From owner-freebsd-ipfw Mon Mar  4 00:21:49 2002
From: "Carroll, D. (Danny)"
Date: Mon, 4 Mar 2002 09:14:05 +0100
Subject: Dummynet, ipfw and ADSL bandwidth throttling....

I have an adsl connection serving my home lan.

I've got my freeBSD firewall working for me quite well and my NAT/Firewalling rules work just the way I like them.
I do however have one issue with ADSL itself which I hope can be rectified with BSD.

The adsl connection I have is 512kb down and 64kb up.  The problem starts when I try and upload at the full 64kb.
My Downloads crawl to a halt.

I am not technical (At least not with ATM etc...) but I have read that the problem lies with the fact that if you are using all the upload bandwidth, then a download cannot send control packets fast enough and hence it slows down as well....

The fix that has been suggested is that you limit your bandwidth with software so that the upload only uses 90% of the link.

This solution would work well if you have an FTP server or something you can manually set the upload limit to, but what I'd like to do is use BSD to enforce limits a little smarter.

Basically I am wondering if DummyNet has a facility to limit per IP or Protocol.  Perhaps someone has seen this problem before and knows of a better way to solve it?

-D
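As an added example (not code from any poster in this thread): a small sh script that generates the dummynet rules for what Danny asks, capping LAN uploads at a percentage of the ADSL upstream and sharing that cap per source IP, and going one step further by giving one protocol class (ssh here) a higher weight than bulk uploads. The external interface tun0, the 192.168.1.0/24 LAN, the rule numbers and the choice of ssh are assumed values; the script prints the ipfw commands instead of running them, so it can be reviewed before being fed to sh as root on the firewall.

```shell
#!/bin/sh
# Added example, not code from any poster in this thread.
# Generates dummynet rules that cap LAN uploads at a fraction of the ADSL
# upstream and share that cap fairly per source IP, with interactive ssh
# traffic weighted above bulk uploads.
# Assumed values: external interface tun0, LAN 192.168.1.0/24, rule
# numbers 1000-1010. Commands are printed, not executed.

# gen_upload_shaper UPLINK_KBIT PERCENT EXT_IF LAN_NET
gen_upload_shaper() {
    uplink_kbit=$1; percent=$2; ext_if=$3; lan_net=$4
    fwcmd=${FWCMD:-/sbin/ipfw}

    for n in "$uplink_kbit" "$percent"; do
        case "$n" in
            ''|*[!0-9]*)
                echo "usage: gen_upload_shaper KBIT PERCENT IF NET" >&2
                return 2 ;;
        esac
    done
    [ "$percent" -le 100 ] || { echo "percent must be <= 100" >&2; return 2; }

    # Keep the cap below the nominal rate: once the modem's own transmit
    # queue fills, every packet (including the ACKs a download needs)
    # waits behind a queue the firewall cannot see or reorder.
    cap_kbit=$(( uplink_kbit * percent / 100 ))
    [ "$cap_kbit" -ge 1 ] || { echo "resulting cap is below 1 Kbit/s" >&2; return 1; }

    cat <<EOF
# dummynet default (one_pass=1) ends rule processing after a pipe/queue.
# With NAT done by a later divert rule, set 0 so shaped packets reach it.
sysctl -w net.inet.ip.fw.one_pass=0
# One pipe = the whole upstream cap; a short queue keeps latency down.
$fwcmd pipe 1 config bw ${cap_kbit}Kbit/s queue 20
# Queues share pipe 1 by weight; the mask creates one dynamic queue per
# source host, so a single busy uploader cannot starve the others.
$fwcmd queue 1 config pipe 1 weight 10 mask src-ip 0xffffffff
$fwcmd queue 2 config pipe 1 weight 50 mask src-ip 0xffffffff
# These must precede the natd divert rule so src-ip is still the LAN address.
$fwcmd add 1000 queue 2 tcp from $lan_net to any 22 out xmit $ext_if
$fwcmd add 1010 queue 1 ip from $lan_net to any out xmit $ext_if
EOF
}

# Danny's link: 64 Kbit/s up, capped at 90% -> 57 Kbit/s.
gen_upload_shaper 64 90 tun0 192.168.1.0/24
```

The bw value takes an explicit unit (Kbit/s, Kbytes/s, and so on) and the two differ by a factor of eight, so check which one a "2kbps" request actually means before configuring the pipe.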

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Mon Mar  4 07:37:28 2002
From: Luigi Rizzo
To: "Carroll, D. (Danny)"
Cc: freebsd-ipfw@FreeBSD.ORG
Date: Mon, 4 Mar 2002 07:37:18 -0800
Subject: Re: Dummynet, ipfw and ADSL bandwidth throttling....

On Mon, Mar 04, 2002 at 09:14:05AM +0100, Carroll, D. (Danny) wrote:
...
> The adsl connection I have is 512kb down and 64kb up.  The problem
> starts when I try and upload at the full 64kb.
> My Downloads crawl to a halt.
>
> I am not technical (At least not with ATM etc...) but I have read that
> the problem lies with the fact that if you are using all the upload
> bandwidth, then a download cannot send control packets fast enough and
> hence it slows down as well....

does not sound very good as an explanation...

> Basically I am wondering if DummyNet has a facility to limit per IP or
> Protocol.  Perhaps someone has seen this problem before and knows of a

any granularity you like, depending how you specify the ipfw rule
that sends packets to the dummynet pipe.

cheers
luigi

From owner-freebsd-ipfw Mon Mar  4 13:13:46 2002
From: Jeff Koftinoff
To: freebsd-ipfw@FreeBSD.ORG
Date: Mon, 4 Mar 2002 13:13:22 -0800
Subject: Transparent proxy for connections originating on localhost

I'm sorry if this is a dumb question (or a duplicate msg), but I am
having a weird problem with ipfw. I am using mac-osx, but I know that
all the cool ipfw gurus are probably here on freebsd-ipfw.

I am able to get a transparent proxy working for other computers on my
lan with the line:

My computer's ip is 192.168.147.12
I am running apache on 192.168.147.12:80 and another server on
127.0.0.1:9999

/sbin/ipfw add 1010 fwd 127.0.0.1,9999 tcp from 192.168.147.0/24 to any 80

When 192.168.147.2 tries to connect to 192.168.147.12:80, the connection
properly gets redirected to 127.0.0.1:9999. Works fine.

But when 192.168.147.12 tries to connect to 192.168.147.12:80, the
connection hangs and does not get redirected to 127.0.0.1:9999 - the
server at 127.0.0.1:9999 does not even see the incoming connection.
However the packets must be matching the fw rule because with this fw
rule in place 192.168.147.12 is unable to get to the apache server on
port 80.

Is there some trick to this or am I doing something stupid? All I want
is for all web accesses done by programs on the local machine to be
redirected to the transparent proxy on the local machine. Only one
machine would be involved. Or should I be looking into 'divert'
sockets? Where would I learn more about those?

Thanks in advance

Jeff Koftinoff
jeffkoftinoff@mac.com

From owner-freebsd-ipfw Mon Mar  4 18:11:04 2002
From: Luiz Morte da Costa Jr
To: "Crist J. Clark"
Cc: freebsd-ipfw@FreeBSD.ORG
Date: Mon, 04 Mar 2002 23:09:40 -0300
Subject: Re: ipfw problem

Hi Crist,

IT WORKS :))))))))

My mistake was just what you said, about rules 3 and 4.

Thank you very much for your attention.

Luiz Morte.

At 11:06 2/3/2002 -0800, Crist J. Clark wrote:
>On Fri, Mar 01, 2002 at 12:19:11PM -0300, Luiz Morte da Costa Jr wrote:
> >
> > Hi all,
> >
> > I don't know if this is possible, but ... :
>
>Anything is possible.
>
> > I've installed FreeBSD 4.4 on hardware with 3 NICs. I've configured:
> >
> > nic fxp0: a.b.c.d -> Internet link, with a valid IP
> > nic fxp1: e.f.g.h -> Internet link, with a valid IP
> > nic fxp2: 10.10.10.1 -> Internal link, with a NO valid IP
> >
> > My default router is a.b.c.29 (the same fxp0 IP Class)
> >
> > I'm using ipfw+nat and the idea is:
> > http protocol: out/in via fxp1
> > other protocols: out/in via fxp0
>
>OK. Whatever you want.
>
> > - I'm starting nat like this:
> > natd (8668) on the fxp0 nic and
> > natd2 (8669) on the fxp1 nic
>
>These are just run like 'natd -n fxp[01]' with no additional options?
>
> > - I've used the rules below:
> > add 001 divert 8669 tcp from any to any 80
> > add 002 divert 8669 tcp from any 80 to any
> > add 003 fwd e.f.g.h tcp from any to any 80 via fxp1 (fxp1 IP Class)
> > add 004 fwd e.f.g.h tcp from any 80 to any via fxp1 (fxp1 IP Class)
> > add 005 skipto 020 tcp from any to any 80
> > add 006 skipto 020 tcp from any 80 to any
> > add 010 divert 8668 all from any to any
> > add 020 allow log all from any to any
> >
> >
> > - logs:
> > Feb 17 11:45:15 fw /kernel: ipfw: 020 Accept 10.10.10.130:1133
> > 209.73.180.8:80 in via fxp2
> > (accessing altavista from a machine on the internal network: 10.10.10.130)
> >
> > Feb 17 11:45:15 fw /kernel: ipfw: 020 Accept e.f.g.h:1133 209.73.180.8:80
> > out via fxp0
> >
> >
> >
> > I think the NAT is working fine (logs), but all the internet traffic is
> > passing through fxp0. I have a routing problem and I don't know if I can fix
> > it. In other words, only the http protocol passes through fxp1 and other
> > protocols pass through fxp0.
>
>Your 3 and 4 rules do not mean what you seem to think they mean. Rule
>3 is saying, forward to e.f.g.h any packet that is crossing interface
>fxp1 destined to port 80. That is, the 'via fxp1' means the packet
>must be already crossing that interface to match the rule. Plus, you
>really don't want to be 'fwd'ing the packets to the local
>machine. That means the local machine processes them as if they were
>destined for itself.
>
>What you want to do is,
>
>  add 003 fwd e.f.g.i tcp from e.f.g.h to any 80 out
>
>Where e.f.g.i is the gateway off of e.f.g.h. At least, if that whole
>mess works at all, this rule will kick those packets out of the other
>link.
>--
>Crist J. Clark                     |     cjclark@alum.mit.edu
>                                   |     cjclark@jhu.edu
>http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

From owner-freebsd-ipfw Mon Mar  4 21:37:20 2002
From: "Crist J. Clark"
To: Jeff Koftinoff
Cc: freebsd-ipfw@FreeBSD.ORG
Date: Mon, 4 Mar 2002 21:37:13 -0800
Subject: Re: Transparent proxy for connections originating on localhost

On Mon, Mar 04, 2002 at 01:13:22PM -0800, Jeff Koftinoff wrote:
>
> I'm sorry if this is a dumb question (or a duplicate msg), but I am
> having a weird problem with ipfw. I am using mac-osx, but I know that
> all the cool ipfw gurus are probably here on freebsd-ipfw.
>
> I am able to get a transparent proxy working for other computers on my
> lan with the line:
>
> My computer's ip is 192.168.147.12
> I am running apache on 192.168.147.12:80 and another server on
> 127.0.0.1:9999
>
> /sbin/ipfw add 1010 fwd 127.0.0.1,9999 tcp from 192.168.147.0/24 to any
> 80
>
> When 192.168.147.2 tries to connect to 192.168.147.12:80, the connection
> properly gets redirected to 127.0.0.1:9999. Works fine.
>
> But when 192.168.147.12 tries to connect to 192.168.147.12:80, the
> connection hangs and does not get redirected to 127.0.0.1:9999 - the
> server at 127.0.0.1:9999 does not even see the incoming connection.
> However the packets must be matching the fw rule because with this fw
> rule in place 192.168.147.12 is unable to get to the apache server on
> port 80.
>
> Is there some trick to this or am I doing something stupid?

I have no idea what version of ipfw(8) is running on OS X. Up until
_very_ recently (way too recently to be in OS X), 'fwd' rules only
applied to outgoing packets (this is documented in ipfw(8)). When the
local machine is communicating with itself, packets are never
outgoing. They would never get 'fwd'ed.

> All I want
> is for all web accesses done by programs on the local machine to be
> redirected to the transparent proxy on the local machine. Only one
> machine would be involved. Or should I be looking into 'divert'
> sockets? Where would I learn more about those?

Nope. 'fwd' is the right way to go for transparent proxying. But a
webserver running on the same machine with the proxy won't work.
--
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

From owner-freebsd-ipfw Mon Mar  4 22:12:09 2002
From: "Crist J. Clark"
To: Jeff Koftinoff
Cc: freebsd-ipfw@FreeBSD.ORG
Date: Mon, 4 Mar 2002 22:12:03 -0800
Subject: Re: Transparent proxy for connections originating on localhost

On Mon, Mar 04, 2002 at 09:50:37PM -0800, Jeff Koftinoff wrote:
>
> On Monday, March 4, 2002, at 09:37 PM, Crist J. Clark wrote:
>
> > On Mon, Mar 04, 2002 at 01:13:22PM -0800, Jeff Koftinoff wrote:
> >> All I want
> >> is for all web accesses done by programs on the local machine to be
> >> redirected to the transparent proxy on the local machine. Only one
> >> machine would be involved. Or should I be looking into 'divert'
> >> sockets? Where would I learn more about those?
> >
> > Nope. 'fwd' is the right way to go for transparent proxying. But a
> > webserver running on the same machine with the proxy won't work.
> >
>
> Thank you very much for your reply.  So is 'fwd' the right way to go
> for transparent proxying with the web browser and the proxy on the same
> machine?

I'm not sure why one would want to proxy connections to a webserver on
the same machine.

> With the same rule that I previously specified, when I try to
> access a remote web site, the 'fwd' rule blocks my connection and does
> not forward to 127.0.0.1:9999.  The browser (links) just hangs on 'Making
> connection'. and 'ipfw show' shows the counter increase.

Hmmm... I thought you said it was working. I'm not clear on what is
and is not working.
--
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

From owner-freebsd-ipfw Mon Mar  4 22:13:27 2002
From: "Justin C. Walker"
To: freebsd-ipfw@FreeBSD.ORG
Date: Mon, 4 Mar 2002 22:13:15 -0800
Subject: Re: Transparent proxy for connections originating on localhost

On Monday, March 4, 2002, at 09:37 PM, Crist J. Clark wrote:

> On Mon, Mar 04, 2002 at 01:13:22PM -0800, Jeff Koftinoff wrote:
>>
>> I'm sorry if this is a dumb question (or a duplicate msg), but I am
>> having a weird problem with ipfw. I am using mac-osx, but I know that
>> all the cool ipfw gurus are probably here on freebsd-ipfw.
[snip]
> I have no idea what version of ipfw(8) is running on OS X. Up until
> _very_ recently (way too recently to be in OS X), 'fwd' rules only
> applied to outgoing packets (this is documented in ipfw(8)). When the
> local machine is communicating with itself, packets are never
> outgoing. They would never get 'fwd'ed.

The networking code in Darwin/Mac OS X is FreeBSD 3.[2,3] based.  I
think there may have been updates to later 'ipfw' code, but I can't tell
from the CVS logs.

regards,

Justin

--
Justin C. Walker, Curmudgeon-At-Large  *
Institute for General Semantics        | It's not whether you win or lose...
                                       | It's whether *I* win or lose.
*--------------------------------------*-------------------------------*

From owner-freebsd-ipfw Mon Mar  4 22:18:24 2002
From: Jeff Koftinoff
To: cjclark@alum.mit.edu
Cc: freebsd-ipfw@FreeBSD.ORG
Date: Mon, 4 Mar 2002 22:18:18 -0800
Subject: Re: Transparent proxy for connections originating on localhost

On Monday, March 4, 2002, at 10:12 PM, Crist J. Clark wrote:

> On Mon, Mar 04, 2002 at 09:50:37PM -0800, Jeff Koftinoff wrote:
>>
>>
>> Thank you very much for your reply.  So is 'fwd' the right way to go
>> for transparent proxying with the web browser and the proxy on the same
>> machine?
>
> I'm not sure why one would want to proxy connections to a webserver on
> the same machine.
>

Content filtering for all http connections regardless of which browser
is installed.

>> With the same rule that I previously specified, when I try to
>> access a remote web site, the 'fwd' rule blocks my connection and does
>> not forward to 127.0.0.1:9999.  The browser (links) just hangs on
>> 'Making
>> connection'. and 'ipfw show' shows the counter increase.
>
> Hmmm... I thought you said it was working. I'm not clear on what is
> and is not working.

When I originate the connection on an external computer, the fwd works.
When I originate the connection on the same computer that has the fwd
rule, the fwd rule causes the connect to hang.

Jeff

From owner-freebsd-ipfw Mon Mar  4 22:33:00 2002
From: Victor Tayer
To: ipfw@freebsd.org
Date: Tue, 05 Mar 2002 14:32:54 +0800
Subject: bandwidth limit using ipfw

how do i configure ipfw so that packets destined for my http (80) port or
whatever ports that i like will be limited only to say 2kbps...?

any inputs will be greatly appreciated.

jett tayer

From owner-freebsd-ipfw Mon Mar  4 23:12:19 2002
From: "Crist J. Clark"
To: Jeff Koftinoff
Cc: freebsd-ipfw@FreeBSD.ORG
Date: Mon, 4 Mar 2002 23:11:57 -0800
Subject: Re: Transparent proxy for connections originating on localhost

On Mon, Mar 04, 2002 at 10:18:18PM -0800, Jeff Koftinoff wrote:
>
> On Monday, March 4, 2002, at 10:12 PM, Crist J. Clark wrote:
>
> > On Mon, Mar 04, 2002 at 09:50:37PM -0800, Jeff Koftinoff wrote:
> >>
> >>
> >> Thank you very much for your reply.  So is 'fwd' the right way to go
> >> for transparent proxying with the web browser and the proxy on the same
> >> machine?
> >
> > I'm not sure why one would want to proxy connections to a webserver on
> > the same machine.
> >
>
> Content filtering for all http connections regardless of which browser
> is installed.
>
> >> With the same rule that I previously specified, when I try to
> >> access a remote web site, the 'fwd' rule blocks my connection and does
> >> not forward to 127.0.0.1:9999.  The browser (links) just hangs on
> >> 'Making
> >> connection'. and 'ipfw show' shows the counter increase.
> >
> > Hmmm... I thought you said it was working. I'm not clear on what is
> > and is not working.
>
> When I originate the connection on an external computer, the fwd works.
> When I originate the connection on the same computer that has the fwd
> rule, the fwd rule causes the connect to hang.

Hmmm... Wouldn't happen to have a,

  pass ip from any to any via lo0

At the top of your rules?
--
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

From owner-freebsd-ipfw Mon Mar  4 23:33:53 2002
From: Jeff Koftinoff
To: cjclark@alum.mit.edu
Cc: freebsd-ipfw@FreeBSD.ORG
Date: Mon, 4 Mar 2002 23:33:48 -0800
Subject: Re: Transparent proxy for connections originating on localhost

On Monday, March 4, 2002, at 11:11 PM, Crist J. Clark wrote:

>>
>> When I originate the connection on an external computer, the fwd works.
>> When I originate the connection on the same computer that has the fwd
>> rule, the fwd rule causes the connect to hang.
>
> Hmmm... Wouldn't happen to have a,
>
>   pass ip from any to any via lo0
>
> At the top of your rules?
>

The only other rule I have is the default allow at the end.

sudo /sbin/ipfw show
65535 23381230 14310099719 allow ip from any to any

Do I have to make my fwd rule operate in reverse or something?  Or should
I explicitly specify the network interfaces?

Or could it be that the following is happening:

1) OS-X has the older ipfw code which requires the packets to be headed
to an external interface
2) My initial request comes from an internal process and is going to an
external IP
3) ipfw fwd redirects the first outgoing packet to 127.0.0.1:9999
4) the response packet is heading back to the internal address
5) because the response packet is internal, it is not properly munged by
the ipfw fwd code.

Does that sound feasible?  So betcha what I am trying to do would work
fine on a new FreeBSD system, right?

Jeff Koftinoff

From owner-freebsd-ipfw Mon Mar  4 23:58:49 2002
From: "Adam@junik.lv"
To: ipfw@freebsd.org
Date: Tue, 5 Mar 2002 10:01:14 +0200
Subject: Re: bandwidth limit using ipfw

----- Original Message -----
From: "Victor Tayer"
Sent: Tuesday, March 05, 2002 8:32 AM
Subject: bandwidth limit using ipfw

> how do i configure ipfw so that packets destined for my http (80) port
> or whatever ports that i like will be limited only to say 2kbps...?

At your kernel:

options DUMMYNET

At /etc/rc.firewall:

fwcmd="/sbin/ipfw"
${fwcmd} add pipe 1 tcp from any to any 80 in
${fwcmd} pipe 1 config bw 2Kbytes/s

> any inputs will be greatly appreciated.
>
> jett tayer

From owner-freebsd-ipfw Tue Mar  5 00:01:21 2002
From: "Crist J. Clark"
To: Jeff Koftinoff
Cc: freebsd-ipfw@FreeBSD.ORG
Date: Tue, 5 Mar 2002 00:01:14 -0800
Subject: Re: Transparent proxy for connections originating on localhost

On Mon, Mar 04, 2002 at 11:33:48PM -0800, Jeff Koftinoff wrote:
>
> On Monday, March 4, 2002, at 11:11 PM, Crist J.
Clark wrote: > > >> > >> When I originate the connection on an external computer, the fwd works. > >> When I originate the connection on the same computer that has the fwd > >> rule, the fwd rule causes the connect to hang. > > > > Hmmm... Wouldn't happen to have a, > > > > pass ip from any to any via lo0 > > > > At the top of your rules? > > > > The only other rule I have is the default allow at the end. > sudo /sbin/ipfw show > 65535 23381230 14310099719 allow ip from any to any > > Do I have to make my fwd rule operate in reverse or something? Or should > I explicitely specify the network interfaces? Or could it be that the > following is happening: > 1) OS-X has the older ipfw code which requires the packets to > be headed to an external interface The packet just has to be leaving. > 2) My initial request comes from an internal process and is > going to an external IP > 3) ipfw fwd redirects the first outgoing packet to 127.0.0.1:9999 > 4) the response packet is heading back to the internal address > 5) because the response packet is internal, it is not properly > munged by the ipfw fwd code. > > Does that sound feasable? So betcha what I am trying to do would work > fine on a new FreeBSD system, right? Accessing external webservers from the machine running the proxy should work. Any time the packets are leaving the system, it should work. -- Crist J. 
Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Tue Mar 5 7:41:29 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from mail.itos.dn.ua (pC33AE23B.dip.skif.net [195.58.226.59]) by hub.freebsd.org (Postfix) with SMTP id DEE9137B405 for ; Tue, 5 Mar 2002 07:41:24 -0800 (PST) Received: (qmail 5944 invoked from network); 5 Mar 2002 15:41:32 -0000 Received: from pc33ae23a.dip.skif.net (HELO anchor) (195.58.226.58) by pc33ae23b.dip.skif.net with SMTP; 5 Mar 2002 15:41:32 -0000 Message-ID: <006001c1c45c$33020410$3201a8c0@anchor> From: "Igor Falyush" To: Subject: Date: Tue, 5 Mar 2002 17:41:21 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="koi8-r" Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG unsubscribe freebsd-ipfw ---------------------------------------- éÇÏÒØ æÁÌÀÛ http://www.itos.dn.ua To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message
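The two ipfw threads above (the fwd rule that hangs for connections originating on the firewall itself, and the dummynet pipe for port 80) fit together in one ruleset. The script below is an added example, not code posted by any participant; it takes the proxy port 127.0.0.1:9999, the lo0 pass rule and the 2 KBytes/s pipe from the thread, while the rule numbers and the assumed proxy account name "proxy" are choices made here.

```shell
#!/bin/sh
# Added example (not from the thread): an ipfw ruleset that keeps a
# transparent proxy on 127.0.0.1:9999 and a dummynet pipe working for
# connections that originate on the firewall itself. Rule numbers and
# the proxy's uid "proxy" are assumptions; IPFW=echo gives a dry run.
IPFW="${IPFW:-/sbin/ipfw}"

gen_rules() {
    # 1. Loopback first: replies produced by the fwd to 127.0.0.1 travel
    #    over lo0 and must not hit the fwd rule a second time.
    echo "add 100 allow ip from any to any via lo0"
    # 2. What the proxy itself sends out must bypass the redirect,
    #    otherwise its own upstream requests loop back into it.
    echo "add 200 allow tcp from any to any 80 out uid proxy"
    # 3. Redirect every other HTTP request into the local proxy.
    echo "add 300 fwd 127.0.0.1,9999 tcp from any to any 80"
    # 4. Dummynet pipe limiting inbound port-80 traffic to 2 KBytes/s,
    #    the rate asked for in the "bandwidth limit" message.
    echo "pipe 1 config bw 2KBytes/s"
    echo "add 400 pipe 1 tcp from any to any 80 in"
    echo "add 65000 allow ip from any to any"
}

# Sanity check before loading: the lo0 allow must precede any fwd rule,
# which is exactly the ordering problem raised in the thread.
check_order() {
    gen_rules | awk '
        /via lo0/ && !lo  { lo = NR }
        /fwd/     && !fwd { fwd = NR }
        END { exit !(lo && fwd && lo < fwd) }'
}

apply_rules() {
    check_order || { echo "refusing to load: fwd precedes lo0 allow" >&2; return 1; }
    # Word splitting of $rule is intentional: each line is one ipfw command.
    gen_rules | while read -r rule; do $IPFW $rule; done
}
```

Calling apply_rules with IPFW=echo in the environment prints the rules in load order instead of loading them.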