From: Kristof Provost
To: Paul Webster
Cc: mike tancsa, freebsd-pf@freebsd.org
Subject: Re: pf and dummynet
Date: Mon, 29 Jul 2019 19:51:34 +0200
Message-ID: <20190729175134.GE10541@vega.codepro.be>
In-Reply-To: <5d3f305f.1c69fb81.90047.531f@mx.google.com>
List-Id: "Technical discussion and general questions about packet filter (pf)" (freebsd-pf@freebsd.org)
On 2019-07-29 18:44:00 (+0100), Paul Webster via freebsd-pf wrote:
> Sent from Mail for Windows 10
>
> From: mike tancsa
> Sent: 29 July 2019 17:06
> To: freebsd-pf@freebsd.org
> Subject: pf and dummynet
>
> I have a box on which I need to shape inbound and outbound traffic. It seems altq
> can only shape outbound packets and not limit inbound? If that's the
> case, what is the current state of mixing ipfw, dummynet and pf?
> Writing large complex firewall rules works better from a readability POV
> (for us anyways) so I really prefer to use it. But I need to prevent zfs
> replication eating up BW over some WAN links, and dummynet seems to
> "just work".
>
> For ipfw I have
>
> 00010 6640359 9959147882 pipe 1 tcp from 192.168.128.0/20 to any
> 01000 3486901  228480912 allow ip from any to any
>
> and then checking my pf.conf rules, it seems to block and pass traffic
> as expected.
>
> Is there anything I should explicitly check?
>
> You can mix ipfw and pf, but beware of the order they are loaded (the
> first one loaded is inside the second one loaded) – it may be better
> in fact to compile them both in the kernel.
>
> You basically end up with: (pf)(ipfw)(system)(ipfw)(pf) – assuming pf
> was loaded first.

Also beware of gotchas with things like IPv6 fragment handling or route-to.

I do not consider mixing firewalls to be a supported configuration. If it
breaks you get to keep the pieces.

Regards,
Kristof
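A worked example, added here and not part of the thread or of any poster's configuration: a script that emits an ipfw/dummynet ruleset shaping the replication traffic in both directions (the inbound case is the one altq cannot cover) and a check, run over `ipfw -a list` output, that the pipe rules actually match packets. The subnet 192.168.128.0/20 is taken from mike's rule; the interface name em0, the 20 Mbit/s cap, rule numbers 10/20/1000 and the 00020 line in the sample listing are assumptions for illustration only.

```shell
#!/bin/sh
# Added example, not from the thread. Emits an ipfw/dummynet ruleset that
# shapes replication traffic in both directions (inbound shaping is the case
# altq cannot cover) and checks, from `ipfw -a list` output, that the pipe
# rules actually see packets.
#
# Assumptions (not in the original post): the replication subnet is
# 192.168.128.0/20 as in mike's rule, the WAN interface is em0, the cap is
# 20 Mbit/s, and rule numbers 10/20/1000 are free.

SUBNET="${SUBNET:-192.168.128.0/20}"
WAN_IF="${WAN_IF:-em0}"
BW="${BW:-20Mbit/s}"

# Print the ipfw commands; nothing is executed here. Review the output, then
# run it as root (or point firewall_script in rc.conf at a file holding it).
render_rules() {
    cat <<EOF
ipfw -q -f flush
ipfw -q pipe flush
# dummynet pipes are one-way queues, so one pipe per direction
ipfw -q pipe 1 config bw $BW
ipfw -q pipe 2 config bw $BW
# outbound replication from the subnet
ipfw -q add 00010 pipe 1 tcp from $SUBNET to any out via $WAN_IF
# inbound replication towards the subnet
ipfw -q add 00020 pipe 2 tcp from any to $SUBNET in via $WAN_IF
# ipfw only shapes; filtering stays in pf
ipfw -q add 01000 allow ip from any to any
EOF
}

# Read `ipfw -a list` on stdin. Its columns are: rule number, packet count,
# byte count, action, ...; print "<rule> <packets>" for every pipe rule.
pipe_counters() {
    awk '$4 == "pipe" { print $1, $2 }'
}

# Read `ipfw -a list` on stdin and print the numbers of pipe rules whose
# packet counter is still zero. Such a rule never matches, typically because
# the direction keyword is wrong or the other firewall drops the traffic
# before ipfw ever sees it.
idle_pipe_rules() {
    pipe_counters | awk '$2 == 0 { print $1 }'
}

# Constructed sample of `ipfw -a list` output. The first and last lines are
# the counters mike posted; the 00020 line is made up to show an idle pipe.
SAMPLE_LIST='00010 6640359 9959147882 pipe 1 tcp from 192.168.128.0/20 to any
00020 0 0 pipe 2 tcp from any to 192.168.128.0/20 in via em0
01000 3486901 228480912 allow ip from any to any'

# On the live box: ipfw -a list | idle_pipe_rules
main() {
    echo "# generated ruleset"
    render_rules
    echo "# pipe rules with a zero packet counter in the sample listing:"
    printf '%s\n' "$SAMPLE_LIST" | idle_pipe_rules
}

main "$@"
```

Two things worth checking on the real box before trusting the counters: dummynet has to be present (`kldload dummynet`, or compiled into the kernel alongside ipfw and pf as Paul suggests), and the default `net.inet.ip.fw.one_pass=1` means a packet that has been through a pipe is accepted by ipfw right after the pipe rule rather than continuing to rule 01000; set it to 0 if you want the packet to re-enter the ipfw ruleset after shaping. Run the idle-pipe check once before and once after a replication burst: a pipe rule whose counter stays at zero is not shaping anything, whatever pf reports.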