Date: Mon, 23 May 2005 19:15:54 -0300
From: Carlos Alloatti <calloatti@gmail.com>
To: "ovidiue@unixware.ro" <ovidiue@unixware.ro>
Cc: freebsd-isp@freebsd.org
Subject: Re: best sollution (and also simple) to guarantee a bandwidth (Was: Welcome to the "freebsd-isp" mailing list)
Message-ID: <1b6c15ea050523151530909e76@mail.gmail.com>
In-Reply-To: <1116865694.4292049e6947e@webmail.unixware.ro>
References: <1116855501.4291dccd7125b@webmail.unixware.ro> <NHBBKEEMKJDINKDJBJHGAECEIOAD.john@day-light.com> <1b6c15ea050523090619f8c2f9@mail.gmail.com> <1116865694.4292049e6947e@webmail.unixware.ro>
On 5/23/05, ovidiue@unixware.ro <ovidiue@unixware.ro> wrote:
> Quoting Carlos Alloatti <calloatti@gmail.com>:
>
> > I have just done that, I set up FreeBSD with 2 network cards, bridge,
> > ipfw and dummynet. It works without a glitch, has been up for 20 days.
> >
> > You have to set up pipes and queues in ipfw rules
> >
>
> How many users do you have? Can you send me the config files?
>

rl0 connects to Internet, rl1 connects to LAN

/etc/rc.conf

hostname="bridge.local"
network_interfaces="rl0 rl1 lo0"
ifconfig_rl1="inet xxx.xxx.xxx.xxx netmask 255.255.255.0"
defaultrouter="xxx.xxx.xxx.1"
#required for ipfw support
firewall_enable="YES"
firewall_type="/etc/rc.firewall.rules"
firewall_quiet="NO"
firewall_logging="YES"

/etc/resolv.conf

domain local
nameserver xxx.xxx.xxx.xxx
nameserver yyy.yyy.yyy.yyy

/etc/hosts

127.0.0.1 localhost.local localhost
xxx.xxx.xxx.xxx bridge.local bridge

/etc/sysctl.conf

net.link.ether.bridge.config=rl0:1,rl1:1
net.link.ether.bridge.enable=1
# Controls whether bridged packets are passed to ipfw
net.link.ether.bridge.ipfw=1
# Delta between rule numbers when auto-generating them
net.inet.ip.fw.autoinc_step=10
# Bridged packets are accepted after the first pass through the firewall
# irrespective of the setting of the sysctl variable
net.inet.ip.fw.one_pass=1
# Lazily delete dynamic pipes/queue once they have no pending traffic
net.inet.ip.dummynet.expire=1
kern.polling.enable=1
net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=5
# The blackhole sysctl(8) MIB is used to control system behaviour when
# connection requests are received on TCP or UDP ports where there is no
# socket listening.
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1

/etc/rc.firewall.rules

# UPload pipe
pipe 1 config bw 128Kbits/s queue 10 gred 0.002/5/15/0.10
# DNload pipe
pipe 2 config bw 320Kbits/s queue 15 gred 0.002/5/15/0.10
# 64Kbits pipe
pipe 3 config bw 64Kbits/s queue 5 gred 0.002/5/15/0.10

# *** queues ***
# Upload queues pipe 1
queue 01101 config weight 50 buckets 128 pipe 1 mask src-ip 0xffffffff queue 10 gred 0.002/5/15/0.10
queue 01102 config weight 30 buckets 128 pipe 1 mask src-ip 0xffffffff queue 10 gred 0.002/5/15/0.10
queue 01103 config weight 15 buckets 128 pipe 1 mask src-ip 0xffffffff queue 5 gred 0.002/5/15/0.10
queue 01104 config weight 04 buckets 128 pipe 1 mask src-ip 0xffffffff queue 5 gred 0.002/5/15/0.10
queue 01199 config weight 01 buckets 128 pipe 1 mask src-ip 0xffffffff queue 5 gred 0.002/5/15/0.10
# Download queues pipe 2
queue 02201 config weight 40 buckets 128 pipe 2 mask dst-ip 0xffffffff queue 10 gred 0.002/5/15/0.10
queue 02202 config weight 35 buckets 128 pipe 2 mask dst-ip 0xffffffff queue 10 gred 0.002/5/15/0.10
queue 02203 config weight 20 buckets 128 pipe 2 mask dst-ip 0xffffffff queue 5 gred 0.002/5/15/0.10
queue 02299 config weight 05 buckets 128 pipe 2 mask dst-ip 0xffffffff queue 5 gred 0.002/5/15/0.10
# 64Kbits queues pipe 3
queue 03101 config weight 10 buckets 128 pipe 3 mask src-ip 0xffffffff queue 5 gred 0.002/5/15/0.10
queue 03201 config weight 90 buckets 128 pipe 3 mask dst-ip 0xffffffff queue 5 gred 0.002/5/15/0.10

# *** firewall ***
# loopback
add 01000 pass all from any to any via lo0
add 01010 deny all from any to 127.0.0.0/8
add 01020 deny ip from 127.0.0.0/8 to any
# Disabled IP addresses
#add 00011 deny ip from xxx.xxx.xxx.xxx to any
# Deny ip inbound traffic from non-routable reserved address spaces
add 02000 deny ip from 192.168.0.0/16 to any // RFC 1918 private IP
add 02010 deny ip from 172.16.0.0/12 to any // RFC 1918 private IP
add 02020 deny ip from 10.0.0.0/8 to any // RFC 1918 private IP
add 02030 deny ip from 0.0.0.0/8 to any // loopback
add 02040 deny ip from 169.254.0.0/16 to any // DHCP auto-config
add 02050 deny ip from 192.0.2.0/24 to any // reserved for docs
add 02060 deny ip from 204.152.64.0/23 to any // Sun cluster interconnect
add 02070 deny ip from 224.0.0.0/3 to any // Class D & E multicast
add 02200 deny ip from any to 192.168.0.0/16 // RFC 1918 private IP
add 02210 deny ip from any to 172.16.0.0/12 // RFC 1918 private IP
add 02220 deny ip from any to 10.0.0.0/8 // RFC 1918 private IP
add 02230 deny ip from any to 0.0.0.0/8 // loopback
add 02240 deny ip from any to 169.254.0.0/16 // DHCP auto-config
add 02250 deny ip from any to 192.0.2.0/24 // reserved for docs
add 02260 deny ip from any to 204.152.64.0/23 // Sun cluster interconnect
add 02270 deny ip from any to 224.0.0.0/3 // Class D & E multicast
add 03000 deny icmp from any to me icmptypes 8 in via rl0 // deny pings from outside to bridge
add 03010 deny ip from any to me dst-port 22 in via rl0 // deny SSH from outside to bridge
add 03020 deny ip from any to me dst-port 113 in via rl0 // deny ident from outside to bridge
add 03030 deny ip from any to me dst-port 10000 in via rl0 // deny webmin from outside to bridge
add 03200 deny ip from any to any frag in // Deny any late arriving packets
add 04000 deny ip from any to any dst-port 67 // Bootstrap Protocol Server (DHCP)
add 04010 deny ip from any to any dst-port 68 // Bootstrap Protocol Server (DHCP)
add 04020 deny ip from any to any dst-port 42 // Host Name Server (Wins) MS/Windows
add 04030 deny ip from any to any dst-port 135 // DCOM Service Control Manager MS/Windows
add 04040 deny ip from any to any dst-port 137 // NetBIOS Name Service MS/Windows
add 04050 deny ip from any to any dst-port 138 // NetBIOS Datagram Service MS/Windows
add 04060 deny ip from any to any dst-port 139 // NETBIOS Session Service MS/Windows
add 04070 deny ip from any to any dst-port 445 // Microsoft Directory Services MS/Windows
add 04200 deny ip from any to any src-port 67 // Bootstrap Protocol Server (DHCP)
add 04210 deny ip from any to any src-port 68 // Bootstrap Protocol Server (DHCP)
add 04220 deny ip from any to any src-port 42 // Host Name Server (Wins) MS/Windows
add 04230 deny ip from any to any src-port 135 // DCOM Service Control Manager MS/Windows
add 04240 deny ip from any to any src-port 137 // NetBIOS Name Service MS/Windows
add 04250 deny ip from any to any src-port 138 // NetBIOS Datagram Service MS/Windows
add 04260 deny ip from any to any src-port 139 // NETBIOS Session Service MS/Windows
add 04270 deny ip from any to any src-port 445 // Microsoft Directory Services MS/Windows

# *** Traffic shaping ***
add 05100 pass ip from me 22 to any // do not enqueue traffic from bridge ssh
add 05110 pass ip from any to me 22 // do not enqueue traffic to bridge ssh
# 64Kbits
add queue 03101 ip from 200.43.89.19 to any in via rl1 // Roura
add queue 03201 ip from any to 200.43.89.19 in via rl0
add queue 03101 ip from 200.43.89.33 to any in via rl1 // Diblasio
add queue 03201 ip from any to 200.43.89.33 in via rl0
# P2P
add 10000 queue 02299 tcp from any to any src-port 6881-6999 in via rl0 // P2P BitTorrent
add queue 02299 tcp from any to any dst-port 6881-6999 in via rl0 // P2P BitTorrent
add queue 01199 tcp from any to any src-port 6881-6999 in via rl1 // P2P BitTorrent
add queue 01199 tcp from any to any dst-port 6881-6999 in via rl1 // P2P BitTorrent
add queue 02299 ip from any to any src-port 412 in via rl0 // P2P DirectConnect
add queue 01199 ip from any to any src-port 412 in via rl1 // Hated_P2P DirectConnect
add queue 02299 ip from any to any src-port 1044-1045 in via rl0 // P2P DirectFileExpress
add queue 01199 ip from any to any src-port 1044-1045 in via rl1 // P2P DirectFileExpress
add queue 02299 ip from any to any src-port 1214 in via rl0 // P2P FastTrack (Kazaa)
add queue 01199 ip from any to any src-port 1214 in via rl1 // P2P FastTrack (Kazaa)
add queue 02299 ip from any to any src-port 2340 in via rl0 // P2P CuteMX
add queue 01199 ip from any to any src-port 2340 in via rl1 // P2P CuteMX
add queue 02299 ip from any to any src-port 4329 in via rl0 // P2P iMest
add queue 01199 ip from any to any src-port 4329 in via rl1 // P2P iMest
add queue 02299 ip from any to any src-port 4661-4665 in via rl0 // P2P EDonkey2000
add queue 01199 ip from any to any src-port 4661-4665 in via rl1 // P2P EDonkey2000
add queue 02299 ip from any to any src-port 4672 in via rl0 // P2P Edonkey2000 (get more info on this)
add queue 01199 ip from any to any src-port 4672 in via rl1 // P2P Edonkey2000 (get more info on this)
add queue 02299 ip from any to any src-port 5190 in via rl0 // P2P SongSpy
add queue 01199 ip from any to any src-port 5190 in via rl1 // P2P SongSpy
add queue 02299 ip from any to any src-port 5500-5503 in via rl0 // P2P HotlineConnect
add queue 01199 ip from any to any src-port 5500-5503 in via rl1 // P2P HotlineConnect
add queue 02299 ip from any to any src-port 6346 in via rl0 // P2P Gnutella
add queue 01199 ip from any to any src-port 6346 in via rl1 // P2P Gnutella
add queue 02299 ip from any 6666-6668 to any in via rl0 // P2P dcc
add queue 01199 ip from any 6666-6668 to any in via rl1 // P2P dcc
add queue 02299 ip from any to any src-port 6699-6701 in via rl0 // P2P Napster
add queue 01199 ip from any to any src-port 6699-6701 in via rl1 // P2P Napster
add queue 02299 ip from any to any src-port 7668 in via rl0 // P2P Aimster
add queue 01199 ip from any to any src-port 7668 in via rl1 // P2P Aimster
add queue 02299 ip from any to any src-port 7788 in via rl0 // P2P BuddyShare
add queue 01199 ip from any to any src-port 7788 in via rl1 // P2P BuddyShare
add queue 02299 ip from any to any src-port 8311 in via rl0 // P2P Scour
add queue 01199 ip from any to any src-port 8311 in via rl1 // P2P Scour
add queue 02299 ip from any to any src-port 8888-8889 in via rl0 // P2P OpenNap
add queue 01199 ip from any to any src-port 8888-8889 in via rl1 // P2P OpenNap
add queue 02299 ip from any to any src-port 28864-28865 in via rl0 // P2P hotComm
add queue 01199 ip from any to any src-port 28864-28865 in via rl1 // P2P hotComm
# Uploads
add 11000 queue 01103 tcp from any to any iplen 0-80 tcpflags ack in via rl1 // ack
add queue 01101 ip from any to any iplen 0-100 in via rl1 // small packet
add queue 01101 udp from any to any dst-port 53 in via rl1 // DNS query
add queue 01101 ah from any to any in via rl1 // ah authentication header
add queue 01101 esp from any to any in via rl1 // esp encapsulating security payload
add queue 01101 gre from any to any in via rl1 // gre Generic Routing Encapsulation
add queue 01101 udp from any to any dst-port 27960 in via rl1 // Enemy Territory
add queue 01102 icmp from any to any in via rl1 // icmp internet control message protocol
add queue 01104 ip from any to any in via rl1 // Uploads catches rest
# Downloads
add 12000 queue 02201 icmp from any to any in via rl0 // icmp internet control message protocol
add queue 02201 ip from any to any iplen 0-100 in via rl0 // small packet
add queue 02201 udp from any to any src-port 53 in via rl0 // DNS query
add queue 02201 ah from any to any in via rl0 // ah authentication header
add queue 02201 esp from any to any in via rl0 // esp encapsulating security payload
add queue 02201 gre from any to any in via rl0 // gre Generic Routing Encapsulation
add queue 02201 udp from any to any src-port 27960 in via rl0 // Enemy Territory
add queue 02202 tcp from any to any src-port 554 in via rl0 // Real Audio stream
add queue 02202 tcp from any to any src-port 1755 in via rl0 // Windows Media Audio stream
add queue 02203 ip from any to any in via rl0 // Downloads catches rest
# eof rc.firewall.rules

mkdir /root/kernels
cp /usr/src/sys/i386/conf/GENERIC /root/kernels/BRIDGE
cd /usr/src/sys/i386/conf
ln -s /root/kernels/BRIDGE
ee /root/kernels/BRIDGE

ident BRIDGE
#options INET6 # IPv6 communications protocols
#device gif # IPv6 and IPv4 tunneling
# wbridge
#device faith # IPv6-to-IPv4 relaying (translation)
#device plip # TCP/IP over parallel
options IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_FORWARD
options IPDIVERT
options IPSTEALTH
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=5
options DUMMYNET
options BRIDGE
options HZ=1000 # Optional
options NMBCLUSTERS=4096 # Optional
options DEVICE_POLLING

save file

cd /usr/src
make buildkernel KERNCONF=BRIDGE
make installkernel KERNCONF=BRIDGE

Read Handbook, and all you can find

http://www.freebsd.org/cgi/man.cgi?query=bridge&sektion=4
http://www.freebsd.org/cgi/man.cgi?query=netintro&sektion=4&apropos=0&manpath=FreeBSD+5.3-RELEASE+and+Ports
http://www.freebsd.org/cgi/man.cgi?query=rc.conf&sektion=5&apropos=0&manpath=FreeBSD+5.3-RELEASE+and+Ports
http://info.iet.unipi.it/~luigi/polling/
http://www.freebsd.org/cgi/man.cgi?query=polling&sektion=4&apropos=0&manpath=FreeBSD+5.3-RELEASE+and+Ports
http://www.freebsd.org/doc/en_US.ISO8859-1/articles/filtering-bridges/article.html
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-building.html
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-bridging.html
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html

Well, can't do more for you. I knew nothing about FreeBSD before I set up this machine; I learned enough to do this in a week. You can do it too.

-- 
Carlos Alloatti
calloatti_at_gmail.com
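Everything in the posted rc.firewall.rules depends on ipfw's first-match order: the deny rules for the bridge's own ports (03010 and friends) sit before the "do not enqueue" pass rules (05100/05110), the P2P queue rules sit before the catch-all upload and download queues, and because the posted sysctl.conf sets net.inet.ip.fw.one_pass=1 the first matching queue rule ends the search. The dry-run classifier below is an added example (mine, not the poster's) for checking that order offline before loading a ruleset on the bridge. It implements the subset of ipfw(8) syntax the posted file uses (pass/deny/queue/pipe, protocol, `me`, CIDR and bare addresses, port lists and ranges, src-port/dst-port, in/out, via, iplen, tcpflags without `!` negation, icmptypes, frag). Assumptions: BRIDGE_IP is a placeholder for whatever `me` resolves to on the real box; unnumbered rules get last number + autoinc_step, a simplification of ipfw's rounding; an unmatched packet is accepted because the posted kernel config has IPFIREWALL_DEFAULT_TO_ACCEPT. The embedded rules are a subset of the posted file, and the host addresses in the sample packets are constructed (RFC 5737 test ranges for the outside, a made-up host in the poster's 200.43.89.0/24).

```python
"""Offline dry run of an ipfw(8) ruleset in the dialect of the posted
rc.firewall.rules (added example, not the poster's code). First-match
semantics for the subset the ruleset uses. Assumptions: BRIDGE_IP stands
in for 'me'; queue/pipe actions are terminal (posted net.inet.ip.fw.one_pass=1);
no match means accept (posted IPFIREWALL_DEFAULT_TO_ACCEPT)."""
import ipaddress
from collections import namedtuple

BRIDGE_IP = ipaddress.ip_address("203.0.113.1")  # assumed stand-in for 'me'
AUTOINC_STEP = 10  # net.inet.ip.fw.autoinc_step=10 in the posted sysctl.conf

# Constructed subset of the posted ruleset, in the posted order.
SAMPLE_RULES = """
add 01000 pass all from any to any via lo0
add 03010 deny ip from any to me dst-port 22 in via rl0 // deny SSH from outside to bridge
add 04060 deny ip from any to any dst-port 139 // NETBIOS Session Service MS/Windows
add 05100 pass ip from me 22 to any // do not enqueue traffic from bridge ssh
add 05110 pass ip from any to me 22 // do not enqueue traffic to bridge ssh
add 10000 queue 02299 tcp from any to any src-port 6881-6999 in via rl0 // P2P BitTorrent
add queue 01199 tcp from any to any dst-port 6881-6999 in via rl1 // P2P BitTorrent
add 11000 queue 01103 tcp from any to any iplen 0-80 tcpflags ack in via rl1 // ack
add queue 01101 ip from any to any iplen 0-100 in via rl1 // small packet
add queue 01104 ip from any to any in via rl1 // Uploads catches rest
add 12000 queue 02201 udp from any to any src-port 53 in via rl0 // DNS query
add queue 02203 ip from any to any in via rl0 // Downloads catches rest
"""

Rule = namedtuple("Rule", "number action proto src sports dst dports opts comment")
# A packet as ipfw sees it on the bridge; flags is the set of TCP flags present, e.g. {"ack"}.
Packet = namedtuple("Packet", "iface proto src dst sport dport iplen direction flags frag icmptype",
                    defaults=(0, 0, 60, "in", frozenset(), False, -1))


def _ports(spec):
    """'22' -> [(22, 22)]; '6881-6999,412' -> [(6881, 6999), (412, 412)]."""
    return [(int(lo), int(hi or lo)) for lo, _, hi in (p.partition("-") for p in spec.split(","))]


_VALUED = {"via": str, "iplen": lambda s: _ports(s)[0], "tcpflags": lambda s: set(s.split(",")),
           "icmptypes": lambda s: {int(x) for x in s.split(",")}}


def parse_rules(text, step=AUTOINC_STEP):
    """Parse 'add [num] action proto from src [ports] to dst [ports] [options]' lines."""
    rules, last = [], 0
    for line in text.splitlines():
        body, _, comment = line.partition("//")  # ipfw keeps '//' text as the rule comment
        t = body.split()
        if not t or t[0] != "add":
            continue
        i, number = 1, last + step  # unnumbered rules get last + autoinc_step (simplified)
        if t[i].isdigit():
            number, i = int(t[i]), i + 1
        if t[i] in ("queue", "pipe"):
            action, i = f"{t[i]} {t[i + 1]}", i + 2
        elif t[i] in ("pass", "allow", "accept", "permit", "deny", "drop"):
            action, i = ("deny" if t[i] in ("deny", "drop") else "pass"), i + 1
        else:
            raise ValueError(f"unsupported action in: {line.strip()}")
        proto, src, i = t[i], t[i + 2], i + 3  # "<proto> from <src>"
        ports = {"src": [], "dst": []}
        if t[i] != "to":
            ports["src"], i = _ports(t[i]), i + 1
        dst, i = t[i + 1], i + 2  # "to <dst>"
        if i < len(t) and t[i][0].isdigit():
            ports["dst"], i = _ports(t[i]), i + 1
        opts = {}
        while i < len(t):
            k = t[i]
            if k in ("in", "out", "frag"):
                opts[k], i = True, i + 1
            elif k in ("src-port", "dst-port"):
                ports[k[:3]], i = _ports(t[i + 1]), i + 2
            elif k in _VALUED:
                opts[k], i = _VALUED[k](t[i + 1]), i + 2
            else:
                raise ValueError(f"unsupported option {k!r} in: {line.strip()}")
        rules.append(Rule(number, action, proto, src, ports["src"], dst, ports["dst"], opts, comment.strip()))
        last = max(last, number)
    rules.sort(key=lambda r: r.number)  # ipfw searches by number; stable sort keeps insertion order within a number
    return rules


def _addr_ok(spec, addr):
    net = {"any": "0.0.0.0/0", "me": f"{BRIDGE_IP}/32"}.get(spec, spec)
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def _port_ok(ranges, port, proto):
    # ipfw compares ports only for protocols that carry them; other protocols never match a port rule
    return not ranges or (proto in ("tcp", "udp") and any(lo <= port <= hi for lo, hi in ranges))


def _match(r, p):
    o = r.opts
    return (r.proto in ("ip", "all", p.proto)
            and _addr_ok(r.src, p.src) and _addr_ok(r.dst, p.dst)
            and _port_ok(r.sports, p.sport, p.proto) and _port_ok(r.dports, p.dport, p.proto)
            and not ("in" in o and p.direction != "in") and not ("out" in o and p.direction != "out")
            and o.get("via", p.iface) == p.iface
            and ("frag" not in o or p.frag)
            and ("iplen" not in o or o["iplen"][0] <= p.iplen <= o["iplen"][1])
            and ("tcpflags" not in o or (p.proto == "tcp" and o["tcpflags"] <= p.flags))
            and ("icmptypes" not in o or p.icmptype in o["icmptypes"]))


def classify(rules, pkt):
    """(number, action) of the first matching rule; 65535 is ipfw's default rule."""
    for r in rules:
        if _match(r, pkt):
            return r.number, r.action
    return 65535, "pass"
```

Feed the whole posted file to parse_rules and call classify with the packets you care about: an outside host hitting the bridge's port 22 must land on 03010 (deny) and never reach 05110, an inbound BitTorrent packet must land on the 02299 rule before the 02203 catch-all, and a small upstream ACK must hit 11000 (queue 01103) rather than the bulk 01104 queue. The last check worth keeping in mind is that ipfw orders rules by number, not by the order they appear in the file, so a low explicit number placed late in the file jumps ahead of everything.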
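One thing the posted queue definitions do not make obvious: every queue carries `mask src-ip 0xffffffff` (or `dst-ip` on the download side), so per ipfw(8) each host gets its own dynamic queue with the configured weight, and WF2Q+ splits the pipe among whichever of those dynamic queues are backlogged, in proportion to weight. The weights therefore hold flow by flow, not class by class. The calculation below is an added example (mine, not the poster's) that works this out for the posted pipe 1 (128 Kbit/s) and its upload weights; it is the idealized scheduler share, ignoring the per-queue packet limits and GRED drops also configured in the file, and the host populations are constructed.

```python
"""Idealized WF2Q+ split of a dummynet pipe among backlogged flows. Added
example, not the poster's code. Per ipfw(8), queues on a pipe share its
bandwidth in proportion to their weights, and a queue configured with
'mask src-ip 0xffffffff' spawns one dynamic queue per source host, each
with the configured weight. Pipe and weights are the posted pipe 1 and its
upload queues; the host populations below are constructed."""
from collections import Counter

PIPE1_KBITS = 128  # posted: pipe 1 config bw 128Kbits/s
UPLOAD_WEIGHTS = {"01101": 50, "01102": 30, "01103": 15, "01104": 4, "01199": 1}


def wf2q_share(pipe_kbits, backlogged, weights):
    """backlogged: [(queue_id, src_ip), ...] flows that currently hold packets.
    Returns (per-flow kbit/s keyed by (queue_id, src_ip), per-queue totals).
    Idle queues take nothing: the scheduler is work-conserving, so the active
    flows split the whole pipe by weight. A host appears once per queue, since
    the mask maps it to a single dynamic queue there."""
    flows = set(backlogged)
    total = sum(weights[q] for q, _ in flows)
    per_flow = {f: pipe_kbits * weights[f[0]] / total for f in flows}
    per_queue = Counter()
    for (q, _), kbits in per_flow.items():
        per_queue[q] += kbits
    return per_flow, dict(per_queue)


def demo():
    """Constructed load: one host in 01104 (weight 4, bulk uploads) against
    eight hosts in 01199 (weight 1, P2P). The 4:1 ratio holds flow by flow,
    but the per-host mask gives each P2P host its own flow, so the P2P queue
    as a whole ends up with twice the bulk host's share."""
    flows = [("01104", "200.43.89.50")] + [("01199", f"200.43.89.{60 + i}") for i in range(8)]
    return wf2q_share(PIPE1_KBITS, flows, UPLOAD_WEIGHTS)
```

If the intent is a fixed ratio between classes regardless of how many hosts are active in each, the mask has to go (one queue per class, no per-host flows), at which point fairness between hosts inside a class is lost; the posted layout trades the one for the other.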