From owner-freebsd-ipfw@FreeBSD.ORG  Sun Jul 24 01:02:40 2005
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
X-Original-To: freebsd-ipfw@freebsd.org
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id BFD4616A41F
	for <freebsd-ipfw@freebsd.org>; Sun, 24 Jul 2005 01:02:40 +0000 (GMT)
	(envelope-from lists@jnielsen.net)
Received: from ns1.jnielsen.net (ns1.jnielsen.net [69.55.238.237])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 7E36343D46
	for <freebsd-ipfw@freebsd.org>; Sun, 24 Jul 2005 01:02:38 +0000 (GMT)
	(envelope-from lists@jnielsen.net)
Received: from stealth.local (pcp09741457pcs.goosck01.sc.comcast.net
	[69.241.83.8]) (authenticated bits=0)
	by ns1.jnielsen.net (8.12.9p2/8.12.9) with ESMTP id j6O12bMP004045;
	Sat, 23 Jul 2005 18:02:37 -0700 (PDT)
	(envelope-from lists@jnielsen.net)
From: John Nielsen <lists@jnielsen.net>
To: freebsd-ipfw@freebsd.org, vladone <vladone@spaingsm.com>
Date: Sat, 23 Jul 2005 21:02:16 -0400
User-Agent: KMail/1.8.1
References: <1287099147.20050723221715@spaingsm.com>
	<BF081248.EE9C%m@telerama.com>
	<177514506.20050724002537@spaingsm.com>
In-Reply-To: <177514506.20050724002537@spaingsm.com>
MIME-Version: 1.0
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200507232102.16907.lists@jnielsen.net>
X-Virus-Scanned: ClamAV 0.85.1/989/Fri Jul 22 14:27:30 2005 on ns1.jnielsen.net
X-Virus-Status: Clean
Cc: 
Subject: Re: Re[2]: divert to multiple public's IP
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 24 Jul 2005 01:02:40 -0000

On Saturday 23 July 2005 05:25 pm, vladone wrote:
> If I understand correctly with redirect_address I can forward a given
> public ip (commonly an alias on public interface) to an internal ip
> (private). I don't know if this is good for what I want.
> More exactly description for what i want:
> My private network is: 192.168.0.0/24
> I have (example) public ip: 1.1.1.1, 1.1.1.6 and 1.1.1.9
> I want:
> ip's: 192.168.0.1-20 out(translated) with 1.1.1.1
> ip's: 192.168.0.21-30 out with 1.1.1.6
>  and so.

If you wanted a one-to-one mapping between public and private IP's, then you 
could use redirect_address.  For what you describe above, though, the best 
approach may be to run multiple instances of natd and split up the traffic 
with ipfw.

Sample setup--

In /etc/services:
natd	8668/divert
natd2	8669/divert
natd3	8670/divert

In a natd script (I don't think the rc scripts support multiple instances of 
natd):
natd -a 1.1.1.1 -p natd
natd -a 1.1.1.6 -p natd2
natd -a 1.1.1.9 -p natd3

And in an ipfw script:
add divert natd3 all from 192.168.0.31,192.168.0.32,192.168.0.33 to any \
	via ${external_interface}
add skipto 10000 all from 192.168.0.31,192.168.0.32,192.168.0.33 to any \
	via ${external_interface}
add divert natd2 all from 192.168.0.21,192.168.0.22,192.168.0.23 to any \
	via ${external_interface}
add skipto 10000 all from 192.168.0.21,192.168.0.22,192.168.0.23 to any \
	via ${external_interface}
add divert natd all from any to any via ${external_interface}
add 10000 allow all from any to any via lo0
...

So you'd give a name to each divert port you want to use in /etc/services 
(8668 is already there), run an instance of natd for each external alias, 
and use comma-separated lists of IP addresses and skipto's in ipfw to 
direct the traffic appropriately.  Notice that I made the last one a 
default rather than specifying its addresses explicitly.  Depending on your 
needs you may want to do something similar.

JN

From owner-freebsd-ipfw@FreeBSD.ORG  Sun Jul 24 17:33:52 2005
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
X-Original-To: freebsd-ipfw@freebsd.org
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id A2CA316A41F
	for <freebsd-ipfw@freebsd.org>; Sun, 24 Jul 2005 17:33:52 +0000 (GMT)
	(envelope-from lists@jnielsen.net)
Received: from ns1.jnielsen.net (ns1.jnielsen.net [69.55.238.237])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 5E8E343D45
	for <freebsd-ipfw@freebsd.org>; Sun, 24 Jul 2005 17:33:50 +0000 (GMT)
	(envelope-from lists@jnielsen.net)
Received: from stealth.local (pcp09741457pcs.goosck01.sc.comcast.net
	[69.241.83.8]) (authenticated bits=0)
	by ns1.jnielsen.net (8.12.9p2/8.12.9) with ESMTP id j6OHXmMP090360;
	Sun, 24 Jul 2005 10:33:49 -0700 (PDT)
	(envelope-from lists@jnielsen.net)
From: John Nielsen <lists@jnielsen.net>
To: freebsd-ipfw@freebsd.org
Date: Sun, 24 Jul 2005 13:33:25 -0400
User-Agent: KMail/1.8.1
References: <1287099147.20050723221715@spaingsm.com>
	<177514506.20050724002537@spaingsm.com>
	<200507232102.16907.lists@jnielsen.net>
In-Reply-To: <200507232102.16907.lists@jnielsen.net>
MIME-Version: 1.0
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200507241333.25647.lists@jnielsen.net>
X-Virus-Scanned: ClamAV 0.85.1/989/Fri Jul 22 14:27:30 2005 on ns1.jnielsen.net
X-Virus-Status: Clean
Cc: vladone <vladone@spaingsm.com>
Subject: Re: Re[2]: divert to multiple public's IP
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 24 Jul 2005 17:33:52 -0000

On Saturday 23 July 2005 09:02 pm, John Nielsen wrote:
> On Saturday 23 July 2005 05:25 pm, vladone wrote:
> > If I understand correctly with redirect_address I can forward a given
> > public ip (commonly an alias on public interface) to an internal ip
> > (private). I don't know if this is good for what I want.
> > More exactly description for what i want:
> > My private network is: 192.168.0.0/24
> > I have (example) public ip: 1.1.1.1, 1.1.1.6 and 1.1.1.9
> > I want:
> > ip's: 192.168.0.1-20 out(translated) with 1.1.1.1
> > ip's: 192.168.0.21-30 out with 1.1.1.6
> >  and so.
>
> If you wanted a one-to-one mapping between public and private IP's, then
> you could use redirect_address.  For what you describe above, though, the
> best approach may be to run multiple instances of natd and split up the
> traffic with ipfw.
>
> Sample setup--
>
> In /etc/services:
> natd	8668/divert
> natd2	8669/divert
> natd3	8670/divert
>
> In a natd script (I don't think the rc scripts support multiple instances
> of natd):
> natd -a 1.1.1.1 -p natd
> natd -a 1.1.1.6 -p natd2
> natd -a 1.1.1.9 -p natd3
>
> And in an ipfw script:
> add divert natd3 all from 192.168.0.31,192.168.0.32,192.168.0.33 to any \
> 	via ${external_interface}
> add skipto 10000 all from 192.168.0.31,192.168.0.32,192.168.0.33 to any \
> 	via ${external_interface}
> add divert natd2 all from 192.168.0.21,192.168.0.22,192.168.0.23 to any \
> 	via ${external_interface}
> add skipto 10000 all from 192.168.0.21,192.168.0.22,192.168.0.23 to any \
> 	via ${external_interface}
> add divert natd all from any to any via ${external_interface}
> add 10000 allow all from any to any via lo0
> ...
>
> So you'd give a name to each divert port you want to use in /etc/services
> (8668 is already there), run an instance of natd for each external alias,
> and use comma-separated lists of IP addresses and skipto's in ipfw to
> direct the traffic appropriately.  Notice that I made the last one a
> default rather than specifying its addresses explicitly.  Depending on
> your needs you may want to do something similar.

On Sunday 24 July 2005 02:11 am, vladone wrote:
> Thanks John. This is what i want, and work :)
> Thanks again!!!

It occurred to me you may also need rules for the other direction, a la:
add divert natd3 all from any to 1.1.1.9 via ${external_interface}

Can someone correct me if I'm wrong?

JN
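
The multi-natd split discussed in these two messages, written out as an added example; this is not John's script and not anything from the FreeBSD rc scripts. It assumes an external interface named fxp0, numeric divert ports 8668-8670 rather than /etc/services names, and the ipfw2 address-set notation net/mask{list} so that each private range is a single token. It emits the natd command lines and both directions of the ipfw ruleset. The skipto rules match the already-translated public source address, because natd hands a diverted packet back to ipfw at the rule after the divert rule; it also drops, with logging, any private host that no natd instance covers, so an RFC 1918 source never leaves the external interface untranslated.

```shell
#!/bin/sh
# Added example: emit natd command lines and an ipfw ruleset that NATs three
# groups of private hosts behind three public aliases, in both directions.
# Assumptions (not from the thread): external interface fxp0, numeric divert
# ports instead of /etc/services names, ipfw2 address-set syntax for ranges.

EXT_IF=fxp0                 # assumed external interface name
LAN_NET=192.168.0.0/24

# One line per natd instance: divert_port  public_alias  private_hosts
# (private_hosts uses ipfw2 "net/mask{list}", so a range is one token).
NAT_MAP='
8668 1.1.1.1 192.168.0.0/24{1-20}
8669 1.1.1.6 192.168.0.0/24{21-30}
8670 1.1.1.9 192.168.0.0/24{31-40}
'

# natd must be bound to a divert port before a divert rule sends packets
# to it: ipfw drops a diverted packet that has no listening socket.
gen_natd_cmds() {
  printf '%s\n' "$NAT_MAP" | while read -r port pub priv; do
    [ -n "$port" ] || continue
    echo "natd -a $pub -p $port"
  done
}

gen_ipfw_rules() {
  # Inbound: replies addressed to a public alias go to the natd instance
  # that owns that alias, so it can undo its own translation.
  n=1000
  printf '%s\n' "$NAT_MAP" | while read -r port pub priv; do
    [ -n "$port" ] || continue
    echo "add $n divert $port ip from any to $pub in via $EXT_IF"
    n=$((n + 1))
  done
  # Outbound: divert each private group to its natd instance. natd hands
  # the translated packet back at the rule after the divert, where its
  # source is now the public alias; the skipto keys on that translated
  # address so a later divert rule cannot translate the packet again.
  n=2000
  printf '%s\n' "$NAT_MAP" | while read -r port pub priv; do
    [ -n "$port" ] || continue
    echo "add $n divert $port ip from $priv to any out via $EXT_IF"
    echo "add $((n + 1)) skipto 10000 ip from $pub to any out via $EXT_IF"
    n=$((n + 10))
  done
  # Private hosts not listed in NAT_MAP would otherwise leave untranslated
  # with an RFC 1918 source; log and drop them instead of leaking them.
  echo "add 3000 deny log ip from $LAN_NET to any out via $EXT_IF"
  # Placeholder for the rest of the ruleset; the skipto rules land here.
  echo "add 10000 allow ip from any to any"
}

if [ "${1:-}" = "show" ]; then
  gen_natd_cmds
  echo
  gen_ipfw_rules
fi
```

Run it as `sh nat-split.sh show` to see the natd lines and the rules; on the router, start the natd instances first, then write the rule lines to a file and load them with `ipfw -q /path/to/file`, which takes one rule command per line without the `ipfw` prefix. The `deny log` rule is the check worth keeping even if the rest is adapted: without it, a host outside every range is forwarded unchanged, which is both a leak and, from the upstream's point of view, a spoofed source.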

From owner-freebsd-ipfw@FreeBSD.ORG  Mon Jul 25 11:02:12 2005
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
X-Original-To: freebsd-ipfw@freebsd.org
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 90F6616A421
	for <freebsd-ipfw@freebsd.org>; Mon, 25 Jul 2005 11:02:12 +0000 (GMT)
	(envelope-from owner-bugmaster@freebsd.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 616E243D49
	for <freebsd-ipfw@freebsd.org>; Mon, 25 Jul 2005 11:02:12 +0000 (GMT)
	(envelope-from owner-bugmaster@freebsd.org)
Received: from freefall.freebsd.org (peter@localhost [127.0.0.1])
	by freefall.freebsd.org (8.13.3/8.13.3) with ESMTP id j6PB2CkL018402
	for <freebsd-ipfw@freebsd.org>; Mon, 25 Jul 2005 11:02:12 GMT
	(envelope-from owner-bugmaster@freebsd.org)
Received: (from peter@localhost)
	by freefall.freebsd.org (8.13.3/8.13.1/Submit) id j6PB2BJk018396
	for freebsd-ipfw@freebsd.org; Mon, 25 Jul 2005 11:02:11 GMT
	(envelope-from owner-bugmaster@freebsd.org)
Date: Mon, 25 Jul 2005 11:02:11 GMT
Message-Id: <200507251102.j6PB2BJk018396@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: peter set sender to
	owner-bugmaster@freebsd.org using -f
From: FreeBSD bugmaster <bugmaster@freebsd.org>
To: freebsd-ipfw@FreeBSD.org
Cc: 
Subject: Current problem reports assigned to you
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jul 2005 11:02:12 -0000

Current FreeBSD problem reports
Critical problems
Serious problems

S  Submitted   Tracker     Resp.       Description
-------------------------------------------------------------------------------
o [2005/05/11] bin/80913   ipfw        /sbin/ipfw2 silently discards MAC addr ar

1 problem total.

Non-critical problems

S  Submitted   Tracker     Resp.       Description
-------------------------------------------------------------------------------
o [2004/10/29] kern/73276  ipfw        ipfw2 vulnerability (parser error)
o [2005/02/01] kern/76971  ipfw        ipfw antispoof incorrectly blocks broadca
o [2005/05/05] kern/80642  ipfw        [patch] IPFW small patch - new RULE OPTIO
o [2005/06/28] kern/82724  ipfw        [patch] Add setnexthop and defaultroute f

4 problems total.


From owner-freebsd-ipfw@FreeBSD.ORG  Mon Jul 25 11:02:49 2005
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
X-Original-To: ipfw@freebsd.org
Delivered-To: freebsd-ipfw@FreeBSD.ORG
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id F308216A451
	for <ipfw@freebsd.org>; Mon, 25 Jul 2005 11:02:48 +0000 (GMT)
	(envelope-from owner-bugmaster@freebsd.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 68EFB43D45
	for <ipfw@freebsd.org>; Mon, 25 Jul 2005 11:02:48 +0000 (GMT)
	(envelope-from owner-bugmaster@freebsd.org)
Received: from freefall.freebsd.org (localhost [127.0.0.1])
	by freefall.freebsd.org (8.13.3/8.13.3) with ESMTP id j6PB2mRs018948
	for <ipfw@freebsd.org>; Mon, 25 Jul 2005 11:02:48 GMT
	(envelope-from owner-bugmaster@freebsd.org)
Received: (from peter@localhost)
	by freefall.freebsd.org (8.13.3/8.13.1/Submit) id j6PB2lP9018942
	for ipfw@freebsd.org; Mon, 25 Jul 2005 11:02:47 GMT
	(envelope-from owner-bugmaster@freebsd.org)
Date: Mon, 25 Jul 2005 11:02:47 GMT
Message-Id: <200507251102.j6PB2lP9018942@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: peter set sender to
	owner-bugmaster@freebsd.org using -f
From: FreeBSD bugmaster <bugmaster@freebsd.org>
To: ipfw@FreeBSD.org
Cc: 
Subject: Current problem reports assigned to you
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jul 2005 11:02:49 -0000

Current FreeBSD problem reports
Critical problems
Serious problems

S  Submitted   Tracker     Resp.       Description
-------------------------------------------------------------------------------
o [2003/04/22] kern/51274  ipfw        ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341  ipfw        ipfw rule 'deny icmp from any to any icmp
o [2003/12/11] kern/60154  ipfw        ipfw core (crash)
o [2004/03/03] kern/63724  ipfw        IPFW2 Queues dont t work
f [2004/03/25] kern/64694  ipfw        [ipfw] UID/GID matching in ipfw non-funct
o [2004/11/13] kern/73910  ipfw        [ipfw] serious bug on forwarding of packe
o [2004/11/19] kern/74104  ipfw        ipfw2/1 conflict not detected or reported
f [2004/12/25] i386/75483  ipfw        ipfw count does not count

8 problems total.

Non-critical problems

S  Submitted   Tracker     Resp.       Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw        Add an option to ipfw to log gid/uid of w
o [2002/12/10] kern/46159  ipfw        ipfw dynamic rules lifetime feature
o [2003/02/11] kern/48172  ipfw        ipfw does not log size and flags
o [2003/03/10] kern/49086  ipfw        [patch] Make ipfw2 log to different syslo
o [2003/04/09] bin/50749   ipfw        ipfw2 incorrectly parses ports and port r
o [2003/08/26] kern/55984  ipfw        [patch] time based firewalling support fo
o [2003/12/30] kern/60719  ipfw        ipfw:  Headerless fragments generate cryp
o [2004/08/03] kern/69963  ipfw        ipfw: install_state warning about already
o [2004/09/04] kern/71366  ipfw        "ipfw fwd" sometimes rewrites destination

9 problems total.


From owner-freebsd-ipfw@FreeBSD.ORG  Wed Jul 27 04:00:45 2005
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
X-Original-To: freebsd-ipfw@freebsd.org
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id BB0C716A425
	for <freebsd-ipfw@freebsd.org>; Wed, 27 Jul 2005 04:00:45 +0000 (GMT)
	(envelope-from freebsd@wcubed.net)
Received: from mail.datausa.com (mail.datausa.com [216.150.220.134])
	by mx1.FreeBSD.org (Postfix) with SMTP id 4833F43EF1
	for <freebsd-ipfw@freebsd.org>; Wed, 27 Jul 2005 03:40:43 +0000 (GMT)
	(envelope-from freebsd@wcubed.net)
Received: (qmail 91764 invoked from network); 27 Jul 2005 03:32:39 -0000
Received: from web.datausa.com (HELO webmail.wcubed.net) (216.150.220.132)
	by mail.datausa.com with SMTP; 27 Jul 2005 03:32:39 -0000
Received: from 67.176.75.179
	(SquirrelMail authenticated user freebsd@wcubed.net)
	by webmail.wcubed.net with HTTP;
	Tue, 26 Jul 2005 21:40:18 -0600 (MDT)
Message-ID: <3265.67.176.75.179.1122435618.squirrel@webmail.wcubed.net>
Date: Tue, 26 Jul 2005 21:40:18 -0600 (MDT)
From: "Brad Waite" <freebsd@wcubed.net>
To: freebsd-ipfw@freebsd.org
User-Agent: SquirrelMail/1.4.4
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Subject: IPFW + dummynet to lower NNTP traffic priority
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jul 2005 04:00:46 -0000

I've been working on a way to keep my outbound NNTP traffic from
interfering with all other traffic.  After reading the ipfw(8) man page
and several other resources (including Luigi Rizzo's page), I thought I
had it down:

### Outbound
ipfw pipe 1 config bw 0K
ipfw queue 1 config weight 1 pipe 1
ipfw queue 2 config weight 100 pipe 1
ipfw add 1000 queue 1 all from any to any out dst-port 119 via fxp0
ipfw add 1001 queue 2 all from any to any out via fxp0

### Inbound
ipfw pipe 2 config bw 0K
ipfw queue 3 config weight 1 pipe 2
ipfw queue 4 config weight 100 pipe 2
ipfw add 1000 queue 3 all from [NNTP server IP] to any in via fxp0
ipfw add 1001 queue 4 all from any to any in via fxp0

My thinking here is that both queues (in each direction) will share all
available bandwidth, but any traffic heading out on port 119 or returning
from the news server will be superseded by all other traffic.  If there's
no other traffic, NNTP will be able to use all available bandwidth.

It would appear I'm not grasping the concepts.  Can anyone tell me what
I'm doing wrong?

Thanks,

Brad Waite


From owner-freebsd-ipfw@FreeBSD.ORG  Wed Jul 27 09:43:57 2005
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
X-Original-To: freebsd-ipfw@freebsd.org
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id E5D7A16A41F
	for <freebsd-ipfw@freebsd.org>; Wed, 27 Jul 2005 09:43:57 +0000 (GMT)
	(envelope-from rizzo@icir.org)
Received: from xorpc.icir.org (xorpc.icir.org [192.150.187.68])
	by mx1.FreeBSD.org (Postfix) with ESMTP id AA11E43D45
	for <freebsd-ipfw@freebsd.org>; Wed, 27 Jul 2005 09:43:57 +0000 (GMT)
	(envelope-from rizzo@icir.org)
Received: from xorpc.icir.org (localhost [127.0.0.1])
	by xorpc.icir.org (8.12.11/8.12.11) with ESMTP id j6R9hvsf022624;
	Wed, 27 Jul 2005 02:43:57 -0700 (PDT)
	(envelope-from rizzo@xorpc.icir.org)
Received: (from rizzo@localhost)
	by xorpc.icir.org (8.12.11/8.12.3/Submit) id j6R9hvrN022623;
	Wed, 27 Jul 2005 02:43:57 -0700 (PDT) (envelope-from rizzo)
Date: Wed, 27 Jul 2005 02:43:57 -0700
From: Luigi Rizzo <rizzo@icir.org>
To: Brad Waite <freebsd@wcubed.net>
Message-ID: <20050727024357.A22601@xorpc.icir.org>
References: <3265.67.176.75.179.1122435618.squirrel@webmail.wcubed.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <3265.67.176.75.179.1122435618.squirrel@webmail.wcubed.net>;
	from freebsd@wcubed.net on Tue, Jul 26, 2005 at 09:40:18PM -0600
Cc: freebsd-ipfw@freebsd.org
Subject: Re: IPFW + dummynet to lower NNTP traffic priority
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jul 2005 09:43:58 -0000

you must put a non-zero bandwidth on the pipe otherwise there is no
scheduling (0 means infinite bandwidth).
Also these are weights not priorities - even if one of the
queues has a very low weight it will still get some
bandwidth proportional to its weight.

cheers
luigi

On Tue, Jul 26, 2005 at 09:40:18PM -0600, Brad Waite wrote:
> I've been working on a way to keep my outbound NNTP traffic from
> interfering with all other traffic.  After reading the ipfw(8) man page
> and several other resources (including Luigi Rizzo's page), I thought I
> had it down:
> 
> ### Outbound
> ipfw pipe 1 config bw 0K
> ipfw queue 1 config weight 1 pipe 1
> ipfw queue 2 config weight 100 pipe 1
> ipfw add 1000 queue 1 all from any to any out dst-port 119 via fxp0
> ipfw add 1001 queue 2 all from any to any out via fxp0
> 
> ### Inbound
> ipfw pipe 2 config bw 0K
> ipfw queue 3 config weight 1 pipe 2
> ipfw queue 4 config weight 100 pipe 2
> ipfw add 1000 queue 3 all from [NNTP server IP] to any in via fxp0
> ipfw add 1001 queue 4 all from any to any in via fxp0
> 
> My thinking here is that both queues (in each direction) will share all
> available bandwidth, but any traffic heading out on port 119 or returning
> from the news server will be superseded by all other traffic.  If there's
> no other traffic, NNTP will be able to use all available bandwidth.
> 
> It would appear I'm not grasping the concepts.  Can anyone tell me what
> I'm doing wrong?
> 
> Thanks,
> 
> Brad Waite
> 
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG  Wed Jul 27 09:47:56 2005
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
X-Original-To: freebsd-ipfw@freebsd.org
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id B5B5716A41F
	for <freebsd-ipfw@freebsd.org>; Wed, 27 Jul 2005 09:47:56 +0000 (GMT)
	(envelope-from tataz@tataz.chchile.org)
Received: from postfix3-2.free.fr (postfix3-2.free.fr [213.228.0.169])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 310B843D45
	for <freebsd-ipfw@freebsd.org>; Wed, 27 Jul 2005 09:47:56 +0000 (GMT)
	(envelope-from tataz@tataz.chchile.org)
Received: from tatooine.tataz.chchile.org
	(vol75-8-82-233-239-98.fbx.proxad.net [82.233.239.98])
	by postfix3-2.free.fr (Postfix) with ESMTP id 35295C0DA;
	Wed, 27 Jul 2005 11:47:55 +0200 (CEST)
Received: by tatooine.tataz.chchile.org (Postfix, from userid 1000)
	id DEDFD405B; Wed, 27 Jul 2005 11:48:19 +0200 (CEST)
Date: Wed, 27 Jul 2005 11:48:19 +0200
From: Jeremie Le Hen <jeremie@le-hen.org>
To: Brad Waite <freebsd@wcubed.net>
Message-ID: <20050727094819.GR1610@obiwan.tataz.chchile.org>
References: <3265.67.176.75.179.1122435618.squirrel@webmail.wcubed.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <3265.67.176.75.179.1122435618.squirrel@webmail.wcubed.net>
User-Agent: Mutt/1.5.9i
Cc: freebsd-ipfw@freebsd.org
Subject: Re: IPFW + dummynet to lower NNTP traffic priority
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jul 2005 09:47:56 -0000

Hi Brad,

On Tue, Jul 26, 2005 at 09:40:18PM -0600, Brad Waite wrote:
> I've been working on a way to keep my outbound NNTP traffic from
> interfering with all other traffic.  After reading the ipfw(8) man page
> and several other resources (including Luigi Rizzo's page), I thought I
> had it down:
> 
> ### Outbound
> ipfw pipe 1 config bw 0K
> ipfw queue 1 config weight 1 pipe 1
> ipfw queue 2 config weight 100 pipe 1
> ipfw add 1000 queue 1 all from any to any out dst-port 119 via fxp0
> ipfw add 1001 queue 2 all from any to any out via fxp0
> 
> ### Inbound
> ipfw pipe 2 config bw 0K
> ipfw queue 3 config weight 1 pipe 2
> ipfw queue 4 config weight 100 pipe 2
> ipfw add 1000 queue 3 all from [NNTP server IP] to any in via fxp0
> ipfw add 1001 queue 4 all from any to any in via fxp0

The rule numbers are the same for the outbound and inbound paths; this is an
error, I think.  I'm not sure about the behaviour of setting the pipe
bandwidth to 0K (furthermore, "K" is not valid in ipfw syntax, and it's
very picky about this; even the case is important IIRC).

You should also be careful if net.inet.ip.fw.one_pass is set to 0,
you will have to use skipto rules.

I advise you to use (values are fictitious):

ipfw pipe 1 config bw 123KBytes/s
ipfw queue 100 config weight 1 pipe 1
ipfw queue 101 config weight 100 pipe 1
ipfw add 100 queue 100 all from any to any out dst-port 119 via fxp0
ipfw add 101 queue 101 all from any to any out via fxp0

ipfw pipe 2 config bw 321KBytes/s
ipfw queue 200 config weight 1 pipe 2
ipfw queue 201 config weight 100 pipe 2
ipfw add 200 queue 200 all from [NNTP server IP] to any in via fxp0
ipfw add 201 queue 201 all from any to any via fxp0

> My thinking here is that both queues (in each direction) will share all
> available bandwidth, but any traffic heading out on port 119 or returning
> from the news server will be superseded by all other traffic.  If there's
> no other traffic, NNTP will be able to use all available bandwidth.

Note that if you want to use the whole _interface_ bandwidth (100MBits/s),
you can use something like:
ipfw pipe 1 config bw fxp0

> It would appear I'm not grasping the concepts.  Can anyone tell me what
> I'm doing wrong?

Nothing really wrong, except the pipe bandwidth.

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
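
A ruleset along the lines Luigi and Jeremie describe, as an added example that is not code from either of them or from Brad's post. It assumes an external interface fxp0, link rates of 1500Kbit/s up and 6000Kbit/s down, and a constructed news server address 192.0.2.10; all three are placeholders. It reads net.inet.ip.fw.one_pass (falling back to the FreeBSD default of 1) to decide whether skipto rules are needed, because with one_pass=0 a packet leaving a queue re-enters at the next rule, where Brad's catch-all queue rule would queue NNTP a second time, while with one_pass=1 a queued packet is accepted outright and never reaches a later deny rule, so the shaping rules have to sit after the filtering rules. The wf2q_share helper puts a number on Luigi's point that weights are not priorities: the weight-1 queue still gets 1/101 of a saturated link.

```shell
#!/bin/sh
# Added example: WF2Q+ shaping that holds NNTP back only while other traffic
# is present. Assumptions (not from the thread): external interface fxp0,
# the link rates below, news server 192.0.2.10 (constructed address).

EXT_IF=fxp0
UP_BW="1500Kbit/s"      # pipe bandwidth must be non-zero, or nothing is scheduled
DOWN_BW="6000Kbit/s"
NEWS_SERVER=192.0.2.10  # constructed placeholder

# net.inet.ip.fw.one_pass: 1 (the default) accepts a packet as it leaves a
# queue, so it never reaches later rules; 0 reinjects it at the next rule.
# Read the live value on the firewall, otherwise assume the default.
one_pass() {
  sysctl -n net.inet.ip.fw.one_pass 2>/dev/null || echo 1
}

gen_dummynet_rules() {
  op="${1:-$(one_pass)}"
  # Queues share a pipe in proportion to weight while both are backlogged:
  # NNTP gets 1/101 of the link under load and all of it when alone.
  cat <<EOF
pipe 1 config bw $UP_BW
queue 10 config weight 1 pipe 1
queue 11 config weight 100 pipe 1
pipe 2 config bw $DOWN_BW
queue 20 config weight 1 pipe 2
queue 21 config weight 100 pipe 2
EOF
  if [ "$op" -eq 1 ]; then
    # Queued packets are accepted outright: keep these rules after every
    # deny rule, or a shaped packet bypasses the filter entirely.
    cat <<EOF
add 5000 queue 10 tcp from any to any dst-port 119 out via $EXT_IF
add 5001 queue 11 ip from any to any out via $EXT_IF
add 5010 queue 20 tcp from $NEWS_SERVER 119 to any in via $EXT_IF
add 5011 queue 21 ip from any to any in via $EXT_IF
EOF
  else
    # Reinjected packets continue at the next rule: jump past the
    # catch-all queue rule so NNTP is not queued twice.
    cat <<EOF
add 5000 queue 10 tcp from any to any dst-port 119 out via $EXT_IF
add 5001 skipto 6000 tcp from any to any dst-port 119 out via $EXT_IF
add 5002 queue 11 ip from any to any out via $EXT_IF
add 5010 queue 20 tcp from $NEWS_SERVER 119 to any in via $EXT_IF
add 5011 skipto 6000 tcp from $NEWS_SERVER 119 to any in via $EXT_IF
add 5012 queue 21 ip from any to any in via $EXT_IF
add 6000 allow ip from any to any
EOF
  fi
}

# Share of a saturated pipe, in bit/s, that a queue of weight W receives
# when every queue on the pipe (total weight TOTAL) is backlogged.
# Usage: wf2q_share W TOTAL BW_BPS
wf2q_share() {
  echo $(( $1 * $3 / $2 ))
}

if [ "${1:-}" = "show" ]; then
  gen_dummynet_rules
  echo "# NNTP share of a saturated $UP_BW uplink: $(wf2q_share 1 101 1500000) bit/s"
fi
```

`sh nntp-shape.sh show` prints the ruleset for the host's current one_pass setting; `gen_dummynet_rules 0` or `gen_dummynet_rules 1` forces either variant. If NNTP must yield completely rather than keep a small share, WF2Q+ weights are the wrong tool; a separate pipe with a hard bandwidth cap is the closest thing dummynet offers on the versions discussed here.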

From owner-freebsd-ipfw@FreeBSD.ORG  Thu Jul 28 16:59:48 2005
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
X-Original-To: freebsd-ipfw@FreeBSD.ORG
Delivered-To: freebsd-ipfw@FreeBSD.ORG
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id CA6AF16A41F
	for <freebsd-ipfw@FreeBSD.ORG>; Thu, 28 Jul 2005 16:59:48 +0000 (GMT)
	(envelope-from olli@lurza.secnetix.de)
Received: from lurza.secnetix.de (lurza.secnetix.de [83.120.8.8])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 0F5B943D48
	for <freebsd-ipfw@FreeBSD.ORG>; Thu, 28 Jul 2005 16:59:47 +0000 (GMT)
	(envelope-from olli@lurza.secnetix.de)
Received: from lurza.secnetix.de (ajchob@localhost [127.0.0.1])
	by lurza.secnetix.de (8.13.1/8.13.1) with ESMTP id j6SGxkJo059614
	for <freebsd-ipfw@FreeBSD.ORG>; Thu, 28 Jul 2005 18:59:46 +0200 (CEST)
	(envelope-from oliver.fromme@secnetix.de)
Received: (from olli@localhost)
	by lurza.secnetix.de (8.13.1/8.13.1/Submit) id j6SGxkXx059613;
	Thu, 28 Jul 2005 18:59:46 +0200 (CEST) (envelope-from olli)
Date: Thu, 28 Jul 2005 18:59:46 +0200 (CEST)
Message-Id: <200507281659.j6SGxkXx059613@lurza.secnetix.de>
From: Oliver Fromme <olli@lurza.secnetix.de>
To: freebsd-ipfw@FreeBSD.ORG
X-Newsgroups: list.freebsd-ipfw
User-Agent: tin/1.5.4-20000523 ("1959") (UNIX) (FreeBSD/4.11-RELEASE (i386))
Cc: 
Subject: Another bug in IPFW@ ...?
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: freebsd-ipfw@FreeBSD.ORG
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2005 16:59:48 -0000

Hi,

I have created an IPFW2 rule set on a router (no NAT).
In one of the rules I wanted to pass packets originating
from the local host (i.e. non-routed) out through a
specific interface, i.e. packets that have _not_ been
received on some interface.

The manual page ipfw(8) says that "recv any" matches
all packets received on some interface, so the logical
conclusion is that "not recv any" would match packets
originating from the host.  However, this clause is
ignored completely:

# ipfw add pass ip from $A to $N out not recv any xmit xl0
00900 allow ip from $A to $N out xmit xl0

As you can see, the "not recv any" is ignored.  It doesn't
show up in subsequent "ipfw list" output either.

Is this a bug in ipfw?  Or is the documentation inaccurate?
How do I match packets like this that originate from the
local host, i.e. that don't have a receive interface?
(Note that the source IP might be spoofed, so only checking
the source IP is not a solution.)

Best regards
   Oliver

PS:  This is probably not important, but anyway:

$A is the local IP address of the xl0 interface, and $N
is the network connected to that interface, excluding $A.
For example:

$A = 101.102.103.1
$N = 101.102.103.0/27{2-30}

PPS:  I read the mailing list, so please do not Cc me.

-- 
Oliver Fromme,  secnetix GmbH & Co KG, Marktplatz 29, 85567 Grafing
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"anyone new to programming should be kept as far from C++ as
possible;  actually showing the stuff should be considered a
criminal offence" -- Jacek Generowicz

From owner-freebsd-ipfw@FreeBSD.ORG  Sat Jul 30 00:52:06 2005
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
X-Original-To: ipfw@hub.freebsd.org
Delivered-To: freebsd-ipfw@FreeBSD.ORG
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 8A91116A420;
	Sat, 30 Jul 2005 00:52:06 +0000 (GMT)
	(envelope-from kris@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 4520843D45;
	Sat, 30 Jul 2005 00:52:06 +0000 (GMT)
	(envelope-from kris@FreeBSD.org)
Received: from freefall.freebsd.org (kris@localhost [127.0.0.1])
	by freefall.freebsd.org (8.13.3/8.13.3) with ESMTP id j6U0q5II094117;
	Sat, 30 Jul 2005 00:52:05 GMT
	(envelope-from kris@freefall.freebsd.org)
Received: (from kris@localhost)
	by freefall.freebsd.org (8.13.3/8.13.1/Submit) id j6U0q5jX094113;
	Sat, 30 Jul 2005 00:52:05 GMT (envelope-from kris)
Date: Sat, 30 Jul 2005 00:52:05 GMT
From: Kris Kennaway <kris@FreeBSD.org>
Message-Id: <200507300052.j6U0q5jX094113@freefall.freebsd.org>
To: co0lkizz@btinternet.com, kris@FreeBSD.org, ipfw@FreeBSD.org
Cc: 
Subject: Re: kern/64694: [ipfw] UID/GID matching in ipfw non-functional
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 30 Jul 2005 00:52:06 -0000

Synopsis: [ipfw] UID/GID matching in ipfw non-functional

State-Changed-From-To: feedback->closed
State-Changed-By: kris
State-Changed-When: Sat Jul 30 00:51:58 GMT 2005
State-Changed-Why: 
Feedback timeout

http://www.freebsd.org/cgi/query-pr.cgi?pr=64694