From owner-freebsd-net@FreeBSD.ORG Wed Nov 30 10:47:33 2011
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 5506D106566B for ; Wed, 30 Nov 2011 10:47:33 +0000 (UTC) (envelope-from gpm@hotplug.ru)
Received: from gate.pikinvest.ru (gate.pikinvest.ru [87.245.155.170]) by mx1.freebsd.org (Postfix) with ESMTP id 012E48FC08 for ; Wed, 30 Nov 2011 10:47:32 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by mailgate.pik.ru (Postfix) with ESMTP id DDB021C0880; Wed, 30 Nov 2011 14:47:31 +0400 (MSK)
Received: from EX21PIK.PICompany.ru (unknown [192.168.156.131]) by mailgate.pik.ru (Postfix) with ESMTP id D92DB1C087B; Wed, 30 Nov 2011 14:47:31 +0400 (MSK)
Received: from [192.168.148.9] (192.168.148.9) by EX21PIK.PICompany.ru (192.168.156.131) with Microsoft SMTP Server id 14.1.218.12; Wed, 30 Nov 2011 14:46:31 +0400
Message-ID: <4ED60967.2000201@hotplug.ru>
Date: Wed, 30 Nov 2011 14:45:59 +0400
From: Emil Muratov
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.23) Gecko/20110922 Thunderbird/3.1.15
MIME-Version: 1.0
To: Marek Salwerowicz
References: <4E412116.1070305@wp.pl> <4E422A74.3090601@wp.pl> <4E7B450F.5050802@wp.pl> <4E84B447.7010509@wp.pl> <4E84DE26.6030103@misal.pl> <4E85D8CB.6010104@wp.pl> <4E876705.3040806@wp.pl> <4ED40CF7.2040005@wp.pl>
In-Reply-To: <4ED40CF7.2040005@wp.pl>
Content-Type: text/plain; charset="UTF-8"; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-net@freebsd.org, Freddie Cash
Subject: Re: ipfw - accessing DMZ from LAN , pipes
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Wed, 30 Nov 2011 10:47:33 -0000

On 29.11.2011 02:36, Marek Salwerowicz wrote:
> Hello after a longer break ;)
>
> On 2011-10-01 22:02, Freddie Cash wrote:
>>
>> However, you could set up split-DNS or views and just configure
>> everything to connect using hostnames. It's extra work to set up, but
>> it does make things easier down the road.
> I've set up the DNS with views and for a month everything has been
> working perfectly (I set up the firewall on a small net5501 Soekris box)
> - thanks a lot for your help!
>
> I am confused about one thing - I wanted to set up pipes for my DMZ
> hosts (so as not to allow my hosts to consume all the bandwidth).
> When I set up the pipes at the beginning of my firewall (before
> configuring the NAT) - all traffic is blocked.
> When I set up the pipes at the end of the firewall - they don't work (even
> 'ipfw show' shows no packets coming through the 'pipe' rules).
>

This happens because the pipe directive "permits" the packet by default, so it never reaches the nat rule afterward.

I would recommend the following approach: first, take a look at what the sysctl net.inet.ip.fw.one_pass=0 does. The default value of 1 makes rules like pipe, nat or netgraph behave as accept once the packet is returned from the pipe. If this variable is set to 0, then a packet returned from the pipe continues processing from the next rule after the one it was returned from. So with NAT, for outgoing traffic it would be nice to pipe it before nat changes the src addresses, and conversely for incoming traffic pipe it only after nat de-aliases the dst address. With this approach you will be able to classify your packets by their real, unmasked addresses and build more flexible shaping rules.

For example, this config will let you distribute the available bandwidth of the pipe evenly among all your DMZ hosts, rather than letting one aggressive host hog it all.
sysctl net.inet.ip.fw.one_pass=0
# one shared pipe, and one dynamic queue per DMZ source address
$ipfw pipe 100 config bw 5Mbit/s queue 50
$ipfw queue 200 config pipe 100 mask src-ip 0xffffffff
# queue on the real (pre-NAT) source, then translate, then allow the translated packet out
$ipfw add queue 200 ip from $dmz_subnet to any out xmit $if_wan
$ipfw add nat 100 ip from $dmz_subnet to any out xmit $if_wan
$ipfw add allow ip from $natip to any out xmit $if_wan

> Where should the pipe rules be placed?
> Does it matter if I first do 'ipfw add pipe 1...' and then 'ipfw pipe
> 1 config...'?
>
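As an added example (this is not code from Emil's message or from FreeBSD's rc.firewall), the script below applies the ordering described above in both directions: outbound packets are queued on their real source address before nat, inbound packets are queued on their real destination address after nat, and every path ends in an explicit allow because one_pass=0 removes the implicit accept. The interface name em0, the DMZ subnet 10.0.2.0/24, the public address 192.0.2.10, the rule numbers and the second queue (201, masked on dst-ip) are all assumptions; DRY_RUN=1 prints the commands instead of running them so the ordering can be reviewed on a machine without ipfw.

```shell
#!/bin/sh
# Added example, not code from the thread. Interface, subnet and NAT address
# below are assumptions; override them from the environment if needed.
set -eu

if_wan="${if_wan:-em0}"                  # assumed WAN interface
dmz_subnet="${dmz_subnet:-10.0.2.0/24}"  # assumed DMZ subnet (real, pre-NAT addresses)
natip="${natip:-192.0.2.10}"             # assumed public address used by nat 100
fwcmd="${fwcmd:-ipfw -q}"

# With DRY_RUN=1 the commands are printed instead of executed, so the rule
# ordering can be reviewed (or tested) on a box without ipfw.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

build_ruleset() {
    # Packets coming back from dummynet (or nat) continue at the next rule
    # instead of being accepted outright. This is global: every pipe/queue/nat
    # rule in the ruleset now needs an explicit allow further down.
    run sysctl net.inet.ip.fw.one_pass=0

    # One 5 Mbit/s pipe for the DMZ, with one queue per direction.
    run $fwcmd pipe 100 config bw 5Mbit/s queue 50
    # Outbound: a dynamic queue per real DMZ source address (seen before NAT).
    run $fwcmd queue 200 config pipe 100 mask src-ip 0xffffffff
    # Inbound: a dynamic queue per real DMZ destination address (seen after NAT).
    run $fwcmd queue 201 config pipe 100 mask dst-ip 0xffffffff

    run $fwcmd nat 100 config ip "$natip"

    # Inbound on WAN: de-alias first, then classify on the restored destination.
    # Later rules (not shown) still decide what the DMZ is allowed to receive.
    run $fwcmd add 1000 nat 100 ip from any to "$natip" in recv "$if_wan"
    run $fwcmd add 1010 queue 201 ip from any to "$dmz_subnet" in recv "$if_wan"

    # Outbound on WAN: classify on the real source first, then translate,
    # then explicitly allow the translated packet out.
    run $fwcmd add 2000 queue 200 ip from "$dmz_subnet" to any out xmit "$if_wan"
    run $fwcmd add 2010 nat 100 ip from "$dmz_subnet" to any out xmit "$if_wan"
    run $fwcmd add 2020 allow ip from "$natip" to any out xmit "$if_wan"
}

# Rule numbers of the outbound queue rule and the outbound nat rule, taken from
# a dry run; the ruleset is only correct if the first number is the smaller one.
outbound_order() {
    rules=$(DRY_RUN=1 build_ruleset)
    q=$(printf '%s\n' "$rules" | sed -n 's/.* add \([0-9][0-9]*\) queue 200 .*/\1/p')
    n=$(printf '%s\n' "$rules" | sed -n 's/.* add \([0-9][0-9]*\) nat 100 .*out xmit.*/\1/p')
    echo "$q $n"
}

# Usage: "sh dmz-shape.sh dry" to review the commands, "sh dmz-shape.sh apply" to load them.
case "${1:-}" in
    dry)   DRY_RUN=1 build_ruleset ;;
    apply) build_ruleset ;;
esac
```

Two things to keep in mind when adapting this: one_pass=0 changes the behaviour of every existing pipe, queue, nat and netgraph rule in the ruleset, so each of them needs an allow (or a later matching rule) after it, otherwise traffic that used to pass silently will fall through to whatever follows; and the inbound nat rule matches only packets addressed to the public address, so other WAN-side traffic is untouched by these rules and still reaches the rest of the policy.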