Date: Sat, 15 Mar 2008 21:00:56 +0000
From: "Jay L. T. Cornwall" <jay@jcornwall.me.uk>
To: freebsd-questions@freebsd.org
Subject: IPFW / Dummynet problem
Message-ID: <47DC3908.2000604@jcornwall.me.uk>
Hi,

My FreeBSD machine is configured as a bridge between two networks:

  |-----|                                |-----|
  | LAN | ---> vr0 <--bridge0--> vr1 --> | WAN |
  |-----|                                |-----|

The following firewall ruleset works fine:

add 00600 allow all from any to any via vr0 keep-state
add 00610 allow tcp from any to any 22 in via vr1 setup keep-state
add 00611 allow tcp from any to any 23 in via vr1 setup keep-state
add 00612 allow tcp from any to any 113 in via vr1 setup keep-state
add 00613 allow icmp from any to any icmptypes 11
add 00620 check-state
add 00630 deny all from any to any via vr1
add 00640 allow all from 192.168.1.30 to any
add 00641 allow all from any to 192.168.1.30

I then add the following dummynet rules before these. The LAN continues to work (queueing is only applied to the vr1 WAN interface), and the WAN continues to work from the bridge machine itself (192.168.1.30), but outbound HTTP connections from any client on the LAN fail.

pipe 1 config bw 2Mbit/s queue 1
pipe 2 config bw 256Kbit/s queue 1
queue 1 config weight 10 pipe 1 queue 20 mask dst-ip 0xffffffff
queue 2 config weight 10 pipe 2 queue 20 mask src-ip 0xffffffff
queue 3 config weight 2 pipe 1 queue 100 mask dst-ip 0xffffffff
queue 4 config weight 2 pipe 2 queue 10 mask src-ip 0xffffffff
queue 5 config weight 1 pipe 1 queue 100 mask dst-ip 0xffffffff
queue 6 config weight 1 pipe 2 queue 10 mask src-ip 0xffffffff

add 00500 queue 1 tcp from any to any in via vr1 tcpflags ack iplen 0-52
add 00501 queue 2 tcp from any to any out via vr1 tcpflags ack iplen 0-52
add 00510 queue 3 udp from any to any in via vr1
add 00511 queue 4 udp from any to any out via vr1
add 00512 queue 3 tcp from any to any 22 in via vr1
add 00513 queue 4 tcp from any to any 22 out via vr1
add 00514 queue 3 tcp from any to any 993 in via vr1
add 00515 queue 4 tcp from any to any 993 out via vr1
add 00520 queue 5 all from any to any in via vr1
add 00521 queue 6 all from any to any out via vr1

I don't understand how queueing rules could affect the passing of any packet, except in delay? They do seem to match the queueing rules, e.g. rules 00520 and 00521 accumulate packets as connection attempts are made. Outbound packets even seem to pass to the WAN, so I can only assume it is an inbound/stateful problem?

00100 52 4548 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00500 30 1420 queue 1 tcp from any to any in via vr1 tcpflags ack iplen 0-52
00501 9 390 queue 2 tcp from any to any out via vr1 tcpflags ack iplen 0-52
00510 2 152 queue 3 udp from any to any in via vr1
00511 7 528 queue 4 udp from any to any out via vr1
00512 0 0 queue 3 tcp from any to any dst-port 22 in via vr1
00513 0 0 queue 4 tcp from any to any dst-port 22 out via vr1
00514 0 0 queue 3 tcp from any to any dst-port 993 in via vr1
00515 18 1228 queue 4 tcp from any to any dst-port 993 out via vr1
00520 26 1988 queue 5 ip from any to any in via vr1
00521 17 964 queue 6 ip from any to any out via vr1
00600 163 10082 allow ip from any to any via vr0 keep-state
00610 0 0 allow tcp from any to any dst-port 22 in via vr1 setup keep-state
00611 0 0 allow tcp from any to any dst-port 23 in via vr1 setup keep-state
00612 0 0 allow tcp from any to any dst-port 113 in via vr1 setup keep-state
00613 0 0 allow icmp from any to any icmptypes 11
00620 0 0 check-state
00630 0 0 deny ip from any to any via vr1
00640 405 102681 allow ip from 192.168.1.30 to any
00641 647 48255 allow ip from any to 192.168.1.30
65535 18 3086 deny ip from any to any

Thanks for any light you can shed on this.

--
Jay L. T. Cornwall
http://www.jcornwall.me.uk/
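As an added check, not part of the post above, the shell script below takes "ipfw -a list" output (an excerpt of the poster's table is embedded as constructed sample input) and reports the pipe/queue rules that sit ahead of the first stateful rule; whether a packet leaving dummynet still reaches those later allow/deny rules depends on the net.inet.ip.fw.one_pass sysctl, which the script prints when it is available.

```shell
#!/bin/sh
# Constructed excerpt of the "ipfw -a list" counters quoted in the post above;
# on a live system, feed the output of "ipfw -a list" to the function instead.
SAMPLE_RULES='00500 30 1420 queue 1 tcp from any to any in via vr1 tcpflags ack iplen 0-52
00520 26 1988 queue 5 ip from any to any in via vr1
00521 17 964 queue 6 ip from any to any out via vr1
00600 163 10082 allow ip from any to any via vr0 keep-state
00620 0 0 check-state
00630 0 0 deny ip from any to any via vr1
65535 18 3086 deny ip from any to any'

# Print the numbers of pipe/queue rules listed before the first stateful rule
# (check-state or keep-state). Accepts both "ipfw list" and "ipfw -a list"
# output: the action is the first field that is not a rule number or counter.
dummynet_rules_before_stateful() {
    printf '%s\n' "$1" | awk '
        {
            act = ""
            for (i = 1; i <= NF; i++) if ($i !~ /^[0-9]+$/) { act = $i; break }
            if (act == "pipe" || act == "queue") dn[NR] = $1
            if (!first && (act == "check-state" || $NF == "keep-state")) first = NR
        }
        END {
            for (i = 1; i <= NR; i++)
                if ((i in dn) && (!first || i < first)) print dn[i]
        }'
}

# With net.inet.ip.fw.one_pass=1 (the default) a packet leaving a dummynet
# pipe or queue is accepted and is not run through the remaining rules, so a
# rule reported above short-circuits the stateful allow/deny rules after it;
# with one_pass=0 the packet re-enters the ruleset at the next rule.
one_pass_setting() {
    sysctl -n net.inet.ip.fw.one_pass 2>/dev/null || echo "unknown (no ipfw sysctl on this host)"
}

echo "dummynet rules ahead of the first stateful rule:"
dummynet_rules_before_stateful "$SAMPLE_RULES"
echo "net.inet.ip.fw.one_pass = $(one_pass_setting)"
```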