Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 13 Aug 2004 12:06:18 +0200
From:      Pawel Malachowski <pawmal-posting@freebsd.lublin.pl>
To:        Chris Knipe <savage@savage.za.org>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: ipfw & skipto.... confused a bit...
Message-ID:  <20040813100618.GE96469@shellma.zin.lublin.pl>
In-Reply-To: <000e01c48109$063bfd20$fb00a8c0@savage.za.org>
References:  <E1BvWef-0002eB-00@hetzner.co.za> <000e01c48109$063bfd20$fb00a8c0@savage.za.org>

next in thread | previous in thread | raw e-mail | index | archive | help
Almost ~64k rules ruleset is weird.

Consider using IPFW2 Lookup Tables for aggregating different types
of clients and skiptos for separating traffic on per-direction and
per-interface basis. This can greatly increase readability and
reduce ruleset size.

RECV_NIC1=1000
OMIT=1500
XMIT_NIC1=2000
RECV_NIC2=3000
XMIT_NIC2=4000
...
REST=10000

ipfw table 1 add client1/32
ipfw table 1 add client2/24
...
ipfw table X add clientN/M

ipfw add skipto ${RECV_NIC1} ip from any to any in  recv ${NIC1}
ipfw add skipto ${XMIT_NIC1} ip from any to any out xmit ${NIC1}
ipfw add skipto ${RECV_NIC2} ip from any to any in  recv ${NIC2}
ipfw add skipto ${XMIT_NIC2} ip from any to any out xmit ${NIC2}
...
ipfw add skipto ${REST} ip from any to any // All other traffic pass somewhere

ipfw add ${RECV_NIC1} count ip from any to any // jump here for RECV_NIC1
  ipfw add pipe XXX ip from any to table(X)
  ipfw add skipto $OMIT ip from any to table(X)
  ipfw add pipe YYY ip from any to table(Y)
  ipfw add skipto $OMIT ip from any to table(Y)
  ...
  ipfw add ${OMIT} count ip from any to any // Jump here after applying pipes
  ...
ipfw add skipto ${END} ip from any to any // We are done for this interface and direction

.
.
.

ipfw add ${REST} count ip from any to any // All other traffic pass here
  ...
ipfw add skipto ${END} ip from any to any // We are done for this interface and direction



Very often we apply the same rules on each interface, so we can put these
rules in sh(1) function and call a function in shell script that creates
ruleset for us, for example:


lower_p2p () {
  # Lower weight of P2P
  # ${1} = ${PIPE_xxx_xxx_P2P}
  ${FW} add set ${SET_SHAPE_P2P} queue ${1}10 \
   tcp from any ${TCPP2PPORT} to any // Lower weight of incoming P2P traffic
  ${FW} add set ${SET_SHAPE_P2P} skipto ${HOP} \
   tcp from any ${TCPP2PPORT} to any // Jump over not-P2P rule

  ${FW} add set ${SET_SHAPE_P2P} queue ${1}10 \
   tcp from any to any ${TCPP2PPORT} // Lower weight of incoming P2P traffic
  ${FW} add set ${SET_SHAPE_P2P} skipto ${HOP} \
   tcp from any to any ${TCPP2PPORT} // Jump over not-P2P rule

  ${FW} add set ${SET_SHAPE_P2P} queue ${1}90 \
   ip from any to any // Prefer NOT P2P traffic
}




And call lower_p2p() function like this:

######################################################################
# ISP1 in/down
#
HOP=${ISP1d}
hop Jump here for ISP1 incoming traffic

# firewall rules here
typical_firewall

# Hook for SETs allowing skipping of shaper (local and global).
skipshaperhook ${SET_SKIPSHAPE_ISP1}

perclient_shaper_in ${SET_SHAPE_ISP1_PERCLIENTLIMIT} ${PIPE_ISP1_DOWN_PERCLIENT}

hop Jump here after perclient_in queueing and before P2P-limits
lower_p2p ${PIPE_ISP1_DOWN_P2P}					<--------------
hop Jump here after P2P-limits before prefere-servers

prefer_servers_in
longjump
#
# This is end of ruleset for ISP1 incoming. In this file it looks short but
# we have here:
#	. Typical firewall (filter MS Windows ports)
#	. Rules (skipto with set) allowing disabling traffic shaping with `ipfw set ${SKIPSHAPINGFORISP1} enable'
#	. Shaping on per-client basis (different cliens have their own lookup tables and different bw)
#	. Limiting P2P (we can turn this on/off with `ipfw set ${SET_SHAPE_P2P} enable/disable'
#	. Rules that increase weight of our hosting servers and reduce workstations
#	. Jump to the end.
#
######################################################################


regards,
-- 
Paweł Małachowski



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040813100618.GE96469>