From: "nuro_pro"
Date: Tue, 10 Sep 2002 11:43:17 +0900
Subject: dummynet doesn't work

I set up bandwidth limiting for my Samba server at 80.000 Kbit/s as follows. But it still runs at speeds above 300 KB/s. What is wrong?
kernel compile options:

options IPFIREWALL              #firewall
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=200
options TCP_DROP_SYNFIN         #drop TCP packets with SYN+FIN
options ICMP_BANDLIM
options DUMMYNET
options IPFIREWALL_FORWARD
options IPDIVERT

uname -a:

FreeBSD locahost 4.6-STABLE FreeBSD 4.6-STABLE #9: Tue Sep 10 09:36:48 KST 2002 vinu@localhost:/usr/obj/usr/src/sys/nute i386

my firewall script:

if [ -r /etc/defaults/rc.conf ]; then
    . /etc/defaults/rc.conf
    source_rc_confs
elif [ -r /etc/rc.conf ]; then
    . /etc/rc.conf
fi

if [ -n "${1}" ]; then
    firewall_type="${1}"
fi

fwcmd="/sbin/ipfw"
outside_network_device="xl0"
outside_network="192.168.0.0"
outside_network_mask="255.255.255.0"
outside_network_ip="192.168.0.4"
dns1="168.126.63.1"
dns2="168.126.63.2"

${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
# ${fwcmd} add deny all from ${outside_network}:${outside_network_mask} to any in via ${inside_network_device}
${fwcmd} add deny all from any to 10.0.0.0/8 via ${outside_network_device}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${outside_network_device}
${fwcmd} add deny all from any to 0.0.0.0/8 via ${outside_network_device}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${outside_network_device}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${outside_network_device}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${outside_network_device}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${outside_network_device}

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from 10.0.0.0/8 to any via ${outside_network_device}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${outside_network_device}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from 0.0.0.0/8 to any via ${outside_network_device}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${outside_network_device}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${outside_network_device}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${outside_network_device}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${outside_network_device}

# Allow established connections with minimal overhead
${fwcmd} add pass tcp from any to any established

# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag

# HTTP - Allow access to our web server
${fwcmd} add pass tcp from any to any 80 setup

# SMTP - Allow access to sendmail for incoming e-mail
${fwcmd} add pass tcp from any to any 25 setup
# ssmtp
${fwcmd} add pass tcp from any to any 465 setup
# pop
${fwcmd} add pass tcp from any to any 110 setup
# imap
${fwcmd} add pass tcp from any to any 143 setup
# pop3s
${fwcmd} add pass tcp from any to any 995 setup
# imaps
${fwcmd} add pass tcp from any to any 993 setup

# FTP - Allow incoming data channel for outgoing connections,
# reject & log all incoming control connections
${fwcmd} add pass tcp from any 20 to any 1024-65535 setup
${fwcmd} add pass tcp from any to any 21 in via ${outside_network_device} setup

# SSH Login - Allow & Log all incoming
${fwcmd} add pass log tcp from any to any 22 in via ${outside_network_device} setup

# IDENT - Reset incoming connections
${fwcmd} add reset tcp from any to any 113 in via ${outside_network_device} setup

# Reject&Log all setup of incoming connections from the outside
# ${fwcmd} add deny log tcp from any to any in via ${outside_network_device} setup

# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any setup

# DNS - Allow queries out in the world
${fwcmd} add pass udp from any to ${dns1} 53
${fwcmd} add pass udp from any to ${dns2} 53
${fwcmd} add pass udp from ${dns1} 53 to any
${fwcmd} add pass udp from ${dns2} 53 to any
${fwcmd} add pass tcp from any to ${dns1} 53
${fwcmd} add pass tcp from any to ${dns2} 53
${fwcmd} add pass tcp from ${dns1} 53 to any
${fwcmd} add pass tcp from ${dns2} 53 to any
${fwcmd} add pass tcp from any to 192.168.0.4 53
${fwcmd} add pass tcp from 192.168.0.4 53 to any
${fwcmd} add pass udp from any to 192.168.0.4 53
${fwcmd} add pass udp from 192.168.0.4 53 to any

#${fwcmd} add check-state
#${fwcmd} queue 1 config pipe 10
#${fwcmd} pipe 10 config bw 10bit/s
#${fwcmd} queue 1 config pipe 1 weight 1
${fwcmd} pipe 1 config bw 10KByte/s

# SMB - Allow local traffic
#${fwcmd} add pass log tcp from any to any 137 via ${outside_network_device} keep-state
#${fwcmd} add pass log tcp from any to any 138 via ${outside_network_device} keep-state
#${fwcmd} add pipe 1 log tcp from any to any 139 via ${outside_network_device}
#${fwcmd} add pipe 1 log tcp from any to any 445 via ${outside_network_device}
#${fwcmd} add queue 1 log tcp from any to any 139 in recv ${outside_network_device}
#${fwcmd} add queue 1 log tcp from any to any 139 out xmit ${outside_network_device}
#${fwcmd} add queue 1 log tcp from any to any 445 via ${outside_network_device}
#${fwcmd} add pipe 1 tcp from any to any 137,139 in ${outside_network_device}
${fwcmd} add pipe 1 tcp from any to any 137,139 via ${outside_network_device}
#${fwcmd} add queue 1 config pipe 1 weight 1
#${fwcmd} pipe 1 tcp from any to any 139
#${fwcmd} pipe 1 tcp from any to any 445
#${fwcmd} add pass log tcp from any 139 to any via ${outside_network_device}
#${fwcmd} add pass log tcp from any 445 to any via ${outside_network_device}
#${fwcmd} add pass log udp from any to any 137 via ${outside_network_device}
#${fwcmd} add pass log udp from any to any 138 via ${outside_network_device}
#${fwcmd} add pass log udp from any to any 139 via ${outside_network_device}
#${fwcmd} add pass log udp from any to any 445 via ${outside_network_device}

# NTP - Allow queries out in the world
${fwcmd} add pass udp from any 123 to any 123 via ${outside_network_device}

# TRACEROUTE - Allow outgoing
${fwcmd} add pass udp from any to any 33434-33523 out via ${outside_network_device}

# Allow outgoing pings
${fwcmd} add pass icmp from any to any icmptypes 8 out via ${outside_network_device}
${fwcmd} add pass icmp from any to any icmptypes 0 in via ${outside_network_device}

# Allow Destination Unreachable, Source Quench, Time Exceeded, and Bad Header
${fwcmd} add pass icmp from any to any icmptypes 3,4,11,12 via ${outside_network_device}

# edonkey
${fwcmd} add pass log tcp from any to any 4662 via ${outside_network_device} keep-state
${fwcmd} add pass log tcp from any to any 4661 via ${outside_network_device} keep-state
${fwcmd} add pass log tcp from any 4661 to any via ${outside_network_device} keep-state
${fwcmd} add pass log tcp from any 4662 to any via ${outside_network_device} keep-state
${fwcmd} add pass log tcp from any to any 4665 via ${outside_network_device} keep-state
${fwcmd} add pass log tcp from any 4665 to any via ${outside_network_device} keep-state
${fwcmd} add pass log udp from any to any 4665 via ${outside_network_device} keep-state
${fwcmd} add pass log udp from any 4665 to any via ${outside_network_device} keep-state

# Deny the rest of them
#${fwcmd} add deny icmp from any to any

# ipfw pipe list
00001:  80.000 Kbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
q00001: weight 1 pipe 1   50 sl. 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000

# ipfw queue list
00001:  80.000 Kbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
q00001: weight 1 pipe 1   50 sl. 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000

# ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from any to 10.0.0.0/8 via xl0
00400 deny ip from any to 172.16.0.0/12 via xl0
00500 deny ip from any to 0.0.0.0/8 via xl0
00600 deny ip from any to 169.254.0.0/16 via xl0
00700 deny ip from any to 192.0.2.0/24 via xl0
00800 deny ip from any to 224.0.0.0/4 via xl0
00900 deny ip from any to 240.0.0.0/4 via xl0
01000 deny ip from 10.0.0.0/8 to any via xl0
01100 deny ip from 172.16.0.0/12 to any via xl0
01200 deny ip from 0.0.0.0/8 to any via xl0
01300 deny ip from 169.254.0.0/16 to any via xl0
01400 deny ip from 192.0.2.0/24 to any via xl0
01500 deny ip from 224.0.0.0/4 to any via xl0
01600 deny ip from 240.0.0.0/4 to any via xl0
01700 allow tcp from any to any established
01800 allow ip from any to any frag
01900 allow tcp from any to any 80 setup
02000 allow tcp from any to any 25 setup
02100 allow tcp from any to any 465 setup
02200 allow tcp from any to any 110 setup
02300 allow tcp from any to any 143 setup
02400 allow tcp from any to any 995 setup
02500 allow tcp from any to any 993 setup
02600 allow tcp from any 20 to any 1024-65535 setup
02700 allow tcp from any to any 21 in recv xl0 setup
02800 allow log logamount 200 tcp from any to any 22 in recv xl0 setup
02900 reset tcp from any to any 113 in recv xl0 setup
03000 allow tcp from any to any setup
03100 allow udp from any to 168.126.63.1 53
03200 allow udp from any to 168.126.63.2 53
03300 allow udp from 168.126.63.1 53 to any
03400 allow udp from 168.126.63.2 53 to any
03500 allow tcp from any to 168.126.63.1 53
03600 allow tcp from any to 168.126.63.2 53
03700 allow tcp from 168.126.63.1 53 to any
03800 allow tcp from 168.126.63.2 53 to any
03900 allow tcp from any to 192.168.0.4 53
04000 allow tcp from 192.168.0.4 53 to any
04100 allow udp from any to 192.168.0.4 53
04200 allow udp from 192.168.0.4 53 to any
04300 pipe 1 tcp from any to any 137,139 via xl0
04400 allow udp from any 123 to any 123 via xl0
04500 allow udp from any to any 33434-33523 out xmit xl0
04600 allow icmp from any to any out xmit xl0 icmptype 8
04700 allow icmp from any to any in recv xl0 icmptype 0
04800 allow icmp from any to any via xl0 icmptype 3,4,11,12
04900 allow log logamount 200 tcp from any to any 4662 keep-state via xl0
05000 allow log logamount 200 tcp from any to any 4661 keep-state via xl0
05100 allow log logamount 200 tcp from any 4661 to any keep-state via xl0
05200 allow log logamount 200 tcp from any 4662 to any keep-state via xl0
05300 allow log logamount 200 tcp from any to any 4665 keep-state via xl0
05400 allow log logamount 200 tcp from any 4665 to any keep-state via xl0
05500 allow log logamount 200 udp from any to any 4665 keep-state via xl0
05600 allow log logamount 200 udp from any 4665 to any keep-state via xl0
65535 deny ip from any to any
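Editor's added example, not part of the mail above and not the poster's code: a toy first-match evaluator for the part of the posted ruleset that decides where SMB traffic on port 139 ends up. ipfw walks rules in number order and the first match wins; `established` matches any TCP segment with ACK or RST set, and `setup` matches SYN-without-ACK. Only rules 01700, 03000, 04300 and 65535 from the posted `ipfw list` are modelled, with just the fields they match on; the "reordered" set, with the pipe rule renumbered to 1650, is a constructed comparison, not something the poster tried.

```python
"""Toy ipfw first-match evaluator (added example, not the poster's code).

Models only protocol, destination port, TCP flag class and interface; every
other ipfw match option is ignored.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    dport: int
    syn: bool = False     # SYN set, ACK clear  -> matched by ipfw "setup"
    ack: bool = False     # ACK (or RST) set    -> matched by ipfw "established"
    iface: str = "xl0"


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                  # "allow", "deny" or "pipe 1"
    proto: str = "ip"            # "ip" matches any protocol
    dports: tuple = ()           # () matches any destination port
    setup: bool = False          # ipfw "setup"
    established: bool = False    # ipfw "established"
    iface: Optional[str] = None  # "via xl0"; None means any interface

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.dports and p.dport not in self.dports:
            return False
        if self.setup and not (p.syn and not p.ack):
            return False
        if self.established and not p.ack:
            return False
        if self.iface is not None and self.iface != p.iface:
            return False
        return True


def first_match(rules, p: Packet) -> Rule:
    """ipfw semantics: the lowest-numbered matching rule decides the packet."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(p):
            return r
    raise AssertionError("rule 65535 always matches; ruleset is incomplete")


def deciding_rule(rules, p: Packet) -> int:
    return first_match(rules, p).number


# Subset of the posted "ipfw list", same numbers and order.
POSTED = [
    Rule(1700, "allow", proto="tcp", established=True),
    Rule(3000, "allow", proto="tcp", setup=True),
    Rule(4300, "pipe 1", proto="tcp", dports=(137, 139), iface="xl0"),
    Rule(65535, "deny"),
]

# Constructed comparison: the same pipe rule placed ahead of the blanket
# TCP allows (number 1650 is an assumption, not from the post).
REORDERED = [
    Rule(1650, "pipe 1", proto="tcp", dports=(137, 139), iface="xl0"),
    Rule(1700, "allow", proto="tcp", established=True),
    Rule(3000, "allow", proto="tcp", setup=True),
    Rule(65535, "deny"),
]

# Constructed sample packets from one SMB session on port 139.
SMB_SYN = Packet("tcp", 139, syn=True)           # handshake
SMB_DATA = Packet("tcp", 139, ack=True)          # every data segment afterwards
NBNS_QUERY = Packet("udp", 137)                  # NetBIOS name service

if __name__ == "__main__":
    for label, rules in (("posted", POSTED), ("reordered", REORDERED)):
        for p in (SMB_SYN, SMB_DATA, NBNS_QUERY):
            r = first_match(rules, p)
            print(f"{label:9} {p.proto} dport={p.dport} syn={p.syn} "
                  f"ack={p.ack} -> rule {r.number:05d} {r.action}")
```

Run stand-alone it shows that with the posted ordering the SYN is accepted by 03000 and every data segment by 01700, so the pipe rule at 04300 never sees a byte of the transfer; with the pipe rule in front of both, the same packets reach `pipe 1`. Anything checked with an evaluator like this should be confirmed on the box with `ipfw show` (per-rule packet and byte counters), which reveals directly which rule is absorbing the traffic; note also that on FreeBSD 4.x the default `net.inet.ip.fw.one_pass=1` accepts a packet once it leaves the pipe, so rules after the pipe do not get a second look.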