Date:      Mon, 17 Jan 2011 23:17:52 +0500
From:      "Fazal Ahmed Malik" <fam@sky.net.pk>
To:        <freebsd-ipfw@freebsd.org>
Subject:   transparent squid and ipfw
Message-ID:  <0C410D9FC67644B397092B0709802DC9@fam>

This is a multi-part message in MIME format.

------=_NextPart_000_0007_01CBB69C.C37A80D0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Dear All,

I have a problem setting up transparent Squid and ipfw dummynet together on FreeBSD. I sent this question earlier but have had no luck implementing it yet. I am using mpd5 as a PPPoE server and have an addclient script which limits the user bandwidth (working perfectly). Now I want all my traffic redirected to Squid transparently, meaning users do not need to configure a proxy in their browser. When I redirect port 80 traffic to Squid, the bandwidth is no longer controlled, meaning the dummynet pipe is no longer effective.
I have the following ipfw rules, and the addclient script is attached. Anybody who has implemented such a solution, please help.

00002 157925 116380443 divert 8668 ip from any to any via xl0
00997 fwd 192.168.3.50,8080 $log tcp from any to any 80 in recv $vpn_if
00048      6       288 deny tcp from any to any dst-port 445 out via xl0
00049      0         0 deny tcp from any to any dst-port 445 in via xl0
00050      0         0 deny tcp from any to any dst-port 137 in via xl0
00051      0         0 deny tcp from any to any dst-port 138 in via xl0
00052      0         0 deny tcp from any to any dst-port 139 in via xl0
00053      0         0 allow tcp from any to any dst-port 20 setup
00054      0         0 allow tcp from any to any dst-port 21 setup
00055      0         0 allow tcp from any to any dst-port 22 setup
00056      5       240 allow tcp from any to any dst-port 23 setup
00999 287274 228262006 allow tcp from any to any out keep-state
01003   1298    140582 pipe 3 ip from 192.168.3.80 to any via ng0
01005   3654    409511 pipe 5 ip from 192.168.3.81 to any via ng1
03000    772     52308 allow icmp from me to any
04000    394     26536 allow icmp from any to any
65535  33414   5509180 allow ip from any to any


Best regards,

Fazal Ahmed Malik


------=_NextPart_000_0007_01CBB69C.C37A80D0
Content-Type: application/octet-stream;
	name="addclient.sh"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
	filename="addclient.sh"

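#!/bin/sh
#
# addclient.sh - mpd5 link-up script: configure a pair of ipfw dummynet
# pipes sized from /usr/local/etc/mpd5/bandwidth.conf and attach the
# outbound pipe to the client's address on its ng<N> interface.
#
# Arguments (as passed by mpd5 to the up-script):
#   $1 - interface name (e.g. ng0)
#   $2 - link type
#   $3 - (unused here)
#   $4 - client address (HISADDR)
#   $5 - user name
#
# bandwidth.conf holds one line per user, "<user> <inkbps> <outkbps>",
# matched by exact comparison of the first field.  A missing user or a
# non-numeric field falls back to 1024 Kbit/s for that direction.
#
# Outputs: progress lines on stdout (as the original did), errors on
# stderr, and one audit line appended to /var/log/mpd.output.
# Returns: 0 on success, 1 if any ipfw command failed (the audit line is
# still written so the attempt is recorded).

int=$1              # grab args off the command line (INTERFACE, type, -, HISADDR, USER)
type=$2
clientip=$4
user=$5
fwcmd=/sbin/ipfw    # specify firewall command
bwconf=/usr/local/etc/mpd5/bandwidth.conf
logfile=/var/log/mpd.output
default_kbps=1024

# is_number VALUE - succeed when VALUE is a non-empty decimal integer.
# Every value that is spliced into an ipfw command line goes through this
# so that a malformed config line or interface name never reaches ipfw.
is_number() {
  case $1 in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Seed the user number from the ng<N> interface index (+1 so ng0 -> 1).
# Anything that is not ng<digits> leaves usernum empty and falls through to
# the line-count fallback below.
usernum1=${int#ng}
if is_number "$usernum1"; then
  usernum=$((usernum1 + 1))
else
  usernum=
fi

# Look the user up in bandwidth.conf.  A plain string comparison on the
# first field replaces the old grep -w so the user name is never treated as
# a regular expression or as a grep option, and a partial match on another
# field cannot pick the wrong line.
inkbps=
outkbps=
if [ -n "$user" ] && [ -r "$bwconf" ]; then
  while read -r name in out rest || [ -n "$name" ]; do
    if [ "$name" = "$user" ]; then
      inkbps=$in      # grab max inbound throughput
      outkbps=$out    # grab max outbound throughput
      break
    fi
  done < "$bwconf"
fi

if [ -z "$usernum" ]; then              # no usable interface index:
  if [ -r "$bwconf" ]; then             # count the lines in the file
    currentusers=$(( $(wc -l < "$bwconf") ))
  else
    currentusers=0
  fi
  usernum=$((currentusers + 1))         # add one to the count of lines
  echo newusernum: $usernum
fi

if ! is_number "$outkbps"; then         # no (or bad) outkbps, default to 1024kbps
  outkbps=$default_kbps
  echo newoutkbps: $outkbps
fi
if ! is_number "$inkbps"; then          # no (or bad) inkbps, default to 1024kbps
  inkbps=$default_kbps
  echo newinkbps: $inkbps
fi

# The firewall pipe and rule numbers are seeded by the user number.
pipein=$((usernum * 2))
pipeout=$((pipein + 1))
fwrulein=$((pipein + 1000))
fwruleout=$((fwrulein + 1))
fwholein=$((pipein + 33000))
fwholeout=$((fwholein + 1))

rv=0
# make an inbound pipe of the right size, then the same for outgoing
"$fwcmd" pipe "$pipein" config bw "${inkbps}Kbit/s" || rv=1
"$fwcmd" pipe "$pipeout" config bw "${outkbps}Kbit/s" || rv=1

# force traffic through the correct pipe
if [ -n "$clientip" ] && [ -n "$int" ]; then
  "$fwcmd" add "$fwruleout" pipe "$pipeout" ip from "$clientip" to any via "$int" || rv=1
else
  printf 'addclient: missing client address or interface, rule %s not added\n' "$fwruleout" >&2
  rv=1
fi
# Alternatives kept from the original script for reference:
#"$fwcmd" add "$fwrulein" pipe "$pipein" ip from any to "$clientip" in
#"$fwcmd" add "$fwruleout" pipe "$pipeout" ip from "$clientip" to any out
# allow that traffic through the firewall
#"$fwcmd" add "$fwholein" permit ip from any to "$clientip"
#"$fwcmd" add "$fwholeout" permit ip from "$clientip" to any

# Audit line; printf rather than echo so a user name beginning with '-' or
# containing backslashes is logged verbatim.
printf '%s,%s,%s,%s,%s,%s,%s,%s\n' "$(date)" "$usernum" "$user" "$type" \
  "$clientip" "$int" "$inkbps" "$outkbps" >> "$logfile"

exit $rv

# -------------- end addclient.sh file ----------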

------=_NextPart_000_0007_01CBB69C.C37A80D0--




