From: Luigi Rizzo
To: Marcelo Gondim
Cc: freebsd-stable@freebsd.org
Date: Thu, 13 Feb 2014 09:30:17 -0800
Subject: Re: dummynet problem in FreeBSD 10.0-STABLE
In-Reply-To: <52FCFB8C.1030800@bsdinfo.com.br>

hi,
do you have the dummynet module loaded ?
what does "ipfw pipe show" say, before and after
the pipe's configuration ?

cheers
luigi

On Thu, Feb 13, 2014 at 9:06 AM, Marcelo Gondim wrote:

> Hi all,
>
> The following rules do not work anymore and block access to outside:
>
> ipfw add pipe 1 ip from 67.xxx.89.78 to any 80 out via xn0
> ipfw add pipe 2 ip from any 80 to 67.xxx.89.78 in via xn0
> ipfw pipe 1 config bw 1024Kbit/s queue 128 burst 2M
> ipfw pipe 2 config bw 1024Kbit/s queue 128 burst 2M
>
> Using these rules on the server, I can not surf the Internet through the
> server. In FreeBSD 9.x these rules worked.
> Doing: links http://www.any_website.com does not work
>
> My Firewall rules:
> # ipfw show
>
> 00100 67191 13584242 allow ip from any to any via lo0
> 00200     0        0 deny ip from 127.0.0.0/8 to any
> 00300     0        0 deny ip from any to 127.0.0.0/8
> 00400     0        0 check-state
> 00500     0        0 deny ip from 192.168.0.0/16 to any in via xn0
> 00600     0        0 deny ip from 10.0.0.0/8 to any in via xn0
> 00700     0        0 deny ip from 172.16.0.0/12 to any in via xn0
> 00800     0        0 deny ip from 224.0.0.0/4 to any in via xn0
> 00900     0        0 deny ip from 255.255.255.255 to any in via xn0
> 01000     0        0 deny tcp from any to any in tcpflags fin,psh,urg recv xn0
> 01100     0        0 deny tcp from any to any in tcpflags !syn,!fin,!ack,!psh,!rst,!urg recv xn0
> 01200     0        0 deny tcp from any to any in tcpflags syn,fin recv xn0
> 01300     0        0 deny tcp from any to any in tcpflags fin,rst recv xn0
> 01400     0        0 deny ip from any to any in ipoptions ssrr,lsrr,rr,ts recv xn0
> 01500    78     2496 deny ip from table(99) to any in via xn0
> 01600     0        0 deny ip from table(1) to any
>
> 01700   276    16560 pipe 1 ip from 67.xxx.89.78 to any dst-port 80 out via xn0
> 01800     3      144 pipe 2 ip from any 80 to 67.xxx.89.78 in via xn0
>
> 01900     4      276 allow icmp from any to any icmptypes 3,11,12
> 02000     0        0 allow icmp from me to any icmptypes 0,8 keep-state
> 02100     1       75 deny icmp from any to any
> 02200  2226   298340 allow tcp from any to me dst-port 4321 in via xn0 setup keep-state
> 02300  1997   768000 allow tcp from any to me dst-port 995 in via xn0 setup keep-state
> 02400  1363   519377 allow tcp from any to me dst-port 25 in via xn0 setup keep-state
> 02500   733   549931 allow tcp from any to me dst-port 587 in via xn0 setup keep-state
> 02600  8952  8756999 allow tcp from any to me dst-port 80 in via xn0 setup keep-state
> 02700  2748  2125603 allow tcp from any to me dst-port 443 in via xn0 setup keep-state
> 02800     0        0 allow tcp from any to me dst-port 143 in via xn0 setup keep-state
> 02900     0        0 allow tcp from any to me dst-port 110 in via xn0 setup keep-state
> 03000  1094   360419 allow tcp from any to me dst-port 993 in via xn0 setup keep-state
> 03100     0        0 allow tcp from any to me dst-port 21 in via xn0 setup keep-state
> 03200     0        0 allow tcp from any to me dst-port 30000-50000 in via xn0 setup keep-state
> 03300  3558  1151840 allow tcp from me to any out setup keep-state
> 03400  6693   880724 allow ip from me to any out keep-state
> 65534   170    20283 deny log logamount 100 ip from any to any
> 65535    36     5424 allow ip from any to any
>
> When I remove the upload rule, navigation works again:
>
> # ipfw delete 1700
>
> links http://www.any_website.com works again.
>
> # uname -a
> FreeBSD mail.xxxxx.xxx.xx 10.0-STABLE FreeBSD 10.0-STABLE #2 r261419: Thu Feb 6 16:51:10 BRST 2014 root@mail.xxxxx.xxx.xx:/usr/obj/usr/src/sys/GONDIM amd64
>
> It seems that something has changed and that stopped the bandwidth control.
>
> []'s
> Gondim

-- 
-----------------------------------------+-------------------------------
 Prof. Luigi RIZZO, rizzo@iet.unipi.it  . Dip. di Ing. dell'Informazione
 http://www.iet.unipi.it/~luigi/        . Universita` di Pisa
 TEL      +39-050-2211611               . via Diotisalvi 2
 Mobile   +39-338-6809875               . 56122 PISA (Italy)
-----------------------------------------+-------------------------------