From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 2 00:38:45 2006
From: Dennis Olvany <dennisolvany@gmail.com>
Date: Sun, 01 Jan 2006 18:38:21 -0600
To: freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org
Subject: route selection and ipfw forwarding
Message-ID: <43B875FD.6000102@gmail.com>

Let's say that I wanted to balance upstream traffic across four WAN
links to the same ISP and default gateway using IPFW probabilities.

Can the FreeBSD routing table contain multiple routes to the same
destination?

How would a route be selected and could such a selection be influenced
by IPFW?
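[Editor's example, not part of the thread. The replies that follow describe the approach in prose: ipfw "prob" rules spread new connections over the links, "fwd" pushes each packet at a gateway, and "keep-state"/"check-state" pin every later packet of a connection to the gateway first chosen for it. The generator below emits that rule section for any number of gateways and makes the arithmetic explicit: because rules are tried in order, an equal N-way split needs match probabilities 1/N, 1/(N-1), ..., 1/2 followed by an unconditional last rule, not N copies of 1/N. Gateway addresses, rule numbers and the loading command in the usage comment are assumptions; the functions only print rules.]

```sh
#!/bin/sh
# Added example for this thread (not code from any participant): print the
# ipfw section that spreads NEW outbound connections over several WAN
# gateways with cascading "prob" rules, and pins every later packet of a
# connection to the gateway chosen for it via "fwd ... keep-state" plus
# "check-state".  Gateway addresses, rule numbers and the loading command
# in the usage comment are assumptions; the functions only print rules.

# prob_for_slot N I: match probability for the I-th of N gateways.
# Rules are tried in order, so gateway I only sees packets that the I-1
# earlier prob rules declined.  Giving it 1/(N-I+1) of what is left makes
# every gateway end up with 1/N of new connections (the N-th rule is
# unconditional).  Four links therefore need 0.25, 0.3333, 0.5, always.
prob_for_slot() {
    awk -v n="$1" -v i="$2" 'BEGIN { printf "%.4f\n", 1 / (n - i + 1) }'
}

# gen_wan_rules BASE GW1 [GW2 ...]: print "add ..." lines starting at rule
# number BASE.  The section must only be entered for outbound packets (for
# example "skipto BASE ip from any to any out" from the main ruleset): a
# dynamic rule matches both directions, and letting an inbound reply reach
# check-state would fwd it straight back out to the gateway.  Inbound
# packets are therefore logged and dropped at the top, so a wiring mistake
# fails closed instead of looping traffic.
gen_wan_rules() {
    base=$1; shift
    n=$#
    i=1
    echo "add $base deny log ip from any to any in"
    echo "add $((base + 1)) check-state"
    for gw in "$@"; do
        num=$((base + 10 * i))
        if [ "$i" -lt "$n" ]; then
            echo "add $num prob $(prob_for_slot "$n" "$i") fwd $gw ip from any to any out keep-state"
        else
            # the last gateway takes everything the prob rules passed over
            echo "add $num fwd $gw ip from any to any out keep-state"
        fi
        i=$((i + 1))
    done
    # nothing should fall through the unconditional rule; log it if it does
    echo "add $((base + 10 * n + 1)) deny log ip from any to any out"
}

# Usage (assumed, 192.0.2.x are documentation addresses):
#   gen_wan_rules 8000 192.0.2.1 192.0.2.2 192.0.2.3 192.0.2.4 > /tmp/wan.rules
#   ipfw -q /tmp/wan.rules
```

Caveats a practitioner should check before using this: on the FreeBSD releases of this era fwd needs "options IPFIREWALL_FORWARD" in the kernel. fwd names a next-hop address only; the kernel picks the outgoing interface from its route to that address, so four links need four distinct gateway addresses (as in the two-gateway setup posted later in the thread), and fwd to one shared gateway address cannot steer among four interfaces. The split is per new connection, not per byte, which is why the reply below calls it load sharing rather than balancing. Dynamic rules expire according to the net.inet.ip.fw.dyn_*_lifetime sysctls, after which a long-idle connection is re-hashed and may land on another link and be reset by the peer. With a natd per link, the dynamic rule records the addresses as they were when the keep-state rule matched, so check-state must see packets with the same (pre- or post-translation) addresses or the lookup never matches.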
From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 2 06:44:08 2006
From: G Bryant <bsd@roamingsolutions.net>
Date: Mon, 02 Jan 2006 08:46:48 +0200
To: Dennis Olvany
Cc: freebsd-ipfw@freebsd.org
In-Reply-To: <43B875FD.6000102@gmail.com>
Subject: Re: route selection and ipfw forwarding
Message-ID: <43B8CC58.9020906@roamingsolutions.net>

Dennis Olvany wrote:
> Let's say that I wanted to balance upstream traffic across four WAN
> links to the same ISP and default gateway using IPFW probabilities.
>
> Can the FreeBSD routing table contain multiple routes to the same
> destination?
>
> How would a route be selected and could such a selection be influenced
> by IPFW?

It is possible to do load sharing, but not balancing in the true sense
of the word. You need to use ipfw's FWD rule to forward (push) packets
to the different gateways of the 4 WAN links, but it gets a bit more
complicated from there.

You now also need to keep-state on each of the sessions, and will have
to check-state all established outgoing packets to send them out the
same WAN link as the rest of that session's packets. If you are NATting
first, then you will have to divert via each of the natds and then
check-state.

It's a dirty solution, but I have a working system with 2 WAN links. You
can also use IPFW sets to manage the percentage splits between the links
(or for failover).

Another solution would be to have a second FreeBSD box at the ISP and use
ng_one2many on both sides to distribute the network traffic over the 4
WAN links.

Regards,
Graham

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 2 07:24:24 2006
From: Dennis Olvany <dennisolvany@gmail.com>
Date: Mon, 02 Jan 2006 01:24:00 -0600
To: G Bryant
Cc: freebsd-ipfw@freebsd.org
In-Reply-To: <43B8CC58.9020906@roamingsolutions.net>
Subject: Re: route selection and ipfw forwarding
Message-ID: <43B8D510.2010908@gmail.com>

> It is possible to do load sharing, but not balancing in the true
> sense of the word. You need to use ipfw's FWD rule to forward (push)
> packets to the different gateways of the 4 WAN links, but it gets a
> bit more complicated from there.

To do this using forwarding to four different gateways is simple enough,
but I'm not sure what results to expect by doing this to the same
gateway over four different links. I know of no way to influence the
decision and I am not sure how the routing algorithm would decide to
handle this situation.

> You now also need to keep-state on each of the sessions, and will
> have to check-state all established outgoing packets to send them
> out the same WAN link as the rest of that session's packets.

I understand the importance of source-based routing with respect to
transit, but I'm a bit unclear on how dynamic rules relate to
forwarding. As long as all packets arrive at the destination and are
properly addressed, the host should not care how they got there. I'm not
sure if I know what you mean by session. I can't imagine an IPFW ruleset
that would provide stateful routing.

> It's a dirty solution, but I have a working system with 2 WAN links.
> You can also use IPFW sets to manage the percentage splits between
> the links (or for failover).

Would you mind sharing your ipfw ruleset (ipfw list)?

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 2 09:13:06 2006
From: G Bryant <bsd@roamingsolutions.net>
Date: Mon, 02 Jan 2006 11:15:44 +0200
To: Dennis Olvany, freebsd-ipfw@freebsd.org
In-Reply-To: <43B8D510.2010908@gmail.com>
Subject: Re: route selection and ipfw forwarding
Message-ID: <43B8EF40.7020508@roamingsolutions.net>

Dennis Olvany wrote:
>> It is possible to do load sharing, but not balancing in the true
>> sense of the word. You need to use ipfw's FWD rule to forward (push)
>> packets to the different gateways of the 4 WAN links, but it gets a
>> bit more complicated from there.
>
> To do this using forwarding to four different gateways is simple
> enough, but I'm not sure what results to expect by doing this to the
> same gateway over four different links. I know of no way to influence
> the decision and I am not sure how the routing algorithm would decide
> to handle this situation.
>
>> You now also need to keep-state on each of the sessions, and will
>> have to check-state all established outgoing packets to send them
>> out the same WAN link as the rest of that session's packets.
>
> I understand the importance of source-based routing with respect to
> transit, but I'm a bit unclear on how dynamic rules relate to
> forwarding. As long as all packets arrive at the destination and are
> properly addressed, the host should not care how they got there. I'm
> not sure if I know what you mean by session. I can't imagine an IPFW
> ruleset that would provide stateful routing.
>
>> It's a dirty solution, but I have a working system with 2 WAN links.
>> You can also use IPFW sets to manage the percentage splits between
>> the links (or for failover).
>
> Would you mind sharing your ipfw ruleset (ipfw list)?

My setup has 2 different external IPs with different gateways. With the
different external IPs, the destination host will reject packets coming
from the "wrong" IP as they will not match the current TCP session.

I also have web, ftp, email and vpn servers hosted on the inside which
complicates matters. There's also a proxy server and bandwidth
management for outgoing connections.

What does your setup look like?

[Attachment: ipfw.ruleset]

#!/bin/sh
################ Start of IPFW rules file ###############################
# Flush out the list before we begin.
ipfw -q -f flush

# Temporary rules so an ssh session survives while the ruleset loads;
# they are deleted again at the end of the file.
ipfw -q add 10 allow tcp from any to me 22 in
ipfw -q add 12 allow tcp from me 22 to any out

# Set rules command prefix
cmd="ipfw -q add"
bwm="ipfw -q pipe"
skip="skipto 8000"
ext_if1="rl0"               # public interface name of NIC
ext_if2="rl0"
int_if="vr0"                # private interface name of NIC
ext_ip1="196.yy.yy.yy"
ext_ip2="196.xx.xx.xx"
ext_gw1="196.yy.yy.1"
ext_gw2="196.xx.xx.1"
lan="192.168.1.0/24"

# Setup the different Sets to be used for different connection options
ipfw -q set disable 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
# Initially only enable set 1 (and 2 and 12 when we have 2 WAN links)
ipfw -q set enable 1 2 5 10

# Specify which ip addresses get what bandwidth
# Can also tell this dhcp server to give certain addresses to selected mac
# addresses in file /usr/local/etc/dhcpd.conf
u512k="192.168.10.2"            # Users given 512kb/s link
u256k="192.168.1.0/24{2-254}"   # Users given 256kb/s link
u128k="192.168.10.2"            # Users given 128kb/s link
u64k="192.168.10.2"             # Users given 64kb/s link (default from dhcp)

#################################################################
# Check and drop packets that are appearing to come from
# the destination LAN i.e. a spoofed source ip address
$cmd 100 deny ip from any to any not antispoof in

#################################################################
# No restrictions on Loopback Interface
# Protect spoofing to localhost
$cmd allow ip from any to any via lo0
$cmd deny ip from any to 127.0.0.0/8
$cmd deny ip from 127.0.0.0/8 to any

################################################################
# Divert incoming http and ftp traffic to the proxy (squid and jftpgw)
$cmd set 5 fwd 192.168.1.1,3128 tcp from $lan to any 80 in via $int_if
#$cmd fwd 192.168.1.1,2370 tcp from $lan to any 21 via $int_if

#################################################################
# Allow the rest of the LAN traffic in and out
$cmd allow ip from any to any via $int_if

#################################################################
# Incoming traffic from internet - jump to incoming section
$cmd skipto 4000 ip from any to me in

################################################################
############## Bandwidth Management ############################
# Setup up pipes for each of the user groups
# Users with 512Kb / 256Kb access (out)
$cmd pipe 11 ip from $u512k to any out via $ext_if1
$bwm 11 config mask src-ip 0x000000ff bw 256Kbit/s queue 3KBytes
# Users with 256Kb / 128Kb access
$cmd pipe 21 ip from $u256k to any out via $ext_if1
$bwm 21 config mask src-ip 0x000000ff bw 128Kbit/s queue 3KBytes
# Users with 128Kb / 64Kb access
$cmd pipe 31 ip from $u128k to any out via $ext_if1
$bwm 31 config mask src-ip 0x000000ff bw 64Kbit/s queue 3KBytes
# Users with 64Kb / 56Kb access
$cmd pipe 41 ip from $u64k to any out via $ext_if1
$bwm 41 config mask src-ip 0x000000ff bw 56Kbit/s queue 12KBytes

#################################################################
# Interface facing Public Internet (Outbound Section)
#################################################################
# Deny outgoing windows connections
$cmd deny tcp from $lan to any 137,445 out
$cmd deny tcp from $lan 137,445 to any out

# Allow out access to my ISP's Domain name server.
# Get the IP addresses from /etc/resolv.conf file
#$cmd $skip udp from any to { 196.7.0.138 or 196.28.86.2 or 196.28.86.3 or 196.25.1.1 } 53 out
$cmd $skip udp from any to any 53 out

# Allow this box out access to my ISP's DHCP server (or adsl router)
# to get its network configuration settings (IP, DNS, etc).
$cmd $skip udp from me to any 67 out

# Allow skype connections out
# Allow ntp time server out
$cmd $skip udp from any to any 80,443,123,1024-65535 out
$cmd $skip udp from any 80,443,1024-65535 to any out
$cmd $skip tcp from any 1024-65535 to any 1024-65535 out

# Allow me to reach local routers from this box (tunneled via ssh)
$cmd allow tcp from me to 192.168.0.0/16 80 out

# Allow out www, ftp from me or from proxy out
$cmd $skip tcp from me to any 20,21,80 out

# Natting because of the 2 outgoing lines
# Allow out secure www function https over TLS SSL
# Allow out send & get email function (GMail uses ports 587, 995)
# Allow out MSN messenger
# Allow out Time, nntp news (i.e. news groups),
# SSH (secure FTP, Telnet, and SCP), whois
$cmd $skip tcp from any to any 443,25,110,587,995,1863,6891-6901,37,119,22,43 out

# Allow out regular ftp access (not via proxy)
$cmd $skip tcp from any to any 20,21,80 out

# Allow out ping
$cmd $skip icmp from $lan to any out icmptypes 3,8
$cmd allow icmp from me to any out icmptypes 3,8
$cmd allow icmp from me to 192.168.0.0/16 out

# Allow external ssh connection back out
$cmd $skip tcp from me 22 to any out
# Allow external web traffic from internal servers back out
$cmd $skip tcp from 192.168.1.8,192.168.1.2 80,443 to any out
# Allow external mail traffic from internal servers back out
$cmd $skip tcp from 192.168.1.3 25,110 to any out
# Allow external ftp, vpn connection traffic from internal servers back out
$cmd $skip tcp from 192.168.1.9 20,21,1723 to any out
$cmd $skip gre from 192.168.1.9 to any out
# Allow external remote desktop back out
$cmd $skip tcp from 192.168.1.2 3389 to any out

# temp allow 137
#$cmd $skip ip from any to any 137 out
#$cmd $skip ip from any 137 to any out

# Allow out FreeBSD (make install & CVSUP) functions
# Give user root "GOD" privileges.
$cmd allow ip from me to any out uid root

# Deny the rest out
$cmd deny log ip from any to any out

#################################################################
# Interface facing Public Internet (Inbound Section)
# Interrogate packets originating from the public Internet
# destined for this gateway server or the private network.
#################################################################
# check if packet is inbound and nat address if it is
# Double-nat traffic for incoming connections to determine which WAN connection
# it is coming from so as to send it out the same WAN link.
$cmd 4000 divert natd1 ip from any to $ext_ip1 80,443,20,21,25,110,3389 in
$cmd 4000 divert natd2 ip from any to $ext_ip2 80,443,20,21,25,110,3389 in
$cmd 4100 divert natd1 ip from any to $ext_ip1 in
$cmd 4100 divert natd2 ip from any to $ext_ip2 in
$cmd 4150 set 6 count log gre from any to any in
$cmd 4160 set 6 count log ip from any to any 1723 in

################################################################
############## Bandwidth Management ############################
# Users with 512Kb / 256Kb access (in)
$cmd 4200 pipe 10 ip from any to $u512k in via $ext_if1
$bwm 10 config mask dst-ip 0x000000ff bw 512Kbit/s queue 4KBytes
# Users with 256Kb / 128Kb access
$cmd pipe 20 ip from any to $u256k in via $ext_if1
$bwm 20 config mask dst-ip 0x000000ff bw 256Kbit/s queue 4KBytes
# Users with 128Kb / 64Kb access
$cmd pipe 30 ip from any to $u128k in via $ext_if1
$bwm 30 config mask dst-ip 0x000000ff bw 128Kbit/s queue 4KBytes
# Users with 64Kb / 56Kb access
$cmd pipe 40 ip from any to $u64k in via $ext_if1
$bwm 40 config mask dst-ip 0x000000ff bw 64Kbit/s queue 14KBytes

# Deny all inbound traffic from non-routable reserved address spaces:
#   172.16.0.0/12, 10.0.0.0/8   RFC 1918 private IP
#   0.0.0.0/8                   "this" network
#   169.254.0.0/16              DHCP auto-config
#   192.0.2.0/24                reserved for docs
#   204.152.64.0/23             Sun cluster
#   224.0.0.0/3                 Class D & E multicast
#$cmd 300 deny all from 192.168.0.0/16 to any in via $ext_if1   # RFC 1918 private IP
$cmd deny all from 172.16.0.0/12,10.0.0.0/8,0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,204.152.64.0/23,224.0.0.0/3 to any in

# Deny RIP (Router protocol) packets
$cmd deny udp from any to any 520 in

# Deny ident
# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd deny all from any to any 113,137,138,139,81 in
#$cmd deny all from any to any 113,138,139,81 in
#$cmd allow all from any to any 137 in
#$cmd allow all from any 137 to any in

# Allow traffic in from ISP's DHCP server. This rule must contain
# the IP address of your ISP's DHCP server as it's the only
# authorized source to send this packet type.
$cmd allow udp from $ext_gw1,$ext_gw2 to any 68,1900,5678 in

# Allow dns lookups back in
$cmd allow udp from any 53,67 to $lan in
$cmd allow udp from any 53,67 to me in

# Allow skype connections in
$cmd allow udp from any 80,123,443,1024-65535 to $lan in
$cmd allow udp from any to $lan 80,443,1024-65535 in
# Deny the rest of udp
$cmd deny log udp from any to any in

$cmd allow tcp from any 1024-65535 to $lan 1024-65535 in

# Allow in standard www function because I have Apache server - or is there an internal webserver?
# Allow Webmin connections from close-by
$cmd allow tcp from { 192.168.8.0/24 or 192.168.0.0/24 } to me 10000,80 in
#$cmd allow tcp from any to 192.168.1.8,192.168.1.9,192.168.1.2 80,443 in

# Allow outgoing ftp, web traffic (via proxy) back in
$cmd allow tcp from any 80 to me in
# Allow in regular ftp, http access if proxy is off
$cmd allow tcp from any 20,21,80 to $lan in

# Allow in secure www function https over TLS SSL
# Allow in send & get email function (GMail uses ports 587, 995)
# Allow in MSN messenger
# Allow in Time, nntp news (i.e. news groups),
# SSH (secure FTP, Telnet, and SCP), whois
# NB: this rule (like the three above it) matches on the remote *source*
# port only, so any peer that picks one of these source ports is let in.
$cmd allow tcp from any 443,25,110,587,995,1863,6891-6901,37,119,22,43 to any in

# Allow external web traffic in to internal servers
$cmd allow tcp from any to 192.168.1.8,192.168.1.2 80,443 in
# Allow external mail traffic in to internal servers
$cmd allow tcp from any to 192.168.1.3 25,110 in
# Allow external ftp, vpn connection traffic in to internal servers
$cmd allow tcp from any to 192.168.1.9 20,21,1723 in
$cmd allow gre from any to 192.168.1.9 in

# Allow in secure FTP, Telnet, and SCP from public Internet
$cmd allow tcp from { 192.168.0.0/24 or $lan or 192.168.8.0/24 } to me 22 in setup limit src-addr 3
$cmd allow tcp from any to me 22 in setup limit src-addr 2

# Deny the rest to me
$cmd deny log tcp from any to me in

# Allow in ICMP (ping) from public networks close by only.
$cmd allow icmp from 196.7.0.138,196.25.1.1,196.4.160.7 to me in icmptypes 0,3,11
$cmd allow icmp from any to $lan in icmptypes 0,3,11
$cmd allow icmp from any to me in icmptypes 0,3,11
$cmd allow icmp from 192.168.0.0/16 to me in
# Deny the rest icmp
$cmd deny icmp from any to any in

# Reject & Log all unauthorized incoming connections from the public Internet (/var/log/security)
$cmd deny log all from any to any in

### *********************************************************
# This is the skipto location for outbound (stateful) rules
$cmd 8000 skipto 9000 tcp from any to any out setup
$cmd 8010 skipto 8900 tcp from 192.168.1.2,192.168.1.3,192.168.1.8,192.168.1.9 20,21,25,80,110,443,1723,3389 to any out
$cmd 8020 skipto 8900 udp from 192.168.1.9 1723 to any out
$cmd 8030 skipto 9000 udp from any to any out
$cmd 8040 skipto 9000 icmp from any to any out
$cmd 8050 skipto 8600 tcp from $ext_ip1,$ext_ip2 22 to any out
$cmd 8100 tee natd2 ip from any to any out
$cmd 8200 skipto 8400 ip from $ext_ip2 to any out
$cmd 8300 divert natd1 ip from any to any out
# Packets of a connection already pinned to a link by the keep-state
# rules at 9300/9600 take that rule's fwd action here.
$cmd 8400 check-state
$cmd 8500 fwd $ext_gw1 gre from $ext_ip1 to any out
$cmd 8500 fwd $ext_gw2 gre from $ext_ip2 to any out
$cmd 8600 fwd $ext_gw1 tcp from $ext_ip1 22 to any out
$cmd 8600 fwd $ext_gw2 tcp from $ext_ip2 22 to any out
$cmd 8700 deny ip from any to any out

# Replies from internal servers to external requests
$cmd 8900 tee natd1 ip from any 1723 to any out
$cmd 8902 skipto 8960 ip from $ext_ip1 1723 to any out
$cmd 8904 divert natd2 ip from any 1723 to any out
$cmd 8906 skipto 8990 ip from $ext_ip2 1723 to any out
$cmd 8910 divert natd1 ip from any to any out
$cmd 8920 skipto 8950 ip from $ext_ip1 8025,8011,8086,8087,8020,8021,3390 to any out
$cmd 8930 skipto 8980 ip from $ext_ip1 8026,8012,8088,8089,8022,8023,3391 to any out
$cmd 8940 deny log ip from any to any out
$cmd 8950 divert natd1 ip from any to any out
$cmd 8960 fwd $ext_gw1 ip from $ext_ip1 to any out
$cmd 8970 deny log ip from any to any out
$cmd 8980 divert natd2 ip from any to any out
$cmd 8990 fwd $ext_gw2 ip from $ext_ip2 to any out
$cmd 8999 deny log ip from any to any out

# skipto location for new outgoing connections
# One set is enabled at a time.  Every set pins mail from 192.168.1.3 to
# link 2 (9500) and https/MSN/udp to link 1 (9200); the last rule of each
# set decides the remaining traffic: set 10 = link 1 only, set 20 = link 2
# only, sets 12..18 = 20%..80% of new connections to link 2 (prob), the
# rest falling through to link 1.  Rules share number 9000, so ipfw keeps
# them in the order they are added here.
for s in 10 12 13 14 15 16 17 18 20; do
    $cmd 9000 set $s skipto 9500 tcp from 192.168.1.3 to any 25,110 out
    $cmd 9000 set $s skipto 9200 tcp from any to any 443,1863 out
    $cmd 9000 set $s skipto 9200 udp from any to any 80,443,1024-65535 out
    $cmd 9000 set $s skipto 9200 udp from any 80,443,1024-65535 to any out
    case $s in
        10) $cmd 9000 set $s skipto 9200 ip from any to any out ;;
        20) $cmd 9000 set $s skipto 9500 ip from any to any out ;;
        *)  $cmd 9000 set $s prob 0.$((s - 10)) skipto 9500 ip from any to any out ;;
    esac
done

# testing diginet line out
#$cmd 9000 set 25 skipto 9500 tcp from any to ongers.net out
$cmd 9000 set 25 skipto 9500 tcp from 192.168.1.3 to any 25,110 out

$cmd 9200 set 1 divert natd1 ip from any to any out
$cmd 9300 set 1 fwd $ext_gw1 ip from any to any out keep-state
$cmd 9500 set 2 divert natd2 ip from any to any out
$cmd 9600 set 2 fwd $ext_gw2 ip from any to any out keep-state

# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 9999 deny log all from any to any

ipfw -q delete 10
ipfw -q delete 12
################ End of IPFW rules file ###############################

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 2 10:59:20 2006
From: budsz <budiyt@gmail.com>
Date: Mon, 2 Jan 2006 17:59:19 +0700
Message-ID: <4d4dc3640601020259k770175d4l5b07343e185a0b2c@mail.gmail.com>
To: freebsd-ipfw@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline Subject: Need help for dummynet X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 02 Jan 2006 10:59:20 -0000 Hi, I hope you give me some advice or explaination about Dummynet. I've googling/experiment for three a month to get the right answer how to use WF2Q+ with Dummynet. I've a small internet cafe and after 4 years using FreeBSD+Dummynet with hardlink limiting policy. Here for WF2Q+ implementation in my internet cafe: In /etc/rc.firewall look like: # IP Address variable ip_cl_01=3D"192.168.0.1/32" ip_cl_10=3D"192.168.0.10/32" ip_cl_11=3D"192.168.0.11/32" ip_cl_12=3D"192.168.0.12/32" ip_cl_13=3D"192.168.0.13/32" ip_cl_14=3D"192.168.0.14/32" ip_cl_50=3D"192.168.0.50/32" # Bandwidth variable bw_share=3D"152Kbit/s" ${fwcmd} add 104 queue 1 ip from ${ip_cl_01} to any via ${eth_1} ${fwcmd} add 105 queue 1 ip from any to ${ip_cl_01} via ${eth_1} ${fwcmd} add 106 queue 2 ip from ${ip_cl_10} to any via ${eth_1} ${fwcmd} add 107 queue 2 ip from any to ${ip_cl_10} via ${eth_1} ${fwcmd} add 108 queue 3 ip from ${ip_cl_11} to any via ${eth_1} ${fwcmd} add 109 queue 3 ip from any to ${ip_cl_11} via ${eth_1} ${fwcmd} add 110 queue 4 ip from ${ip_cl_12} to any via ${eth_1} ${fwcmd} add 111 queue 4 ip from any to ${ip_cl_12} via ${eth_1} ${fwcmd} add 112 queue 5 ip from ${ip_cl_13} to any via ${eth_1} ${fwcmd} add 113 queue 5 ip from any to ${ip_cl_13} via ${eth_1} ${fwcmd} add 114 queue 6 ip from ${ip_cl_14} to any via ${eth_1} ${fwcmd} add 115 queue 6 ip from any to ${ip_cl_14} via ${eth_1} ${fwcmd} add 116 queue 7 ip from ${ip_cl_50} to any via ${eth_1} ${fwcmd} add 117 queue 7 ip from any to ${ip_cl_50} via ${eth_1} ${fwcmd} queue 1 config pipe 3 
weight 3 mask all ${fwcmd} queue 2 config pipe 3 weight 3 mask all ${fwcmd} queue 3 config pipe 3 weight 3 mask all ${fwcmd} queue 4 config pipe 3 weight 3 mask all ${fwcmd} queue 5 config pipe 3 weight 3 mask all ${fwcmd} queue 6 config pipe 3 weight 3 mask all ${fwcmd} queue 7 config pipe 3 weight 1 mask all ${fwcmd} pipe 3 config bw ${bw_share} With that rule I want to limit every client (IN/OUT) with ratio: for ex: client-01 =3D> 3/19 * 152 Kbit/s =3D 24 Kbit/s client-10 =3D> 3/19 * 153 Kbit/s =3D 24 Kbit/s etc.. I assume all of my client already active using internet. But sometime "client-11" always get 100 Kbit/s. Does my rule is OK? if not, would you give me example the right rule for this situation, of couse with clarification (step by step). FYI, I use FreeBSD 4.10-RELEASE & FreeBSD 4.11-STABLE. Thanks You. -- budsz From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 2 11:02:46 2006 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 89E4F16A420 for ; Mon, 2 Jan 2006 11:02:46 +0000 (GMT) (envelope-from owner-bugmaster@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id A2C1943D78 for ; Mon, 2 Jan 2006 11:02:40 +0000 (GMT) (envelope-from owner-bugmaster@freebsd.org) Received: from freefall.freebsd.org (peter@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k02B2dd4037540 for ; Mon, 2 Jan 2006 11:02:39 GMT (envelope-from owner-bugmaster@freebsd.org) Received: (from peter@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k02B2bqh037534 for freebsd-ipfw@freebsd.org; Mon, 2 Jan 2006 11:02:37 GMT (envelope-from owner-bugmaster@freebsd.org) Date: Mon, 2 Jan 2006 11:02:37 GMT Message-Id: <200601021102.k02B2bqh037534@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: peter set sender to 
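An added illustration, not part of budsz's post and not dummynet's own code: a small Python model of how a WF2Q+ pipe is split between dummynet queues. It makes two things visible that the configuration above hides. First, the weight ratio only applies among queues that currently have packets waiting; WF2Q+ is work-conserving, so an idle client's share is handed to the others. Second, `mask all` keys the dynamic queue on every header field, so each distinct flow gets its own queue with the configured weight, and a client with ten concurrent connections competes with ten queues of weight 3. The client labels, the flow counts and the "client-11 with ten flows" scenario are constructed for the example.

```python
from fractions import Fraction

PIPE_KBIT = 152  # pipe 3 bandwidth from the posted rc.firewall

# Static weights from the posted 'queue N config pipe 3 weight W' lines;
# the client labels follow the rule comments (constructed mapping).
QUEUE_WEIGHT = {
    "client-01": 3, "client-10": 3, "client-11": 3, "client-12": 3,
    "client-13": 3, "client-14": 3, "client-50": 1,
}


def wf2q_share(weights, backlogged, pipe_kbit=PIPE_KBIT):
    """Kbit/s each queue receives from the pipe under WF2Q+.

    The scheduler is work-conserving: the pipe is divided only among the
    queues that currently have packets waiting, in proportion to their
    weights. An idle queue gets nothing and its share goes to the rest.
    Fractions keep the arithmetic exact, so 3/19 * 152 comes out as 24.
    """
    total = sum(weights[q] for q in backlogged)
    if total == 0:
        return {q: Fraction(0) for q in weights}
    return {
        q: Fraction(weights[q] * pipe_kbit, total) if q in backlogged else Fraction(0)
        for q in weights
    }


def effective_weights(weights, flows_per_queue):
    """Weight a client really competes with when its queue uses 'mask all'.

    'mask all' creates one dynamic queue per distinct flow (src/dst address,
    ports, protocol), each carrying the configured weight, so a client with
    n concurrent flows is scheduled as if it had weight * n.
    """
    return {q: weights[q] * flows_per_queue.get(q, 0) for q in weights}


def scenario(flows_per_queue):
    """Share per client in Kbit/s (rounded) for a given number of active
    flows per client; a client with zero flows is idle."""
    ew = effective_weights(QUEUE_WEIGHT, flows_per_queue)
    active = {q for q, w in ew.items() if w > 0}
    return {q: round(float(s), 2) for q, s in wf2q_share(ew, active).items()}


if __name__ == "__main__":
    # Every client busy with exactly one flow: the 3/19 and 1/19 split the
    # post expects (24 Kbit/s per weight-3 client, 8 Kbit/s for client-50).
    print(scenario({q: 1 for q in QUEUE_WEIGHT}))
    # Same, but client-11 runs ten parallel downloads: under 'mask all' it
    # now holds 10 queues of weight 3 against 5 x 3 + 1 for everyone else,
    # i.e. 30/46 of the pipe, roughly 99 Kbit/s.
    print(scenario({**{q: 1 for q in QUEUE_WEIGHT}, "client-11": 10}))
    # Only client-11 active: a work-conserving scheduler gives it the lot.
    print(scenario({"client-11": 1}))
```

The second scenario is the one to compare with an observed 100 Kbit/s for a single client: per-client weights only hold when the mask collapses all of a client's flows into one queue (for example `mask dst-ip 0xffffffff` on the inbound queue), whereas `mask all` rewards whoever opens the most connections.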
From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 2 11:02:46 2006
Message-Id: <200601021102.k02B2bqh037534@freefall.freebsd.org>
Date: Mon, 2 Jan 2006 11:02:37 GMT
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems
S Submitted     Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2003/04/22]  kern/51274  ipfw  [ipfw] [patch] ipfw2 create dynamic rules
f [2003/04/24]  kern/51341  ipfw  [ipfw] [patch] ipfw rule 'deny icmp from
o [2004/03/03]  kern/63724  ipfw  [ipfw] IPFW2 Queues dont t work
o [2004/11/13]  kern/73910  ipfw  [ipfw] serious bug on forwarding of packe
o [2004/11/19]  kern/74104  ipfw  [ipfw] ipfw2/1 conflict not detected or r
o [2005/03/13]  conf/78762  ipfw  [ipfw] [patch] /etc/rc.d/ipfw should exce
o [2005/05/11]  bin/80913   ipfw  [patch] /sbin/ipfw2 silently discards MAC
o [2005/11/08]  kern/88659  ipfw  [modules] ipfw and ip6fw do not work prop
o [2005/11/08]  kern/88664  ipfw  [ipfw] ipfw stateful firewalling broken w

9 problems total.

Non-critical problems
S Submitted     Tracker     Resp. Description
-------------------------------------------------------------------------------
a [2001/04/13]  kern/26534  ipfw  [ipfw] Add an option to ipfw to log gid/u
o [2002/12/10]  kern/46159  ipfw  [ipfw] [patch] ipfw dynamic rules lifetim
o [2003/02/11]  kern/48172  ipfw  [ipfw] [patch] ipfw does not log size and
o [2003/03/10]  kern/49086  ipfw  [ipfw] [patch] Make ipfw2 log to differen
o [2003/04/09]  bin/50749   ipfw  [ipfw] [patch] ipfw2 incorrectly parses p
o [2003/08/26]  kern/55984  ipfw  [ipfw] [patch] time based firewalling sup
o [2003/12/30]  kern/60719  ipfw  [ipfw] Headerless fragments generate cryp
o [2004/08/03]  kern/69963  ipfw  [ipfw] install_state warning about alread
o [2004/09/04]  kern/71366  ipfw  [ipfw] "ipfw fwd" sometimes rewrites dest
o [2004/10/22]  kern/72987  ipfw  [ipfw] ipfw/dummynet pipe/queue 'queue [B
o [2004/10/29]  kern/73276  ipfw  [ipfw] [patch] ipfw2 vulnerability (parse
o [2005/02/01]  kern/76971  ipfw  [ipfw] ipfw antispoof incorrectly blocks
o [2005/03/13]  bin/78785   ipfw  [ipfw] [patch] ipfw verbosity locks machi
o [2005/05/05]  kern/80642  ipfw  [ipfw] [patch] ipfw small patch - new RUL
o [2005/06/28]  kern/82724  ipfw  [ipfw] [patch] Add setnexthop and default
o [2005/10/05]  kern/86957  ipfw  [ipfw] [patch] ipfw mac logging
o [2005/10/07]  kern/87032  ipfw  [ipfw] [patch] ipfw ioctl interface imple

17 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 2 12:20:21 2006
Message-Id: <200601021020.14349.asstec@matik.com.br>
Date: Mon, 2 Jan 2006 10:20:14 -0200
From: AT Matik
Organization: Infomatik
To: freebsd-ipfw@freebsd.org
In-Reply-To: <43B8EF40.7020508@roamingsolutions.net>
Subject: Re: route selection and ipfw forwarding

On Monday 02 January 2006 07:15, G Bryant wrote:
> # Users with 512Kb / 256Kb access (in)
> $cmd 4200 pipe 10 ip from any to $u512k in via $ext_if1
> $bwm 10 config mask dst-ip 0x000000ff bw 512Kbit/s queue 4KBytes
> # Users with 256Kb / 128Kb access
> $cmd pipe 20 ip from any to $u256k in via $ext_if1

I was wondering how you pipe RFC 1918 addresses on the outside of a natd router for incoming traffic.

João

This message has been scanned by the e-mail system and can be considered safe.
Service provided by Datacenter Matik https://datacenter.matik.com.br

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 2 12:48:18 2006
Message-ID: <43B921A9.7070109@roamingsolutions.net>
Date: Mon, 02 Jan 2006 14:50:49 +0200
From: G Bryant
To: AT Matik
Cc: freebsd-ipfw@freebsd.org
In-Reply-To: <200601021020.14349.asstec@matik.com.br>
Subject: Re: route selection and ipfw forwarding

AT Matik wrote:
> On Monday 02 January 2006 07:15, G Bryant wrote:
>> # Users with 512Kb / 256Kb access (in)
>> $cmd 4200 pipe 10 ip from any to $u512k in via $ext_if1
>> $bwm 10 config mask dst-ip 0x000000ff bw 512Kbit/s queue 4KBytes
>> # Users with 256Kb / 128Kb access
>> $cmd pipe 20 ip from any to $u256k in via $ext_if1
>
> I was wondering how you pipe RFC 1918 addresses on the outside of a natd router for incoming traffic.
>
> João

My external interface is connected to a DSL modem which also NATs.

Gray

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 2 13:10:17 2006
Message-ID: <43B926CC.6080101@roamingsolutions.net>
Date: Mon, 02 Jan 2006 15:12:44 +0200
From: G Bryant
To: AT Matik, freebsd-ipfw@freebsd.org
In-Reply-To: <43B921A9.7070109@roamingsolutions.net>
Subject: Re: route selection and ipfw forwarding

AT Matik wrote:
> On Monday 02 January 2006 07:15, G Bryant wrote:
>> # Users with 512Kb / 256Kb access (in)
>> $cmd 4200 pipe 10 ip from any to $u512k in via $ext_if1
>> $bwm 10 config mask dst-ip 0x000000ff bw 512Kbit/s queue 4KBytes
>> # Users with 256Kb / 128Kb access
>> $cmd pipe 20 ip from any to $u256k in via $ext_if1
>
> I was wondering how you pipe RFC 1918 addresses on the outside of a natd router for incoming traffic.
>
> João

> My external interface is connected to a DSL modem which also NATs.
> Gray

Let me explain more clearly:

I used the different groups (e.g. $u512k) to split the internal IP range into IP groups that get different bandwidth according to personal preference or whatever.
Currently it is not being used, as the whole range is being covered by the $u256k group, i.e. I gave everyone 256k bandwidth.
So yes - those rules are currently senseless.

Gray

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 2 13:21:59 2006
Message-Id: <200601021121.49433.asstec@matik.com.br>
Date: Mon, 2 Jan 2006 11:21:49 -0200
From: AT Matik
Organization: Infomatik
To: freebsd-ipfw@freebsd.org
In-Reply-To: <43B926CC.6080101@roamingsolutions.net>
Subject: Re: route selection and ipfw forwarding

On Monday 02 January 2006 11:12, G Bryant wrote:
> I used the different groups (e.g. $u512k) to split the internal IP range
> into IP groups that get different bandwidth according to personal
> preference or whatever.
> Currently it is not being used, as the whole range is being covered by
> the $u256k group, i.e. I gave everyone 256k bandwidth.
> So yes - those rules are currently senseless.

None of your bw rules are having any effect, because the related IPs do not exist on your external/outside interface of the server. You divert them, so any of the internal IPs is represented by the IP of the natd IF/address (outside IP). So if you do bw control for inside IPs, you must do it on the inside interface.

João

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 2 13:37:03 2006
Message-ID: <43B92D07.9010203@roamingsolutions.net>
Date: Mon, 02 Jan 2006 15:39:19 +0200
From: G Bryant
To: AT Matik, freebsd-ipfw@freebsd.org
In-Reply-To: <200601021121.49433.asstec@matik.com.br>
Subject: Re: route selection and ipfw forwarding

AT Matik wrote:
> On Monday 02 January 2006 11:12, G Bryant wrote:
>> I used the different groups (e.g. $u512k) to split the internal IP range
>> into IP groups that get different bandwidth according to personal
>> preference or whatever.
>> Currently it is not being used, as the whole range is being covered by
>> the $u256k group, i.e. I gave everyone 256k bandwidth.
>> So yes - those rules are currently senseless.
>
> None of your bw rules are having any effect, because the related IPs do not exist on your external/outside interface of the server. You divert them, so any of the internal IPs is represented by the IP of the natd IF/address (outside IP). So if you do bw control for inside IPs, you must do it on the inside interface.
>
> João

Thank you for your input, but this setup is currently working correctly.

This is a bit off the original topic though.
Do you have any specific questions I can help you with?
From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 2 14:33:17 2006
Message-Id: <200601021233.03377.asstec@matik.com.br>
Date: Mon, 2 Jan 2006 12:33:03 -0200
From: AT Matik
Organization: Infomatik
To: G Bryant
Cc: freebsd-ipfw@freebsd.org
In-Reply-To: <43B92D07.9010203@roamingsolutions.net>
Subject: Re: route selection and ipfw forwarding

On Monday 02 January 2006 11:39, G Bryant wrote:
> Thank you for your input, but this setup is currently working correctly.

How do you do it? With make buildwonderworld? :)

> This is a bit off the original topic though.
> Do you have any specific questions I can help you with?

Your whole ruleset probably does not work; you only get traffic in and out for other reasons.

Your clients are able to get traffic because you certainly only deny traffic from nonexistent IPs. So first you permit any on the inside interface, then you divert, then you do not deny any traffic on the outside for the IP it really comes from, and skip and skip, but do not limit anything other than nonexistent traffic.

So probably you only get counters on your rules 8960 and 8990.

João

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 2 18:51:55 2006
Message-ID: <43B97627.5020501@gmail.com>
Date: Mon, 02 Jan 2006 12:51:19 -0600
From: Dennis Olvany
To: G Bryant
Cc: freebsd-ipfw@freebsd.org
In-Reply-To: <43B8EF40.7020508@roamingsolutions.net>
Subject: Re: route selection and ipfw forwarding

> What does your setup look like?

Don't have a setup, yet. In lieu of such complexity, I may abandon the notion.

> ################ Start of IPFW rules file ###############################
> ################ End of IPFW rules file ###############################

That ruleset is seriously complex and it's especially difficult to decipher in script form. Any idea of the possibility of doing a reverse proxy-only lsnat?
From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 2 22:28:41 2006
Message-ID: <43B9A9AB.20001@roamingsolutions.net>
Date: Tue, 03 Jan 2006 00:31:07 +0200
From: G Bryant
To: Dennis Olvany
Cc: freebsd-ipfw@freebsd.org
In-Reply-To: <43B97627.5020501@gmail.com>
Subject: Re: route selection and ipfw forwarding

Dennis Olvany wrote:
>> What does your setup look like?
>
> Don't have a setup, yet. In lieu of such complexity, I may abandon the notion.
>
>> ################ Start of IPFW rules file ###############################
>> ################ End of IPFW rules file ###############################
>
> That ruleset is seriously complex and it's especially difficult to decipher in script form. Any idea of the possibility of doing a reverse proxy-only lsnat?

Here is a very simple version of the rules with no internal (LAN) servers, no proxy and no bandwidth management. Hope this is more understandable.

Regards,
Gray

[attachment: ipfw_simple.ruleset]

#!/bin/sh
################ Start of IPFW rules file ###############################
# Flush out the list before we begin.
ipfw -q -f flush
ipfw -q add 10 allow tcp from any to me 22 in
ipfw -q add 12 allow tcp from me 22 to any out
# Set rules command prefix
cmd="ipfw -q add"
bwm="ipfw -q pipe"
skip="skipto 8000"
ext_if1="rl0" # public interface name of NIC
ext_if2="rl0"
int_if="vr0" # private interface name of NIC
ext_ip1="196.yy.yy.yy"
ext_ip2="196.xx.xx.xx"
ext_gw1="196.yy.yy.1"
ext_gw2="196.xx.xx.1"
lan="192.168.1.0/24"
# Setup the different Sets to be used for different connection options
ipfw -q set disable 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
# Initially only enable set 1 and 2 and 10 when we have 2 WAN links
ipfw -q set enable 1 2 10
#################################################################
# Deny spoofed packets
$cmd 100 deny ip from any to any not antispoof in
#################################################################
# No restrictions on Loopback Interface
# Protect spoofing to localhost
$cmd allow ip from any to any via lo0
$cmd deny ip from any to 127.0.0.0/8
$cmd deny ip from 127.0.0.0/8 to any
################################################################
# Allow the rest of the LAN traffic in and out
$cmd allow ip from any to any via $int_if
#################################################################
# Incoming traffic from internet - jump to incoming section
$cmd skipto 4000 ip from any to me in
#################################################################
# Interface facing Public Internet (Outbound Section)
#################################################################
# Deny outgoing windows connections (and whatever else you want to deny)
$cmd deny tcp from $lan to any 137,445 out
$cmd deny tcp from $lan 137,445 to any out
# Allow the rest out
$cmd $skip ip from $lan to any out
# Allow connections from me back out
$cmd $skip ip from me to any out
$cmd deny log ip from any to any out
#################################################################
# Interface facing Public Internet (Inbound Section)
# Interrogate packets originating from the public Internet
# destined for this gateway server or the private network.
#################################################################
# NAT inbound traffic
$cmd 4000 divert natd1 ip from any to $ext_ip1 in
$cmd 4000 divert natd2 ip from any to $ext_ip2 in
# Deny all inbound traffic from non-routable reserved address spaces
#$cmd 300 deny all from 192.168.0.0/16 to any in via $ext_if1 #RFC 1918 private IP
$cmd deny all from 172.16.0.0/12,10.0.0.0/8,0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,204.152.64.0/23,224.0.0.0/3 to any in
#RFC 1918 private IP
#RFC 1918 private IP
#DHCP auto-config
#reserved for docs
#Sun cluster
#Class D & E multicast
# Deny ident
# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd deny all from any to any 113,137,138,139,81 in
# Allow the rest of the traffic to the lan in
$cmd allow ip from any to $lan in
# Allow the rest of the traffic to me in
$cmd allow ip from any to me in
# Deny the rest to me
$cmd deny log ip from any to any in
###############################################################
# This is skipto location for outbound (stateful) rules
$cmd 8000 skipto 9000 tcp from any to any out setup
$cmd 8030 skipto 9000 udp from any to any out
$cmd 8040 skipto 9000 icmp from any to any out
$cmd 8050 skipto 8600 tcp from $ext_ip1,$ext_ip2 22 to any out
$cmd 8100 tee natd2 ip from any to any out
$cmd 8200 skipto 8400 ip from $ext_ip2 to any out
$cmd 8300 divert natd1 ip from any to any out
$cmd 8400 check-state
$cmd 8600 fwd $ext_gw1 tcp from $ext_ip1 22 to any out
$cmd 8600 fwd $ext_gw2 tcp from $ext_ip2 22 to any out
$cmd 8700 deny ip from any to any out
# skipto location for new outgoing connections
$cmd 9000 skipto 9500 tcp from 192.168.1.3 to any 25,110 out
$cmd 9000 skipto 9200 tcp from any to any 443,1863 out
$cmd 9000 skipto 9200 udp from any to any 80,443,1024-65535 out
$cmd 9000 skipto 9200 udp from any 80,443,1024-65535 to any out
$cmd 9000 set 10 skipto 9200 ip from any to any out
$cmd 9000 set 12 prob 0.2 skipto 9500 ip from any to any out
$cmd 9000 set 13 prob 0.3 skipto 9500 ip from any to any out
$cmd 9000 set 14 prob 0.4 skipto 9500 ip from any to any out
$cmd 9000 set 15 prob 0.5 skipto 9500 ip from any to any out
$cmd 9000 set 16 prob 0.6 skipto 9500 ip from any to any out
$cmd 9000 set 17 prob 0.7 skipto 9500 ip from any to any out
$cmd 9000 set 18 prob 0.8 skipto 9500 ip from any to any out
$cmd 9000 set 20 skipto 9500 ip from any to any out
$cmd 9200 set 1 divert natd1 ip from any to any out
$cmd 9300 set 1 fwd $ext_gw1 ip from any to any out keep-state
$cmd 9500 set 2 divert natd2 ip from any to any out
$cmd 9600 set 2 fwd $ext_gw2 ip from any to any out keep-state
# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 9999 deny log all from any to any
ipfw -q delete 10
ipfw -q delete 12
################ End of IPFW rules file ###############################
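An added example, not code from the thread and not part of ipfw: a Python model of the chain of `prob ... skipto` rules in the 9000 block of the ruleset above. With set 10 disabled and one of sets 12 to 18 enabled, that set's probability is the fraction of new connections sent to 9500 (link 2); everything the prob rule does not take falls through to 9200 (link 1). The model also goes beyond the two-link case on the page: because each prob rule only sees the traffic the earlier rules did not take, balancing N links evenly needs probabilities 1/N, 1/(N-1), ..., 1/2 on successive rules, not 1/N on every rule. The link count and the simulated connection counts are constructed inputs; ipfw evaluates `prob` per packet, and the ruleset above only sends a TCP connection's `setup` packet through rule 8000 to the 9000 block and handles the rest with keep-state/check-state, which is why the model counts connections rather than packets.

```python
import random


def expected_shares(probs):
    """Fraction of new connections that reach each exit of a chain of ipfw
    'prob P skipto ...' rules followed by one unconditional rule.

    Rule k is only evaluated by packets that none of the earlier prob rules
    matched, so its absolute share is P_k times whatever is still left.
    The last element is the fall-through share of the unconditional rule.
    """
    shares, remaining = [], 1.0
    for p in probs:
        shares.append(remaining * p)
        remaining *= 1.0 - p
    shares.append(remaining)
    return shares


def equal_share_probs(n_links):
    """'prob' values for the n_links - 1 sequential rules that spread new
    connections evenly over n_links exits: 1/n, 1/(n-1), ..., 1/2.
    The final link needs no prob rule; it is the unconditional skipto."""
    return [1.0 / (n_links - k) for k in range(n_links - 1)]


def pick_link(probs, rng):
    """Walk the chain the way ipfw does for one packet: each prob rule
    matches with its own probability, and a packet that no prob rule took
    ends on the final link (index len(probs))."""
    for link, p in enumerate(probs):
        if rng.random() < p:
            return link
    return len(probs)


def simulate(probs, n_conn, seed=1):
    """Connections per link after n_conn simulated first packets
    (constructed input; the seed makes the run reproducible)."""
    rng = random.Random(seed)
    counts = [0] * (len(probs) + 1)
    for _ in range(n_conn):
        counts[pick_link(probs, rng)] += 1
    return counts


if __name__ == "__main__":
    # Set 13 enabled (prob 0.3 skipto 9500) with set 10 disabled:
    # 30 % of new connections go to link 2, 70 % fall through to 9200.
    print(expected_shares([0.3]))
    # Four links with a naive 'prob 0.25' on every rule: the last link
    # ends up with more than 42 % of the connections.
    print(expected_shares([0.25] * 3))
    # Four links balanced evenly: 1/4, 1/3, 1/2, then the unconditional rule.
    print(equal_share_probs(4))
    print(expected_shares(equal_share_probs(4)))
    print(simulate(equal_share_probs(4), 100_000))
```

The same arithmetic applies to the single `prob .5 skipto` rule of a two-gateway setup: with two exits the first rule's probability is the whole story, and the mistake only shows up once a third link is added.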
h=received:message-id:date:from:user-agent:x-accept-language:mime-version:to:subject:x-enigmail-version:openpgp:content-type:content-transfer-encoding; b=m8MhyAvczHFltCQhUL/Uap0UTCUJFattafR0+AdZaxktzu4Mer5cm9l09kSt1hfw0BO34XVebb+BuvpqY6bYzstq/ajFDgHiSDEujDDfjZICHEy4duN6cdDOO0lWtG8UjxdBO7J1zEXJk2fIUPdMPusfU4sl9KOIFav48lYo2h8= Received: by 10.54.72.15 with SMTP id u15mr1857832wra; Tue, 03 Jan 2006 15:42:26 -0800 (PST) Received: from ?192.168.10.2? ( [67.102.60.210]) by mx.gmail.com with ESMTP id 28sm2545102wrl.2006.01.03.15.42.25; Tue, 03 Jan 2006 15:42:26 -0800 (PST) Message-ID: <43BB0BC6.3070409@gmail.com> Date: Tue, 03 Jan 2006 17:41:58 -0600 From: Dennis Olvany User-Agent: Mozilla Thunderbird 1.0.7 (X11/20051129) X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org X-Enigmail-Version: 0.93.0.0 OpenPGP: id=D71A85AB Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Cc: Subject: Client Load Balancing: LSNAT-router using IPFW and NATD on FreeBSD 6.0 X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Jan 2006 23:42:29 -0000 Client Load Balancing: LSNAT-router using IPFW and NATD on FreeBSD 6.0 The Internet gateways must reside in different logical networks for this configuration to work. 1. Compile Custom Kernel options IPFIREWALL options IPFIREWALL_FORWARD options IPDIVERT options IPFIREWALL_FORWARD_EXTENDED 2. Configure System (/etc/rc.conf) firewall_enable="yes" firewall_type="/etc/ipfw.rules" ifconfig_ste0="195.16.87.38/29" ifconfig_ste0_alias0="192.168.102.62/24" ifconfig_fxp0="192.168.10.1/24" defaultrouter="192.168.102.1" gateway_enable="yes" natd_enable="yes" natd_flags="-f /etc/natd.conf" 3. 
Configure NATD (/etc/natd.conf) instance default alias_address 192.168.102.62 instance other alias_address 195.16.87.38 port 8669 globalport 9000 4. Configure IPFW (/etc/ipfw.rules) -f flush add skipto 20000 ip from any to 192.168.102.62 in via ste0 add skipto 30000 ip from any to 195.16.87.38 in via ste0 add divert 9000 ip from any to any out via ste0 add skipto 40000 ip from { 192.168.102.62 or 195.16.87.38 } to any out via ste0 add prob .5 skipto 20000 ip from any to any out via ste0 add skipto 30000 ip from any to any out via ste0 add skipto 40000 ip from any to any add 20000 divert natd ip from any to any add skipto 40000 ip from any to any add 30000 divert 8669 ip from any to any add skipto 40000 ip from any to any add 40000 check-state add deny ip from 192.168.10.0/24 to any via ste0 add allow ip from me to me via lo0 keep-state add deny ip from me to any in add allow ip from 195.16.87.38 to { me or 195.16.87.32/29 or 192.168.102.0/24 or 192.168.10.0/24 } keep-state add forward 195.16.87.33 ip from 195.16.87.38 to any keep-state add allow ip from me to any keep-state add deny ip from me to any add allow icmp from any to me icmptypes 3,4,8,11 keep-state add deny ip from any to me add allow ip from 192.168.10.0/24 to any keep-state add deny ip from 192.168.10.0/24 to any add allow icmp from any to 192.168.10.0/24 icmptypes 3,4,11 keep-state add deny ip from any to 192.168.10.0/24 From owner-freebsd-ipfw@FreeBSD.ORG Sat Jan 7 04:49:57 2006 Return-Path: X-Original-To: freebsd-ipfw@hub.freebsd.org Delivered-To: freebsd-ipfw@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 50ED516A41F; Sat, 7 Jan 2006 04:49:57 +0000 (GMT) (envelope-from linimon@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 00A5943D46; Sat, 7 Jan 2006 04:49:56 +0000 (GMT) (envelope-from linimon@FreeBSD.org) Received: from 
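The following is an added worked example and is not part of the post above nor the poster's code. It models just the part of that ruleset which decides where a packet goes: the divert to natd's global port (9000), the "skipto 40000" for packets that came back already translated, the "prob .5 skipto 20000" coin toss for new flows, and the two inbound skipto rules keyed on the destination alias address. Rule numbers, the alias addresses and the 50/50 split are taken from the post; the packet tuples, the alias-port allocation, the remote address 198.51.100.10 and the random seed are constructed for the simulation. The model assumes what the post's rule order relies on: a packet diverted to the global port is translated only if one of the instances already has an entry for that flow, and is otherwise handed back unchanged.

```python
"""Rule-walk model of the two-instance natd load balancer from the post.

Added example, not code from the original post. It shows why a flow stays
on one natd instance (and one public address) once the coin toss has picked
it: the global-port divert finds the existing translation before the prob
rule runs again.  All packet data below is constructed.
"""
import random

LAN_PREFIX = "192.168.10."
ALIAS = {"default": "192.168.102.62", "other": "195.16.87.38"}  # from the post


class Natd:
    """Two natd instances, each with its own alias table (flow -> alias port)."""

    def __init__(self):
        self.tables = {name: {} for name in ALIAS}
        self.next_port = 20000  # constructed; natd's actual port choice is irrelevant here

    def translate_out(self, instance, pkt):
        """rule 20000 'divert natd' / rule 30000 'divert 8669': translate by one instance."""
        table = self.tables[instance]
        if pkt["flow"] not in table:
            table[pkt["flow"]] = self.next_port
            self.next_port += 1
        return dict(pkt, src=ALIAS[instance], sport=table[pkt["flow"]], instance=instance)

    def global_out(self, pkt):
        """'divert 9000' (globalport): translate only if some instance already knows the flow."""
        for instance, table in self.tables.items():
            if pkt["flow"] in table:
                return self.translate_out(instance, pkt)
        return pkt  # unknown flow: passed back unchanged so the prob rule picks an instance

    def translate_in(self, instance, pkt):
        """Inbound: map (alias address, alias port) back to the LAN host, or None if unknown."""
        if pkt["dst"] != ALIAS[instance]:
            return None
        for flow, aport in self.tables[instance].items():
            if aport == pkt["dport"]:
                src, sport, _dst, _dport = flow
                return dict(pkt, dst=src, dport=sport, instance=instance)
        return None


def outbound(natd, pkt, rng, use_global=True):
    """Rule walk for a LAN packet leaving via ste0; returns the translated packet."""
    if use_global:
        pkt = natd.global_out(pkt)                 # add divert 9000 ip from any to any out via ste0
    if pkt["src"] in ALIAS.values():
        return pkt                                 # add skipto 40000 ip from { aliases } to any out via ste0
    if rng.random() < 0.5:
        return natd.translate_out("default", pkt)  # add prob .5 skipto 20000 ... -> divert natd
    return natd.translate_out("other", pkt)        # add skipto 30000 ...         -> divert 8669


def inbound(natd, pkt):
    """Rule walk for a packet arriving on ste0: the destination alias selects the instance."""
    for instance, alias in ALIAS.items():          # add skipto 20000 ... to 192.168.102.62 in via ste0
        if pkt["dst"] == alias:                    # add skipto 30000 ... to 195.16.87.38 in via ste0
            return natd.translate_in(instance, pkt)
    return None


def simulate(n_flows=200, packets_per_flow=3, seed=1, use_global=True):
    """Send several packets per flow plus a reply to each.  Returns the per-instance
    split of flows and whether every packet of each flow left through the same
    instance and every reply was mapped back to the originating LAN host."""
    rng = random.Random(seed)
    natd = Natd()
    split = {name: 0 for name in ALIAS}
    consistent = True
    for i in range(n_flows):
        # constructed flow: LAN host -> 198.51.100.10:80 (documentation address)
        flow = (LAN_PREFIX + str(2 + i % 250), 1024 + i, "198.51.100.10", 80)
        instances = set()
        for _ in range(packets_per_flow):
            pkt = {"flow": flow, "src": flow[0], "sport": flow[1], "dst": flow[2], "dport": flow[3]}
            out = outbound(natd, pkt, rng, use_global)
            instances.add(out["instance"])
            reply = {"src": flow[2], "sport": flow[3], "dst": out["src"], "dport": out["sport"]}
            back = inbound(natd, reply)
            if back is None or (back["dst"], back["dport"]) != (flow[0], flow[1]):
                consistent = False
        if len(instances) != 1:
            consistent = False
        split[out["instance"]] += 1
    return split, consistent


if __name__ == "__main__":
    print("with divert 9000:", simulate())
    print("without divert 9000:", simulate(use_global=False))
```

In the model, `simulate()` reports a roughly even split and `consistent == True`; `simulate(use_global=False)` drops the global-port divert, so later packets of a flow are re-tossed and can leave through the other instance with a different source address, which is what breaks the session. The stickiness therefore comes from the natd global lookup, not from the `check-state` / `keep-state` rules at 40000 and below, which in the post's ruleset only see traffic after it has been translated.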
From owner-freebsd-ipfw@FreeBSD.ORG Sat Jan 7 04:49:57 2006
From: Mark Linimon
Date: Sat, 7 Jan 2006 04:49:56 GMT
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Subject: Re: bin/91245: [patch] ipfw(8) sometimes treat ipv6 input as ipv4
Message-Id: <200601070449.k074nuJZ054617@freefall.freebsd.org>

Synopsis: [patch] ipfw(8) sometimes treat ipv6 input as ipv4

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: linimon
Responsible-Changed-When: Sat Jan 7 04:49:31 UTC 2006
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=91245
