From: "Seth Henry" <jshamlet@hotmail.com>
To: freebsd-questions@freebsd.org
Date: Thu, 21 Oct 2004 22:16:38 -0500
Subject: How does ipfilter/ipnat (for filtering) connect to ipfw/dummynet (for QoS)?

Guys,

I appreciate the help with the DNS problem. Between several folks emailing me with tips or examples, I have managed to get my DNS server up and running. I wish I had saved the address, as there is a very thorough HOWTO for exactly the sort of setup I was describing.

BTW - as a tip to those setting up a DNS server on a router that uses dhclient for obtaining a WAN address, add the following to your dhclient.conf file:

    interface "fxp0" {
        supersede domain-name "alexandria.homeunix.net";
        supersede domain-name-servers 192.168.1.1;
    }

This keeps your resolv.conf file from getting overwritten.
Now, onto the question. I have an existing ipfilter/ipnat setup running on my router. I would like to add QoS using ipfw/dummynet. I have found a very nice HOWTO on QoS at http://www.bsdnews.org/02/dummynet.php, and, of course, I have a working ipfilter/ipnat setup. What I don't get is how to chain them together. (Yes, I realize routing speed will suffer - but it's a cable modem, and the router is a PIII-1.2GHz with plenty of RAM.)

So, could someone fill in the gozinta's and gozouta's of this setup? I'm not even sure which should come first. I would assume ipfilter, as it is providing the firewall functionality - but I'm not sure. That said, I'm not sure what to "hook up" ipfw to: the internal I/F, the external I/F, some virtual port?

That said, I'd even be willing to look into using ipfw/natd as the firewall. My rules aren't that complex -

    #################################################################
    # Outside Interface
    #################################################################
    # FTP interface - allow from work & home only
    pass in quick on fxp0 proto tcp from xxx.xxx.0.0/16 to any port = 21 flags S keep frags keep state
    pass in quick on fxp0 proto tcp from xxx.xx.0.0/16 to any port = 21 flags S keep frags keep state
    # Primary SSH (file server) - allow from work & home only
    pass in quick on fxp0 proto tcp from xxx.xxx.0.0/16 to any port = 22 flags S keep frags keep state
    pass in quick on fxp0 proto tcp from xxx.xxx.0.0/16 to any port = 22 flags S keep frags keep state
    # Router SSH access - allow from work & home only
    pass in quick on fxp0 proto tcp from xxx.xxx.0.0/16 to any port = 23 flags S keep frags keep state
    pass in quick on fxp0 proto tcp from xxx.xxx.0.0/16 to any port = 23 flags S keep frags keep state
    # DNS queries
    pass in quick on fxp0 proto tcp from any to any port = 53 flags S keep frags keep state
    # DHCP port - this should be available to the Comcast DHCP server only - but where is it?
    pass in log quick on fxp0 proto udp from any to any port = 68 keep state
    # Test port (using POP3 port) from work only
    pass in quick on fxp0 proto tcp from xxx.xxx.0.0/16 to any port = 110 flags S keep frags keep state
    # NTP inbound - courtesy to the remote NTP server
    pass in log quick on fxp0 proto tcp from 192.5.41.0/24 to any port = 123 flags S keep frags keep state
    pass out quick on fxp0 proto tcp from any to any flags S keep frags keep state
    pass out quick on fxp0 proto udp from any to any keep state keep frags
    pass out quick on fxp0 proto icmp from any to any keep state
    block out quick on fxp0 all
    block in log quick on fxp0 all
    #################################################################
    # Inside Interfaces
    #################################################################
    pass in quick on xl0 all
    pass out quick on xl0 all
    #################################################################
    # Loopback Interface
    #################################################################
    pass in quick on lo0 all
    pass out quick on lo0 all

    map fxp0 192.168.1.254/24 -> 0/32 proxy port ftp ftp/tcp
    rdr fxp0 0.0.0.0/0 port 21 -> 192.168.1.2 port 21 tcp
    rdr fxp0 0.0.0.0/0 port 22 -> 192.168.1.2 port 22 tcp
    rdr fxp0 0.0.0.0/0 port 110 -> 192.168.1.7 port 110 tcp
    #below is a irc identd port forwarding example
    #rdr fxp0 0.0.0.0/0 port 113 -> 192.168.1.5 port 113 tcp
    map fxp0 192.168.1.254/24 -> 0/32 portmap tcp/udp auto
    map fxp0 192.168.1.254/24 -> 0/32

Seriously guys, this is the last question (for a while ;) I'm almost there with this gateway router. All I really want to do is make sure my vonage/Cisco ATA has all the bandwidth it wants, and everything else gets what's left. The trick is, I managed to educate myself on ipfilter/ipnat - I almost hate to start over with a new package now. If there is another way to do this - I'm open to that as well. I've been reading about something called ALTQ - but I'm still running 4.10-REL on this machine.
I hesitate to upgrade until 5-STABLE is out.

Thanks,
Seth Henry
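The post pairs an ipfilter ruleset (pass/block) with an ipnat ruleset (rdr/map), and the two have to agree: every port forwarded by an rdr needs a matching "pass in" rule, and any "pass in ... from any" exposes that service to the whole Internet rather than the "work & home" networks the comments intend. The script below is an added example, not part of Seth's mail or of the ipfilter/ipnat tools; it is a small auditor that parses both files, reports the source restriction in force for each inbound port, flags forwarded ports with no pass rule (blocked by the final "block in" rule) and flags exact duplicate lines. The sample input is constructed from the shape of the rules in the post: the xxx.xxx.0.0/16 sources are the poster's redacted networks and are kept as opaque strings, and the identd rdr for port 113 is deliberately uncommented here so the missing-pass check has something to find.

```python
"""Cross-check an ipfilter (ipf.rules) ruleset against an ipnat (ipnat.rules) ruleset.

Added example; the regexes cover only the rule shapes used in the post
(pass in [log] quick on IFC proto PROTO from SRC to DST port = N ...,
rdr IFC NET port N -> HOST port N PROTO), not the full ipf/ipnat grammar.
"""
import re
from collections import defaultdict

# Constructed sample input, modelled on the post's inbound rules.
IPF_RULES = """\
pass in quick on fxp0 proto tcp from xxx.xxx.0.0/16 to any port = 21 flags S keep frags keep state
pass in quick on fxp0 proto tcp from xxx.xxx.0.0/16 to any port = 21 flags S keep frags keep state
pass in quick on fxp0 proto tcp from xxx.xxx.0.0/16 to any port = 22 flags S keep frags keep state
pass in quick on fxp0 proto tcp from any to any port = 53 flags S keep frags keep state
pass in log quick on fxp0 proto udp from any to any port = 68 keep state
pass in quick on fxp0 proto tcp from xxx.xxx.0.0/16 to any port = 110 flags S keep frags keep state
block in log quick on fxp0 all
"""

# Constructed sample input; the port 113 line is uncommented on purpose.
IPNAT_RULES = """\
rdr fxp0 0.0.0.0/0 port 21 -> 192.168.1.2 port 21 tcp
rdr fxp0 0.0.0.0/0 port 22 -> 192.168.1.2 port 22 tcp
rdr fxp0 0.0.0.0/0 port 110 -> 192.168.1.7 port 110 tcp
rdr fxp0 0.0.0.0/0 port 113 -> 192.168.1.5 port 113 tcp
"""

PASS_IN = re.compile(
    r"^pass\s+in\s+(?:log\s+)?quick\s+on\s+(?P<ifc>\S+)\s+proto\s+(?P<proto>\S+)"
    r"\s+from\s+(?P<src>\S+)\s+to\s+\S+\s+port\s*=\s*(?P<port>\d+)"
)
RDR = re.compile(
    r"^rdr\s+(?P<ifc>\S+)\s+\S+\s+port\s+(?P<port>\d+)\s+->\s+(?P<dst>\S+)"
    r"\s+port\s+\d+\s+(?P<proto>\S+)"
)


def _active_lines(text):
    """Yield non-empty, non-comment lines with surrounding whitespace removed."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def parse_pass_in(text):
    """Return ({(ifc, proto, port): [src, ...]}, [duplicate lines])."""
    allowed = defaultdict(list)
    seen, dups = set(), []
    for line in _active_lines(text):
        if line in seen:
            dups.append(line)
        seen.add(line)
        m = PASS_IN.match(line)
        if m:
            allowed[(m["ifc"], m["proto"], int(m["port"]))].append(m["src"])
    return allowed, dups


def parse_rdr(text):
    """Return {(ifc, proto, port): internal_host} for every rdr rule."""
    fwd = {}
    for line in _active_lines(text):
        m = RDR.match(line)
        if m:
            fwd[(m["ifc"], m["proto"], int(m["port"]))] = m["dst"]
    return fwd


def audit(ipf_text, ipnat_text):
    """Produce one finding per inbound port, per unmatched rdr, per duplicate."""
    allowed, dups = parse_pass_in(ipf_text)
    fwd = parse_rdr(ipnat_text)
    findings = []
    for (ifc, proto, port), srcs in sorted(allowed.items()):
        target = fwd.get((ifc, proto, port), "router itself")
        if "any" in srcs:
            findings.append(f"OPEN   {proto}/{port} on {ifc} -> {target}: reachable from any source")
        else:
            findings.append(f"LIMIT  {proto}/{port} on {ifc} -> {target}: {', '.join(sorted(set(srcs)))}")
    for (ifc, proto, port), dst in sorted(fwd.items()):
        if (ifc, proto, port) not in allowed:
            findings.append(f"NOPASS {proto}/{port} on {ifc} forwarded to {dst} but no 'pass in' rule (hits the final block)")
    findings.extend(f"DUP    {line}" for line in dups)
    return findings


if __name__ == "__main__":
    for finding in audit(IPF_RULES, IPNAT_RULES):
        print(finding)
```

Run against real files, replace the two constructed strings with the contents of /etc/ipf.rules and /etc/ipnat.rules. On the sample it reports tcp/53 and udp/68 as OPEN, the three forwarded services as LIMIT to the redacted /16, the port 113 rdr as NOPASS, and the repeated port 21 line as DUP.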