Date: Mon, 26 May 2014 05:20:01 GMT From: venture37 <venture37@geeklan.co.uk> To: freebsd-doc@FreeBSD.org Subject: Re: docs/116588: No IPFW tables or dummynet in Handbook Message-ID: <201405260520.s4Q5K1jY078412@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
The following reply was made to PR docs/116588; it has been noted by GNATS.
From: venture37 <venture37@geeklan.co.uk>
To: bug-followup@FreeBSD.org, cristi@net.utcluj.ro
Cc:
Subject: Re: docs/116588: No IPFW tables or dummynet in Handbook
Date: Mon, 26 May 2014 06:11:45 +0100
This is a multi-part message in MIME format.
--------------080201090104010609090803
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Attached is an updated diff which adds instructions for dummynet &
utilising tables alongside adjustments highlighted by igor.
One issue which I was unable to fix was
450:bad tag indent: <para>By default, <application>PF</application>
reads its
--------------080201090104010609090803
Content-Type: text/plain; charset=UTF-8;
name="ipfw.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
filename="ipfw.txt"
Index: en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
===================================================================
--- en_US.ISO8859-1/books/handbook/firewalls/chapter.xml (revision 44952)
+++ en_US.ISO8859-1/books/handbook/firewalls/chapter.xml (working copy)
@@ -398,7 +398,7 @@
<!--
This is no longer true as of 9.x. It also references the CARP section
-which doesn't explain how to use it...At some point it should.
+which does not explain how to use it...At some point it should.
<indexterm>
<primary>kernel options</primary>
<secondary>device pf</secondary>
@@ -447,18 +447,17 @@
</note>
-->
- <para>By default, <application>PF</application> reads its
- configuration rules from <filename>/etc/pf.conf</filename> and
- modifies, drops, or passes packets according to the rules or
- definitions specified in this file. The &os; installation
- includes several sample files located in
- <filename>/usr/share/examples/pf/</filename>. Refer to the
- <link xlink:href="http://www.openbsd.org/faq/pf/">PF
- FAQ</link> for complete coverage
- of <application>PF</application> rulesets.</para>
+<para>By default, <application>PF</application> reads its
+ configuration rules from <filename>/etc/pf.conf</filename> and
+ modifies, drops, or passes packets according to the rules or
+ definitions specified in this file. The &os; installation includes
+ several sample files located in
+ <filename>/usr/share/examples/pf/</filename>. Refer to the <link
+ xlink:href="http://www.openbsd.org/faq/pf/">PF FAQ</link> for
+ complete coverage of <application>PF</application> rulesets.</para>
- <para>To control <application>PF</application>, use
- <command>pfctl</command>. <xref linkend="pfctl"/> summarizes
+<para>To control <application>PF</application>, use
+ <command>pfctl</command>. <xref linkend="pfctl"/> summarizes
some useful options to this command. Refer to &man.pfctl.8;
for a description of all available options:</para>
@@ -1702,8 +1701,9 @@
firewall rules.</para>
</listitem>
<listitem>
- <para><filename><replaceable>filename</replaceable></filename>: full path of the file
- containing the firewall ruleset.</para>
+ <para><filename><replaceable>filename</replaceable></filename>:
+ full path of the file containing the firewall
+ ruleset.</para>
</listitem>
</itemizedlist>
@@ -2312,7 +2312,7 @@
<para>On the inbound side, the ruleset has to deny bad packets
and allow only authorized services. A packet which matches an
inbound rule is posted to the dynamic state table and the
- packet is released to the <acronym>LAN</acronym>. The packet
+ packet is released to the <acronym>LAN</acronym>. The packet
generated as a response is recognized by the
<literal>check-state</literal> rule as belonging to an
existing session. It is then sent to rule
@@ -2614,12 +2614,192 @@
&prompt.root; <userinput>ipfw -q add 00611 allow udp from any to 192.0.2.11 53 out via tun0 keep-state</userinput></screen>
</sect3>
</sect2>
- </sect1>
- <sect1 xml:id="firewalls-ipf">
- <title>IPFILTER (IPF)</title>
+ <sect2 xml:id="firewalls-ipfw-dummynet">
+ <title>Using Dummynet</title>
- <indexterm>
+ <para>&man.dummynet.4; is a traffic shaper, bandwidth manager
+ and delay emulator which may be used to simulate different
+ types of physical links. It can also be "misused"
+ as a traffic shaper.</para>
+
+ <para>&man.dummynet.4; offers two objects. Pipes are an
+ abstraction of a given link, having a certain bandwidth, delay
+ and loss. Queues are an abstraction used to implement
+ weighted fair queuing. In practice, pipes can be used to set
+ hard limits to the bandwidth that a flow can use, wheres
+ queues can be used to determine how different flows share that
+ bandwidth.</para>
+
+ <para>To ensure that &man.dummynet.4; is loaded at boot time add
+ the following line to
+ <filename>/boot/loader.conf</filename>:</para>
+
+ <programlisting>dummynet_load="YES"</programlisting>
+
+ <para>Please note that in order for &man.dummynet.4; to work
+ correctly, it is highly recommended to increase the system
+ clock tick rate. This can be accomplished by adding the
+ following option to kernel configuration files.</para>
+
+ <programlisting>options HZ=1000</programlisting>
+
+ <para>Use the following command to configure a pipe which has
+ 4Kbps and a 100ms delay:</para>
+
+ <screen>&prompt.root; <userinput>ipfw pipe 10 config bw 4Kbit/s delay 100</userinput></screen>
+
+ <para>To use this pipe, i.e have some traffic go through it,
+ use the following command:</para>
+
+ <screen>&prompt.root; <userinput>ipfw -q add pipe 10 all from 10.0.0.0/24 to any</userinput></screen>
+
+ <para>Please note that to properly limit users, one should
+ create separate pipes for upload and download.</para>
+
+ <para>Using the above pipe configuration, all LAN users compete
+ for the same bandwidth. If you would like to assign each of
+ them 4Kbps upload and download, you may create dynamic pipes
+ based on the source IP (for uplink) or destination IP (for
+ downlink):</para>
+
+ <screen>&prompt.root; <userinput>ipfw pipe 10 config bw 4Kbit/s src-ip 0xffffffff</userinput>
+&prompt.root; <userinput>ipfw pipe 11 config bw 4Kbit/s dst-ip 0xffffffff</userinput>
+&prompt.root; <userinput>ipfw -q add pipe 10 all from any to any recv $if_lan</userinput>
+&prompt.root; <userinput>ipfw -q add pipe 11 all from any to any xmit $if_lan</userinput></screen>
+ </sect2>
+
+ <sect2 xml:id="firewalls-ipfw-tables">
+ <title>Using Tables</title>
+
+ <para>Tables are a way of referring to multiple IP addresses
+ using a single identifier. They are useful in the following
+ situations:</para>
+
+ <itemizedlist>
+ <listitem>
+ <para>you must apply the same rule to a lot of IP
+ addresses (table lookups are fast)</para>
+ </listitem>
+ <listitem>
+ <para>you must apply a lot of rules to some IP addresses
+ (use tables to add / remove IP addresses from a single
+ location in the ruleset)</para>
+ </listitem>
+ </itemizedlist>
+
+ <para>IP addresses stored in a table may also have an optional
+ 32-bit unsigned value assigned to them. A rule may be written
+ in such a way that it will only match if the IP found in
+ a table has been assigned a specific value.</para>
+
+ <para>These are the commands used to manipulate tables from the
+ shell:</para>
+
+ <para>Clear all IP addresses from a table:</para>
+
+ <screen>&prompt.root; <userinput>ipfw table 10 flush</userinput></screen>
+
+ <para>Add a single IP address to a table:</para>
+
+ <screen>&prompt.root; <userinput>ipfw table 10 add 172.27.0.1</userinput></screen>
+
+ <para>Add a CIDR network to a table:</para>
+
+ <screen>&prompt.root; <userinput>ipfw table 10 add 192.168.0.0/24</userinput></screen>
+
+ <para>Add a CIDR network to a table and also assign a value to
+ it:</para>
+
+ <screen>&prompt.root; <userinput>ipfw table 10 add 192.168.0.0/24 100</userinput></screen>
+
+ <para>List the contents of a table:</para>
+
+ <screen>&prompt.root; <userinput>ipfw table 10 list</userinput></screen>
+
+ <para>To use the table in a firewall rule:</para>
+
+ <screen>&prompt.root; <userinput>ipfw -q add allow tcp from "table(10)" to any</userinput></screen>
+
+ <para>Or, to use the table and the value in a firewall
+ rule:</para>
+
+ <screen>&prompt.root; <userinput>ipfw -q add allow tcp from "table(10,100)" to any</userinput></screen>
+
+ <para>The following listing is an example of how one could use
+ tables in a ruleset:</para>
+
+ <programlisting>#!/bin/sh
+# Flush out the list before we begin.
+ipfw -q -f flush
+
+# Set rules command prefix
+cmd="ipfw -q add"
+table="ipfw -q table"
+
+# Create a table with all IPs allowed to connect to SSH
+$table 1 flush # required
+$table 1 add 172.27.0.1 # single IP address
+$table 1 add 192.168.0.0/24 # CIDR network
+
+# Actual rule which allows SSH
+$cmd allow from "table(1)" to me 22 keep-state
+
+# Deny everything else
+$cmd deny from any to any</programlisting>
+
+ <para>Here is another example, in which tables and values are
+ used to group clients into multiple bandwidth limitations
+ depending on their subscription:</para>
+
+ <programlisting>#!/bin/sh
+# Flush out the list before we begin.
+ipfw -q -f flush
+
+# Set rules command prefix
+cmd="ipfw -q add"
+table="ipfw -q table"
+pipe="ipfw -q pipe"
+if_net="em0"
+
+#
+# Pipes
+#
+
+# Please note that dynamic pipes will be created for each client.
+# In other words, clients DO NOT compete for the bandwidth.
+
+# First subscription rate.
+$pipe 10 config queue 10 bw 512Kbit/s mask src-ip 0xffffffff # uplink
+$pipe 11 config queue 10 bw 512Kbit/s mask dst-ip 0xffffffff # downlink
+
+# Second subscription rate.
+$pipe 20 config queue 10 bw 768Kbit/s mask src-ip 0xffffffff # uplink
+$pipe 21 config queue 10 bw 768Kbit/s mask dst-ip 0xffffffff # downlink
+
+# Create a table with all IPs allowed to have Internet connection.
+# Note that although it is not required, values are the same
+# as the bandwidth which will be given to the client.
+$table 1 flush # required
+$table 1 add 172.27.0.2 512 # 512Kbps client
+$table 1 add 172.27.0.3 768 # 768Kbps client
+$table 1 add 172.27.0.4 512 # 512Kbps client
+
+# Actual rules which classify the traffic
+$cmd pipe 10 all from "table(1,512)" to any xmit $if_net
+$cmd pipe 11 all from any to "table(1,512)" recv $if_net
+$cmd pipe 20 all from "table(1,768)" to any xmit $if_net
+$cmd pipe 21 all from any to "table(1,768)" recv $if_net
+
+# Deny everything else
+$cmd deny all from any to any</programlisting>
+ </sect2>
+ </sect1>
+
+ <sect1 xml:id="firewalls-ipf">
+ <title>IPFILTER (IPF)</title>
+
+ <indexterm>
<primary>firewall</primary>
<secondary><application>IPFILTER</application></secondary>
--------------080201090104010609090803--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201405260520.s4Q5K1jY078412>