Date: Fri, 13 Aug 2004 12:06:18 +0200
From: Pawel Malachowski <pawmal-posting@freebsd.lublin.pl>
To: Chris Knipe <savage@savage.za.org>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw & skipto.... confused a bit...
Message-ID: <20040813100618.GE96469@shellma.zin.lublin.pl>
In-Reply-To: <000e01c48109$063bfd20$fb00a8c0@savage.za.org>
References: <E1BvWef-0002eB-00@hetzner.co.za> <000e01c48109$063bfd20$fb00a8c0@savage.za.org>
A ruleset of almost 64k rules is weird. Consider using IPFW2 lookup tables for aggregating different types of clients, and skiptos for separating traffic on a per-direction and per-interface basis. This can greatly increase readability and reduce ruleset size.

RECV_NIC1=1000
OMIT=1500
XMIT_NIC1=2000
RECV_NIC2=3000
XMIT_NIC2=4000
...
REST=10000

ipfw table 1 add client1/32
ipfw table 1 add client2/24
...
ipfw table X add clientN/M

ipfw add skipto ${RECV_NIC1} ip from any to any in recv ${NIC1}
ipfw add skipto ${XMIT_NIC1} ip from any to any out xmit ${NIC1}
ipfw add skipto ${RECV_NIC2} ip from any to any in recv ${NIC2}
ipfw add skipto ${XMIT_NIC2} ip from any to any out xmit ${NIC2}
...
ipfw add skipto ${REST} ip from any to any // All other traffic pass somewhere

ipfw add ${RECV_NIC1} count ip from any to any // jump here for RECV_NIC1
ipfw add pipe XXX ip from any to table(X)
ipfw add skipto $OMIT ip from any to table(X)
ipfw add pipe YYY ip from any to table(Y)
ipfw add skipto $OMIT ip from any to table(Y)
...
ipfw add ${OMIT} count ip from any to any // Jump here after applying pipes
...
ipfw add skipto ${END} ip from any to any // We are done for this interface and direction

.
.
.

ipfw add ${REST} count ip from any to any // All other traffic pass here
...
ipfw add skipto ${END} ip from any to any // We are done for this interface and direction

Very often we apply the same rules on each interface, so we can put these rules in a sh(1) function and call that function from the shell script that creates the ruleset for us, for example:

lower_p2p () {
	# Lower weight of P2P
	# ${1} = ${PIPE_xxx_xxx_P2P}
	${FW} add set ${SET_SHAPE_P2P} queue ${1}10 \
		tcp from any ${TCPP2PPORT} to any // Lower weight of incoming P2P traffic
	${FW} add set ${SET_SHAPE_P2P} skipto ${HOP} \
		tcp from any ${TCPP2PPORT} to any // Jump over not-P2P rule
	${FW} add set ${SET_SHAPE_P2P} queue ${1}10 \
		tcp from any to any ${TCPP2PPORT} // Lower weight of incoming P2P traffic
	${FW} add set ${SET_SHAPE_P2P} skipto ${HOP} \
		tcp from any to any ${TCPP2PPORT} // Jump over not-P2P rule
	${FW} add set ${SET_SHAPE_P2P} queue ${1}90 \
		ip from any to any // Prefer NOT P2P traffic
}

And call the lower_p2p() function like this:

######################################################################
# ISP1 in/down
#
HOP=${ISP1d}
hop					# Jump here for ISP1 incoming traffic
# firewall rules here
typical_firewall
# Hook for SETs allowing skipping of shaper (local and global).
skipshaperhook ${SET_SKIPSHAPE_ISP1}
perclient_shaper_in ${SET_SHAPE_ISP1_PERCLIENTLIMIT} ${PIPE_ISP1_DOWN_PERCLIENT}
hop					# Jump here after perclient_in queueing and before P2P-limits
lower_p2p ${PIPE_ISP1_DOWN_P2P}		# <--------------
hop					# Jump here after P2P-limits before prefer-servers
prefer_servers_in
longjump
#
# This is the end of the ruleset for ISP1 incoming. In this file it looks short, but
# we have here:
# . Typical firewall (filter MS Windows ports)
# . Rules (skipto with set) allowing disabling traffic shaping with `ipfw set ${SKIPSHAPINGFORISP1} enable'
# . Shaping on a per-client basis (different clients have their own lookup tables and different bw)
# . Limiting P2P (we can turn this on/off with `ipfw set ${SET_SHAPE_P2P} enable/disable')
# . Rules that increase the weight of our hosting servers and reduce workstations
# . Jump to the end.
#
######################################################################

regards,
-- 
Paweł Małachowski
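A dry-run generator for this kind of ruleset, as an added example that is not the script from the message above or FreeBSD's own code. It assumes the helper names the message only mentions (hop, longjump, typical_firewall) mean what the message implies: hop emits the landmark rule that earlier "skipto ${HOP}" rules target and then advances HOP to the next landmark. The interface name, P2P port range, client prefix, landmark numbers, dummynet pipe numbers and the rule set number are constructed sample values. With FW left at its default of "echo ipfw" the script prints the rules it would load, so the skipto targets can be checked before anything touches the kernel; FW=/sbin/ipfw loads them.

```shell
#!/bin/sh
# Dry-run generator for an ipfw ruleset built from skipto landmarks, lookup
# tables and per-interface sh functions (added example, not the script from
# the message). FW defaults to "echo ipfw" so rules are printed, not loaded.
FW="${FW:-echo ipfw}"

# Constructed sample values (assumptions for this example).
NIC1=em0
TCPP2PPORT=6881-6889
ISP1d=1000                   # first landmark of the "ISP1 in/down" block
END=65000                    # landmark: end of the ruleset
STEP=100                     # rule numbers reserved between two landmarks
PIPE_ISP1_DOWN_PERCLIENT=1
PIPE_ISP1_DOWN_P2P=2
SET_SHAPE_P2P=3              # rule set used to toggle the P2P limit

# rule ARGS...: emit one rule at the next number before the coming landmark;
# abort instead of silently overrunning it.
rule() {
    N=$((N + 1))
    [ "$N" -lt "$HOP" ] || { echo "too many rules before landmark $HOP" >&2; exit 1; }
    ${FW} add "$N" "$@"
}

# hop: emit the landmark that earlier "skipto ${HOP}" rules targeted, then
# advance HOP so the rules that follow can skipto the *next* landmark.
hop() {
    ${FW} add "$HOP" count ip from any to any
    N=$HOP
    HOP=$((HOP + STEP))
}

# shaper_config PIPE BW: one pipe plus the two weighted queues lower_p2p
# uses (queue ${PIPE}10 at weight 10, ${PIPE}90 at weight 90).
shaper_config() {
    ${FW} pipe "$1" config bw "$2"
    ${FW} queue "${1}10" config pipe "$1" weight 10
    ${FW} queue "${1}90" config pipe "$1" weight 90
}

# lower_p2p PIPE: the function from the message, emitted through rule().
# The skiptos jump over the "prefer non-P2P" rule once a P2P packet has
# been queued; they are only reached when net.inet.ip.fw.one_pass=0.
lower_p2p() {
    rule set "$SET_SHAPE_P2P" queue "${1}10" tcp from any "$TCPP2PPORT" to any
    rule set "$SET_SHAPE_P2P" skipto "$HOP" tcp from any "$TCPP2PPORT" to any
    rule set "$SET_SHAPE_P2P" queue "${1}10" tcp from any to any "$TCPP2PPORT"
    rule set "$SET_SHAPE_P2P" skipto "$HOP" tcp from any to any "$TCPP2PPORT"
    rule set "$SET_SHAPE_P2P" queue "${1}90" ip from any to any
}

# typical_firewall: stand-in for the filtering rules (MS Windows ports).
typical_firewall() { rule deny tcp from any to any 135,137-139,445; }

# longjump: done with this interface and direction.
longjump() { rule skipto "$END" ip from any to any; }

# The "ISP1 in/down" block: landmark, filter, per-client pipe, P2P limit.
isp1_in() {
    HOP=$ISP1d
    hop                                    # landmark the dispatch rule targets
    typical_firewall
    rule pipe "$PIPE_ISP1_DOWN_PERCLIENT" ip from any to 'table(1)'
    rule skipto "$HOP" ip from any to 'table(1)'
    hop                                    # after per-client shaping
    lower_p2p "$PIPE_ISP1_DOWN_P2P"
    hop                                    # after P2P limits
    longjump
}

# ruleset: tables and shapers, the per-interface dispatch, then the blocks.
ruleset() {
    ${FW} table 1 add 192.0.2.0/24          # constructed client prefix
    ${FW} pipe "$PIPE_ISP1_DOWN_PERCLIENT" config bw 10Mbit/s mask dst-ip 0xffffffff
    shaper_config "$PIPE_ISP1_DOWN_P2P" 2Mbit/s
    ${FW} add 100 skipto "$ISP1d" ip from any to any in recv "$NIC1"
    ${FW} add 110 skipto "$END" ip from any to any   # everything else
    isp1_in
    ${FW} add "$END" allow ip from any to any
}

# check_skiptos: read a printed ruleset on stdin and fail if any skipto
# target is not an emitted rule number or is not a forward jump. ipfw itself
# accepts a skipto to a missing number and continues at the next higher
# rule, so a forgotten hop would otherwise go unnoticed.
check_skiptos() {
    awk '
        $1 == "ipfw" && $2 == "add" {
            have[$3] = 1
            for (i = 4; i <= NF; i++)
                if ($i == "skipto" && $3 + 0 > src[$(i + 1)] + 0) src[$(i + 1)] = $3
        }
        END {
            bad = 0
            for (t in src)
                if (!(t in have) || t + 0 <= src[t] + 0) { print "bad skipto " src[t] " -> " t; bad = 1 }
            exit bad
        }'
}

ruleset
```

Run it as "sh gen.sh | sh -c 'check_skiptos'" style, or simply "sh gen.sh | tee rules.txt" and feed rules.txt to check_skiptos, before switching FW to the real ipfw. Two caveats worth keeping in mind: the "skipto ${HOP}" rules that follow a pipe or queue action only matter with net.inet.ip.fw.one_pass=0, because with the default of 1 a packet leaves the firewall after dummynet and never reaches them; and "ipfw set 3 disable" removes the whole P2P limit from the search path without reloading anything, which is exactly what the message's per-feature sets buy you.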