From: Julian Elischer <julian@freebsd.org>
To: Don Lewis, freebsd-ipfw@freebsd.org
Subject: Re: ipfw dummynet vs. kernel NAT and firewall rules
Date: Thu, 10 Mar 2016 12:29:23 -0800
Message-ID: <56E1D923.6060405@freebsd.org>
In-Reply-To: <201603091733.u29HX05o011028@gw.catspoiler.org>
References: <201603091733.u29HX05o011028@gw.catspoiler.org>
List-Id: IPFW Technical Discussions <freebsd-ipfw@freebsd.org>

On 9/03/2016 9:32 AM, Don Lewis wrote:
> I'm trying to add FQ-CoDel AQM to my FreeBSD 10 firewall box using this
> patch: , but I'm running into a problem that I think is caused by an
> interaction between in-kernel NAT and dummynet. I've set up two dummynet
> pipe/sched/queue instances using example 3.3a from this document with
> the appropriate bandwidths, but otherwise default tunings, to shape both
> inbound and outbound traffic. My inside network is a /24 and I have an
> external /29 (ext/29) network that I don't want to rate limit. My
> outside network interface is re0. I'm using the /etc/rc.firewall
> "simple" firewall configuration.
>
> The problem that I'm having crops up when I actually try to add the
> firewall rules to select the traffic that I want to rate limit. The
> first rule in the list is:
>
> 100 allow ip from any to any via lo0
>
> The second rule is numbered 200 and is the first anti-spoofing rule. If
> I add *either* of these two rules, then I'm no longer able to
> communicate between hosts on my internal network and the rest of the
> world:
>
> ipfw add 110 queue 1 ip from not ext/29 to any in recv re0
> ipfw add 120 queue 2 ip from any to not ext/29 out xmit re0
>
> It seems like the inbound rule should be early in the rule list so that
> any inbound traffic that gets dropped by the firewall rules gets counted
> even if it is dropped by later rules. It also seems like the outbound
> rule needs to be before any allow rules, since an allow rule would skip
> the remaining rules and would not count that traffic. Unfortunately the
> ipfw documentation doesn't really describe the interaction between
> dummynet, NAT, and other firewall rules.
>
> Unfortunately this is a live system, so it is difficult to do controlled
> experiments and look at the ipfw counters to see where things might be
> going into the weeds ...

OK, so you need to do what I always tell people: split your rules into
separate incoming and outgoing rule sets. So your first rule should be:

skipto 10000 all from any to any in

and have separate sets of rules for incoming and outgoing packets. Then
you should always set one_pass to 0 and expect your packets to come back
to the firewall at the next number.
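The layout Julian describes, written out as a complete rule set. This is an added example, not a rule set posted in the thread or shipped with FreeBSD: the interface name re0 and the ext/29 prefix follow the thread, but the actual prefixes, bandwidths, rule numbers and the plain pipe/queue configuration (stock dummynet, not the FQ-CoDel patch's scheduler syntax) are assumptions chosen for illustration. The script only prints the ipfw commands unless invoked with "apply", so it can be inspected on any machine; the queue rules sit before the allow rules in each direction so that shaped traffic is counted even if a later rule drops it, and one_pass=0 makes a packet re-enter the rule list at the next rule after a queue or nat action instead of being accepted on the spot.

```shell
#!/bin/sh
# ipfw rule set split into an outbound section (below 10000) and an inbound
# section (10000 and up) by an early skipto.  Added example; every address,
# bandwidth and rule number below is an assumption for illustration.
#
# Usage:  sh ipfw-split.sh          # print the commands
#         sh ipfw-split.sh apply    # run them (FreeBSD, as root)

OIF="re0"                  # outside interface, as in the thread
INSIDE="192.168.1.0/24"    # assumed inside /24 (NATed)
EXT="198.51.100.0/29"      # assumed external /29, routed, never shaped
DOWN_BW="50Mbit/s"         # assumed link rates
UP_BW="10Mbit/s"

gen_ruleset() {
  cat <<EOF
# After a queue (dummynet) or nat action the packet comes back into the
# firewall at the next rule number instead of being accepted immediately.
sysctl net.inet.ip.fw.one_pass=0

ipfw -q flush
ipfw -q pipe flush
ipfw -q queue flush
ipfw -q nat 1 config if $OIF

ipfw pipe 1 config bw $DOWN_BW
ipfw pipe 2 config bw $UP_BW
ipfw queue 1 config pipe 1
ipfw queue 2 config pipe 2

# --- common: loopback, then split by direction ---
ipfw add 100 allow ip from any to any via lo0
# Every inbound packet jumps to the inbound section; no rule between
# 200 and 9999 is ever evaluated for inbound traffic.
ipfw add 200 skipto 10000 ip from any to any in

# --- outbound section (300-9999): shape, then NAT, then policy ---
# Shape first so every outbound packet is counted before any allow rule.
ipfw add 1000 queue 2 ip from any to not $EXT out xmit $OIF
# one_pass=0 brings the packet back here after the queue.
ipfw add 1100 nat 1 ip from $INSIDE to any out xmit $OIF
ipfw add 1900 allow ip from any to any out

# --- inbound section (10000+): shape, then un-NAT, then policy ---
ipfw add 10000 queue 1 ip from not $EXT to any in recv $OIF
# one_pass=0 brings the packet back here after the queue; nat translates
# replies for $INSIDE and the packet continues to the rules below.
ipfw add 10100 nat 1 ip from any to any in recv $OIF
# Anti-spoof: the inside prefix must never arrive on the outside interface.
ipfw add 10200 deny ip from $INSIDE to any in recv $OIF
# Placeholder for the real inbound policy (e.g. the /etc/rc.firewall
# "simple" rules); this illustration allows the remainder.
ipfw add 10900 allow ip from any to any in

ipfw add 65000 deny ip from any to any
EOF
}

case "${1:-print}" in
  apply) gen_ruleset | sh ;;
  *)     gen_ruleset ;;
esac
```

Read back with `ipfw -a list` after applying; the packet counters on rules 1000 and 10000 should grow with all shaped traffic, and the counters on 1100 and 10100 confirm that packets really do return from the queue to the nat rule rather than being accepted straight out of dummynet.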