny ipv4 from any to any proto udp
>
> should do the trick, but unfortunately this comes back as:
>
>   100 deny udp from any to any
>
> so I have to fix ipfw show for these cases.  Thanks for bringing this up.
> > -- > /"\ Best regards, | mlaier@freebsd.org > \ / Max Laier | ICQ #67774661 > X http://pf4freebsd.love2party.net/ | mlaier@EFnet > / \ ASCII Ribbon Campaign | Against HTML Mail and News From owner-freebsd-ipfw@FreeBSD.ORG Sat May 28 18:19:20 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8476416A41C for ; Sat, 28 May 2005 18:19:20 +0000 (GMT) (envelope-from sid@merlin.com.ua) Received: from merlin.com.ua (Merlin.Com.UA [195.66.196.180]) by mx1.FreeBSD.org (Postfix) with ESMTP id 227A843D1D for ; Sat, 28 May 2005 18:19:19 +0000 (GMT) (envelope-from sid@merlin.com.ua) Received: from H55_2.homeinet.loc (localhost [127.0.0.1]) by merlin.com.ua (Postmaster) with ESMTP id D5E0833C024 for ; Sat, 28 May 2005 20:40:18 +0300 (EEST) Date: Sat, 28 May 2005 21:18:41 -0700 
From: sid@merlin.com.ua X-Mailer: The Bat! (v3.0) Professional X-Priority: 3 (Normal) Message-ID: <1193652258.20050528211841@merlin.com.ua> To: freebsd-ipfw@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Subject: home ipfw X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: sid@merlin.com.ua List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 28 May 2005 18:19:20 -0000

hi,

I'm a just-married boy, and I ask my father how to make the best
relation with my wife?  His answer is...

ipfw add allow ip from wife to me
ipfw add allow ip from me to wife
ipfw add prob 0.2 allow tcp from girlfriends talk to wife talk
ipfw add reset tcp from girlfriends talk to wife talk
ipfw add allow tcp from wife to { coworkers or girlfriends } talk,handshake,email,icq
ipfw add allow tcp from { coworkers or girlfriends } to wife talk,handshake,email,icq
ipfw add allow tcp from father talk to me talk
ipfw add allow tcp from me talk to father talk
ipfw add prob 0.2 allow tcp from me 6-11 to girlfriends
ipfw add prob 0.2 allow tcp from girlfriends to me 6-11
ipfw add reset log ip from wife to any
ipfw add reset log ip from any to wife

What does it mean?

sid@merlin