Date: Wed, 30 Nov 2011 14:45:59 +0400
From: Emil Muratov <gpm@hotplug.ru>
To: Marek Salwerowicz <marek_sal@wp.pl>
Cc: freebsd-net@freebsd.org, Freddie Cash <fjwcash@gmail.com>
Subject: Re: ipfw - accessing DMZ from LAN , pipes
Message-ID: <4ED60967.2000201@hotplug.ru>
In-Reply-To: <4ED40CF7.2040005@wp.pl>
References: <4E412116.1070305@wp.pl>
 <CAOjFWZ4B3uUfOLAzL=B1WY98rqi6X32j7FM61VjJ3td76NkADg@mail.gmail.com>
 <4E422A74.3090601@wp.pl>
 <CAOjFWZ5CK62nQMA8JsfW1b4BQh3hAJbAAynortzaUBqSWBwdSQ@mail.gmail.com>
 <4E7B450F.5050802@wp.pl>
 <CAOjFWZ6wf9NnVeffUV4uA6h1t-1T8juxXycZbM7+GgpFC-HkUg@mail.gmail.com>
 <4E84B447.7010509@wp.pl>
 <CAOjFWZ4XOU2dT3+L6AJeUNO7QcC=0ymLXN3GMkzCuoB3a1Qyew@mail.gmail.com>
 <4E84DE26.6030103@misal.pl>
 <4E85D8CB.6010104@wp.pl>
 <CAOjFWZ6xZ5bDcm6aAVvwz47rmYLEqSyKO5Bzg3aQPHS-o98w_w@mail.gmail.com>
 <4E876705.3040806@wp.pl>
 <CAOjFWZ7LV3z=22mPLXw-T0W6dJCfVVZ9Q+d+Kxg1VFdM51eLww@mail.gmail.com>
 <4ED40CF7.2040005@wp.pl>
On 29.11.2011 02:36, Marek Salwerowicz wrote:
> Hello after a longer break ;)
>
> On 2011-10-01 22:02, Freddie Cash wrote:
>>
>> However, you could setup split-DNS or views and just configure everything to
>> connect using hostnames. It's extra work to setup, but does make things
>> easier down-the-road.
>
> I've set up the DNS with views and for a month everything has been
> working perfectly (I set up the firewall on a small net5501 Soekris box)
> - thanks a lot for your help!
>
> I am confused about one thing - I wanted to set up pipes for my DMZ
> hosts (not to allow my hosts to consume all the bandwidth).
> When I set up the pipes at the beginning of my firewall (before
> configuring the NAT) - all traffic is blocked.
> When I set up the pipes at the end of the firewall - they don't work (even
> 'ipfw show' shows no packets coming through the 'pipe' rules).
>

This happens because the pipe directive "permits" the packet by default, so it
never reaches the nat rule afterwards.

I would recommend the following approach: first take a look at what the sysctl
net.inet.ip.fw.one_pass=0 does. The default value of 1 makes rules like pipe,
nat or netgraph behave as accept once the packet is returned from the pipe. If
this variable is set to 0, then a packet returned from the pipe continues
processing from the next rule after the one it was returned from.

So with nat, for outgoing traffic it would be nice to pipe it before nat changes
the source addresses, and conversely for incoming traffic to pipe it only after
nat de-aliases the destination address. With this approach you will be able to
classify your packets by their real, unmasked addresses and build more flexible
shaping rules. For example, this config will allow you to distribute the
available bandwidth of the pipe evenly among all your DMZ hosts and not let one
aggressive host hog it all.

  # net.inet.ip.fw.one_pass=0 must be in effect before these rules see traffic;
  # $ipfw, $dmz_subnet, $if_wan and $natip are variables set earlier in the
  # firewall script, and nat instance 100 is assumed to be configured already.
  sysctl net.inet.ip.fw.one_pass=0
  # one 5 Mbit/s pipe with a 50-slot queue
  $ipfw pipe 100 config bw 5Mbit/s queue 50
  # one dynamic queue per source address, all sharing pipe 100
  $ipfw queue 200 config pipe 100 mask src-ip 0xffffffff
  # classify on the real DMZ source address first ...
  $ipfw add queue 200 ip from $dmz_subnet to any out xmit $if_wan
  # ... then translate, then pass the translated packet
  $ipfw add nat 100 ip from $dmz_subnet to any out xmit $if_wan
  $ipfw add allow ip from $natip to any out xmit $if_wan

> Where should the pipe rules be placed?
> Does it matter if I do first 'ipfw add pipe 1...' and then 'ipfw pipe
> 1 config...'?
>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4ED60967.2000201>
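The ordering Emil describes, carried through for both directions, as an added example that is not code from the thread or from the FreeBSD project. The sysctl and the outbound rules follow his reply; the inbound half (nat first, then a queue keyed on the real DMZ destination), the second pipe, the nat instance configuration, the rule numbers, and the subnet, interface and address values are all assumptions chosen for illustration. With IPFW and SYSCTL unset the script only prints the commands it would run, so the rule order can be reviewed on any host; set IPFW=/sbin/ipfw SYSCTL=/sbin/sysctl on the firewall to apply them.

```shell
#!/bin/sh
# Added example (not from the thread): ipfw shaping for DMZ hosts behind nat,
# with the queue placed so it always sees the real (untranslated) DMZ address.
#   outbound: queue (real src) -> nat -> allow translated packet
#   inbound:  nat (real dst restored) -> queue -> DMZ access policy
# Subnet, interface, NAT address and rule numbers are placeholders.

ipfw=${IPFW:-"echo ipfw"}
sysctl=${SYSCTL:-"echo sysctl"}
dmz_subnet=${DMZ_SUBNET:-10.10.10.0/24}   # placeholder
if_wan=${IF_WAN:-vr0}                     # placeholder
natip=${NATIP:-203.0.113.10}              # placeholder (TEST-NET-3)

dmz_shaping_rules() {
    # Without this, a packet returned from a queue/pipe/nat rule is accepted
    # on the spot and never reaches the nat or allow rules that follow.
    $sysctl net.inet.ip.fw.one_pass=0

    # nat instance used by both directions (assumed, not shown in the thread).
    $ipfw nat 100 config ip "$natip"

    # One pipe per direction. Each queue creates one dynamic sub-queue per
    # DMZ host (the 0xffffffff mask keys on the full address), so the pipe's
    # bandwidth is shared among hosts instead of being hogged by one.
    $ipfw pipe 100 config bw 5Mbit/s queue 50
    $ipfw pipe 101 config bw 5Mbit/s queue 50
    $ipfw queue 200 config pipe 100 mask src-ip 0xffffffff   # upload, by real src
    $ipfw queue 201 config pipe 101 mask dst-ip 0xffffffff   # download, by real dst

    # Outbound: classify before nat rewrites the source to $natip.
    $ipfw add 1000 queue 200 ip from "$dmz_subnet" to any out xmit "$if_wan"
    $ipfw add 1010 nat 100 ip from "$dmz_subnet" to any out xmit "$if_wan"
    $ipfw add 1020 allow ip from "$natip" to any out xmit "$if_wan"

    # Inbound: de-alias first so the queue sees the real DMZ destination.
    $ipfw add 2000 nat 100 ip from any to "$natip" in recv "$if_wan"
    $ipfw add 2010 queue 201 ip from any to "$dmz_subnet" in recv "$if_wan"
    # Placeholders for the site's real DMZ policy: published services plus
    # replies to connections the DMZ hosts opened themselves.
    $ipfw add 2020 allow tcp from any to "$dmz_subnet" 80,443 in recv "$if_wan"
    $ipfw add 2030 allow tcp from any to "$dmz_subnet" in recv "$if_wan" established
}

dmz_shaping_rules
```

Two caveats worth checking before applying this: one_pass=0 changes the behaviour of every pipe, queue, nat and netgraph rule in the ruleset, so any existing rule that relied on the implicit accept after a pipe now needs an explicit allow after it, and the setting should go into /etc/sysctl.conf so it survives a reboot and is in place before the firewall script runs.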