From owner-freebsd-ipfw@FreeBSD.ORG Sun Jul 24 01:02:40 2005
From: John Nielsen
To: freebsd-ipfw@freebsd.org, vladone
Date: Sat, 23 Jul 2005 21:02:16 -0400
Subject: Re: Re[2]: divert to multiple public's IP
Message-Id: <200507232102.16907.lists@jnielsen.net>

On Saturday 23 July 2005 05:25 pm, vladone wrote:
> If I understand correctly, with redirect_address I can forward a given
> public IP (commonly an alias on the public interface) to an internal IP
> (private). I don't know if this is good for what I want.
> A more exact description of what I want:
> My private network is: 192.168.0.0/24
> I have (example) public IPs: 1.1.1.1, 1.1.1.6 and 1.1.1.9
> I want:
> IPs 192.168.0.1-20 out (translated) with 1.1.1.1
> IPs 192.168.0.21-30 out with 1.1.1.6
> and so on.

If you wanted a one-to-one mapping between public and private IPs, then you
could use redirect_address. For what you describe above, though, the best
approach may be to run multiple instances of natd and split up the traffic
with ipfw.

Sample setup--

In /etc/services:

natd 8668
natd2 8669
natd3 8670

In a natd script (I don't think the rc scripts support multiple instances of
natd):

natd -a 1.1.1.1 -p natd
natd -a 1.1.1.6 -p natd2
natd -a 1.1.1.9 -p natd3

And in an ipfw script:

add divert natd3 all from 192.168.0.31,192.168.0.32,192.168.0.33 to any \
    via ${external_interface}
add skipto 10000 all from 192.168.0.31,192.168.0.32,192.168.0.33 to any \
    via ${external_interface}
add divert natd2 all from 192.168.0.21,192.168.0.22,192.168.0.23 to any \
    via ${external_interface}
add skipto 10000 all from 192.168.0.21,192.168.0.22,192.168.0.23 to any \
    via ${external_interface}
add divert natd all from any to any via ${external_interface}
add 10000 allow all from any to any via lo0
...

So you'd give a name to each divert port you want to use in /etc/services
(8668 is already there), run an instance of natd for each external alias, and
use comma-separated lists of IP addresses and skipto's in ipfw to direct the
traffic appropriately. Notice that I made the last one a default rather than
specifying its addresses explicitly. Depending on your needs you may want to
do something similar.
JN

From owner-freebsd-ipfw@FreeBSD.ORG Sun Jul 24 17:33:52 2005
From: John Nielsen
To: freebsd-ipfw@freebsd.org
Cc: vladone
Date: Sun, 24 Jul 2005 13:33:25 -0400
Subject: Re: Re[2]: divert to multiple public's IP
Message-Id: <200507241333.25647.lists@jnielsen.net>
In-Reply-To: <200507232102.16907.lists@jnielsen.net>

On Saturday 23 July 2005 09:02 pm, John Nielsen wrote:
> On Saturday 23 July 2005 05:25 pm, vladone wrote:
> > If I understand correctly, with redirect_address I can forward a given
> > public IP (commonly an alias on the public interface) to an internal IP
> > (private). I don't know if this is good for what I want.
> > A more exact description of what I want:
> > My private network is: 192.168.0.0/24
> > I have (example) public IPs: 1.1.1.1, 1.1.1.6 and 1.1.1.9
> > I want:
> > IPs 192.168.0.1-20 out (translated) with 1.1.1.1
> > IPs 192.168.0.21-30 out with 1.1.1.6
> > and so on.
>
> If you wanted a one-to-one mapping between public and private IPs, then
> you could use redirect_address. For what you describe above, though, the
> best approach may be to run multiple instances of natd and split up the
> traffic with ipfw.
>
> Sample setup--
>
> In /etc/services:
>
> natd 8668
> natd2 8669
> natd3 8670
>
> In a natd script (I don't think the rc scripts support multiple instances
> of natd):
>
> natd -a 1.1.1.1 -p natd
> natd -a 1.1.1.6 -p natd2
> natd -a 1.1.1.9 -p natd3
>
> And in an ipfw script:
>
> add divert natd3 all from 192.168.0.31,192.168.0.32,192.168.0.33 to any \
>     via ${external_interface}
> add skipto 10000 all from 192.168.0.31,192.168.0.32,192.168.0.33 to any \
>     via ${external_interface}
> add divert natd2 all from 192.168.0.21,192.168.0.22,192.168.0.23 to any \
>     via ${external_interface}
> add skipto 10000 all from 192.168.0.21,192.168.0.22,192.168.0.23 to any \
>     via ${external_interface}
> add divert natd all from any to any via ${external_interface}
> add 10000 allow all from any to any via lo0
> ...
>
> So you'd give a name to each divert port you want to use in /etc/services
> (8668 is already there), run an instance of natd for each external alias,
> and use comma-separated lists of IP addresses and skipto's in ipfw to
> direct the traffic appropriately. Notice that I made the last one a
> default rather than specifying its addresses explicitly. Depending on
> your needs you may want to do something similar.

On Sunday 24 July 2005 02:11 am, vladone wrote:
> Thanks John. This is what I want, and it works :)
> Thanks again!!!
It occurred to me you may also need rules for the other direction, a la:

add divert natd3 all from any to 1.1.1.9 via ${external_interface}

Can someone correct me if I'm wrong?

JN
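As an added example (not code from the thread), the script below builds the three pieces John describes, the /etc/services entries, the natd instances and the ipfw rules, from one table, and also emits the inbound rules his follow-up asks about. It uses the addr/masklen{list} range notation ipfw accepts in place of spelled-out address lists; ext_if, allow_rule, nat_table and the function names are assumptions, and the addresses are the ones vladone gave.

```shell
#!/bin/sh
# Added example, not code from the thread: generate the services entries,
# natd invocations and ipfw rules for one natd instance per public alias.
# ext_if, allow_rule, nat_table and the function names are assumptions.

ext_if=fxp0        # stands in for ${external_interface} in the thread
allow_rule=10000   # rule number the per-range skipto lands on

# One entry per natd instance:
#   <private hosts> <public alias> <service name> <divert port>
# Host ranges use ipfw's addr/masklen{list} notation. The "any" entry is the
# default and must stay last, like John's final "divert natd" rule.
nat_table='192.168.0.0/24{21-30} 1.1.1.6 natd2 8669
192.168.0.0/24{31-40} 1.1.1.9 natd3 8670
any 1.1.1.1 natd 8668'

# /etc/services lines: one divert port per instance (8668 is already there).
services_lines() {
    printf '%s\n' "$nat_table" | while read -r hosts alias name port; do
        printf '%s\t%s/divert\n' "$name" "$port"
    done
}

# One natd per public alias, each listening on its own divert port.
natd_commands() {
    printf '%s\n' "$nat_table" | while read -r hosts alias name port; do
        printf 'natd -a %s -p %s\n' "$alias" "$name"
    done
}

# ipfw rules, specific ranges first and the default natd last. After a divert,
# natd hands the packet back and ipfw resumes at the rule following the divert
# with the addresses already rewritten, so the skipto that keeps the packet
# away from the default natd matches the translated address: the public alias
# on the way out, the private range on the way back in.
ipfw_rules() {
    printf '%s\n' "$nat_table" | while read -r hosts alias name port; do
        if [ "$hosts" = any ]; then
            printf 'add divert %s all from any to any via %s\n' "$name" "$ext_if"
        else
            printf 'add divert %s all from %s to any out via %s\n' "$name" "$hosts" "$ext_if"
            printf 'add skipto %s all from %s to any out via %s\n' "$allow_rule" "$alias" "$ext_if"
            printf 'add divert %s all from any to %s in via %s\n' "$name" "$alias" "$ext_if"
            printf 'add skipto %s all from any to %s in via %s\n' "$allow_rule" "$hosts" "$ext_if"
        fi
    done
    # Landing rule for the skiptos; the rest of the ruleset follows it.
    printf 'add %s allow all from any to any via lo0\n' "$allow_rule"
}

# Print all three pieces; on the router the last block would be saved and
# loaded with ipfw(8), e.g. ipfw_rules > /etc/ipfw.nat && ipfw -q /etc/ipfw.nat
services_lines
natd_commands
ipfw_rules
```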
From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 25 11:02:12 2005
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 25 Jul 2005 11:02:11 GMT
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems
S Submitted    Tracker    Resp. Description
-------------------------------------------------------------------------------
o [2005/05/11] bin/80913  ipfw  /sbin/ipfw2 silently discards MAC addr ar

1 problem total.

Non-critical problems
S Submitted    Tracker    Resp. Description
-------------------------------------------------------------------------------
o [2004/10/29] kern/73276 ipfw  ipfw2 vulnerability (parser error)
o [2005/02/01] kern/76971 ipfw  ipfw antispoof incorrectly blocks broadca
o [2005/05/05] kern/80642 ipfw  [patch] IPFW small patch - new RULE OPTIO
o [2005/06/28] kern/82724 ipfw  [patch] Add setnexthop and defaultroute f

4 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 25 11:02:49 2005
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Date: Mon, 25 Jul 2005 11:02:47 GMT
Subject: Current problem reports assigned to you
Current FreeBSD problem reports

Critical problems

Serious problems
S Submitted    Tracker    Resp. Description
-------------------------------------------------------------------------------
o [2003/04/22] kern/51274 ipfw  ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341 ipfw  ipfw rule 'deny icmp from any to any icmp
o [2003/12/11] kern/60154 ipfw  ipfw core (crash)
o [2004/03/03] kern/63724 ipfw  IPFW2 Queues dont t work
f [2004/03/25] kern/64694 ipfw  [ipfw] UID/GID matching in ipfw non-funct
o [2004/11/13] kern/73910 ipfw  [ipfw] serious bug on forwarding of packe
o [2004/11/19] kern/74104 ipfw  ipfw2/1 conflict not detected or reported
f [2004/12/25] i386/75483 ipfw  ipfw count does not count

8 problems total.

Non-critical problems
S Submitted    Tracker    Resp. Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534 ipfw  Add an option to ipfw to log gid/uid of w
o [2002/12/10] kern/46159 ipfw  ipfw dynamic rules lifetime feature
o [2003/02/11] kern/48172 ipfw  ipfw does not log size and flags
o [2003/03/10] kern/49086 ipfw  [patch] Make ipfw2 log to different syslo
o [2003/04/09] bin/50749  ipfw  ipfw2 incorrectly parses ports and port r
o [2003/08/26] kern/55984 ipfw  [patch] time based firewalling support fo
o [2003/12/30] kern/60719 ipfw  ipfw: Headerless fragments generate cryp
o [2004/08/03] kern/69963 ipfw  ipfw: install_state warning about already
o [2004/09/04] kern/71366 ipfw  "ipfw fwd" sometimes rewrites destination

9 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 27 04:00:45 2005
From: "Brad Waite"
To: freebsd-ipfw@freebsd.org
Date: Tue, 26 Jul 2005 21:40:18 -0600 (MDT)
Subject: IPFW + dummynet to lower NNTP traffic priority
Message-ID: <3265.67.176.75.179.1122435618.squirrel@webmail.wcubed.net>

I've been working on a way to keep my outbound NNTP traffic from interfering
with all other traffic.
After reading the ipfw(8) man page and several other resources (including
Luigi Rizzo's page), I thought I had it down:

### Outbound
ipfw pipe 1 config bw 0K
ipfw queue 1 config weight 1 pipe 1
ipfw queue 2 config weight 100 pipe 1
ipfw add 1000 queue 1 all from any to any out dst-port 119 via fxp0
ipfw add 1001 queue 2 all from any to any out via fxp0

### Inbound
ipfw pipe 2 config bw 0K
ipfw queue 3 config weight 1 pipe 2
ipfw queue 4 config weight 100 pipe 2
ipfw add 1000 queue 3 all from [NNTP server IP] to any in via fxp0
ipfw add 1001 queue 4 all from any to any in via fxp0

My thinking here is that both queues (in each direction) will share all
available bandwidth, but any traffic heading out on port 119 or returning
from the news server will be superseded by all other traffic. If there's no
other traffic, NNTP will be able to use all available bandwidth.

It would appear I'm not grasping the concepts. Can anyone tell me what I'm
doing wrong?

Thanks,

Brad Waite

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 27 09:43:57 2005
From: Luigi Rizzo
To: Brad Waite
Date: Wed, 27 Jul 2005 02:43:57 -0700
Message-ID: <20050727024357.A22601@xorpc.icir.org>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: IPFW + dummynet to lower NNTP traffic priority
In-Reply-To: <3265.67.176.75.179.1122435618.squirrel@webmail.wcubed.net>

You must put a non-zero bandwidth on the pipe, otherwise there is no
scheduling (0 means infinite bandwidth). Also, these are weights, not
priorities - even if one of the queues has a very low weight it will still
get some bandwidth proportional to its weight.

cheers
luigi

On Tue, Jul 26, 2005 at 09:40:18PM -0600, Brad Waite wrote:
> I've been working on a way to keep my outbound NNTP traffic from
> interfering with all other traffic. After reading the ipfw(8) man page
> and several other resources (including Luigi Rizzo's page), I thought I
> had it down:
>
> ### Outbound
> ipfw pipe 1 config bw 0K
> ipfw queue 1 config weight 1 pipe 1
> ipfw queue 2 config weight 100 pipe 1
> ipfw add 1000 queue 1 all from any to any out dst-port 119 via fxp0
> ipfw add 1001 queue 2 all from any to any out via fxp0
>
> ### Inbound
> ipfw pipe 2 config bw 0K
> ipfw queue 3 config weight 1 pipe 2
> ipfw queue 4 config weight 100 pipe 2
> ipfw add 1000 queue 3 all from [NNTP server IP] to any in via fxp0
> ipfw add 1001 queue 4 all from any to any in via fxp0
>
> My thinking here is that both queues (in each direction) will share all
> available bandwidth, but any traffic heading out on port 119 or returning
> from the news server will be superseded by all other traffic.
> If there's no other traffic, NNTP will be able to use all available
> bandwidth.
>
> It would appear I'm not grasping the concepts. Can anyone tell me what
> I'm doing wrong?
>
> Thanks,
>
> Brad Waite

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 27 09:47:56 2005
From: Jeremie Le Hen
To: Brad Waite
Cc: freebsd-ipfw@freebsd.org
Date: Wed, 27 Jul 2005 11:48:19 +0200
Subject: Re: IPFW + dummynet to lower NNTP traffic priority
Message-ID: <20050727094819.GR1610@obiwan.tataz.chchile.org>
In-Reply-To: <3265.67.176.75.179.1122435618.squirrel@webmail.wcubed.net>
Hi Brad,

On Tue, Jul 26, 2005 at 09:40:18PM -0600, Brad Waite wrote:
> I've been working on a way to keep my outbound NNTP traffic from
> interfering with all other traffic. After reading the ipfw(8) man page
> and several other resources (including Luigi Rizzo's page), I thought I
> had it down:
>
> ### Outbound
> ipfw pipe 1 config bw 0K
> ipfw queue 1 config weight 1 pipe 1
> ipfw queue 2 config weight 100 pipe 1
> ipfw add 1000 queue 1 all from any to any out dst-port 119 via fxp0
> ipfw add 1001 queue 2 all from any to any out via fxp0
>
> ### Inbound
> ipfw pipe 2 config bw 0K
> ipfw queue 3 config weight 1 pipe 2
> ipfw queue 4 config weight 100 pipe 2
> ipfw add 1000 queue 3 all from [NNTP server IP] to any in via fxp0
> ipfw add 1001 queue 4 all from any to any in via fxp0

The rule numbers are the same for the outbound and inbound paths; this is an
error, I think. I'm not sure about the behaviour of setting the pipe
bandwidth to 0K (furthermore, "K" is not valid in ipfw syntax, and it's very
picky about this, even the case is important IIRC). You should also be
careful if net.inet.ip.fw.one_pass is set to 0: you will have to use skipto
rules.

I advise you to use (values are fictive):

ipfw pipe 1 config bw 123KBytes/s
ipfw queue 100 config weight 1 pipe 1
ipfw queue 101 config weight 100 pipe 1
ipfw add 100 queue 100 all from any to any out dst-port 119 via fxp0
ipfw add 101 queue 101 all from any to any out via fxp0

ipfw pipe 2 config bw 321KBytes/s
ipfw queue 200 config weight 1 pipe 2
ipfw queue 201 config weight 100 pipe 2
ipfw add 200 queue 200 all from [NNTP server IP] to any in via fxp0
ipfw add 201 queue 201 all from any to any in via fxp0

> My thinking here is that both queues (in each direction) will share all
> available bandwidth, but any traffic heading out on port 119 or returning
> from the news server will be superseded by all other traffic.
> If there's no other traffic, NNTP will be able to use all available
> bandwidth.

Note that if you want to use the whole _interface_ bandwidth (100MBits/s),
you can use something like:

ipfw pipe 1 config bw fxp0

> It would appear I'm not grasping the concepts. Can anyone tell me what
> I'm doing wrong?

Nothing really wrong, except the pipe bandwidth.

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jul 28 16:59:48 2005
From: Oliver Fromme
To: freebsd-ipfw@FreeBSD.ORG
Date: Thu, 28 Jul 2005 18:59:46 +0200 (CEST)
Subject: Another bug in IPFW@ ...?
Message-Id: <200507281659.j6SGxkXx059613@lurza.secnetix.de>
Hi,

I have created an IPFW2 rule set on a router (no NAT). In one of the rules I
wanted to pass packets originating from the local host (i.e. non-routed) out
through a specific interface, i.e. packets that have _not_ been received on
some interface.

The manual page ipfw(8) says that "recv any" matches all packets received on
some interface, so the logical conclusion is that "not recv any" would match
packets originating from the host. However, this clause is ignored
completely:

# ipfw add pass ip from $A to $N out not recv any xmit xl0
00900 allow ip from $A to $N out xmit xl0

As you can see, the "not recv any" is ignored. It doesn't show up in
subsequent "ipfw list" output either.

Is this a bug in ipfw? Or is the documentation inaccurate? How do I match
packets like this that originate from the local host, i.e. that don't have a
receive interface? (Note that the source IP might be spoofed, so only
checking the source IP is not a solution.)

Best regards
   Oliver

PS: This is probably not important, but anyway: $A is the local IP address
of the xl0 interface, and $N is the network connected to that interface,
excluding $A. For example:

$A = 101.102.103.1
$N = 101.102.103.0/27{2-30}

PPS: I read the mailing list, so please do not Cc me.

-- 
Oliver Fromme, secnetix GmbH & Co KG, Marktplatz 29, 85567 Grafing
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.
"anyone new to programming should be kept as far from C++ as possible;
actually showing the stuff should be considered a criminal offence"
        -- Jacek Generowicz

From owner-freebsd-ipfw@FreeBSD.ORG Sat Jul 30 00:52:06 2005
From: Kris Kennaway
To: co0lkizz@btinternet.com, kris@FreeBSD.org, ipfw@FreeBSD.org
Date: Sat, 30 Jul 2005 00:52:05 GMT
Subject: Re: kern/64694: [ipfw] UID/GID matching in ipfw non-functional
Message-Id: <200507300052.j6U0q5jX094113@freefall.freebsd.org>

Synopsis: [ipfw] UID/GID matching in ipfw non-functional

State-Changed-From-To: feedback->closed
State-Changed-By: kris
State-Changed-When: Sat Jul 30 00:51:58 GMT 2005
State-Changed-Why:
Feedback timeout

http://www.freebsd.org/cgi/query-pr.cgi?pr=64694