Date:      Fri, 27 Jun 2008 14:37:24 -0700
From:      Chuck Swiger <cswiger@mac.com>
To:        Freddie Cash <fjwcash@gmail.com>
Cc:        freebsd-net@freebsd.org
Subject:   Re: Understanding where dummynet fits into an ipfw ruleset
Message-ID:  <58383628-3A79-4271-B62D-C35CC06618F0@mac.com>
In-Reply-To: <b269bc570806271301x3ed43e54k5de0a1d71a9eb676@mail.gmail.com>
References:  <b269bc570806271301x3ed43e54k5de0a1d71a9eb676@mail.gmail.com>

On Jun 27, 2008, at 1:01 PM, Freddie Cash wrote:
> Mainly, I'm wondering where to put the "ipfw queue" rules (the ones
> that send the packets to dummynet), in relation to the packet
> filtering rules, or if it even matters.
>
> For instance, do the queue rules apply to all the rules in the set, or
> only to rules that follow after the queue rules (numerically)?

That pretty much depends on whether the net.inet.ip.fw.one_pass sysctl is set:

      pipe pipe_nr
              Pass packet to a dummynet(4) ``pipe'' (for bandwidth limitation,
              delay, etc.).  See the TRAFFIC SHAPER (DUMMYNET) CONFIGURATION
              Section for further information.  The search terminates;
              however, on exit from the pipe and if the sysctl(8) variable
              net.inet.ip.fw.one_pass is not set, the packet is passed again to
              the firewall code starting from the next rule.

> Would I put the queue rules at the start of the ruleset or the end?
> Or in the middle, just above the rules for the workstations?  Do I add
> them after all the bad packet checks and general deny rules that are
> at the top of the ruleset?
>
> Just wondering how the queue rules interact with the general packet
> filter rules, since they can have the same parameters.

It's reasonable to place the dummynet queue and pipe statements
immediately after anti-spoofing checks, if net.inet.ip.fw.one_pass is
false; that way, all traffic is shaped, including stuff that is later
blocked by other IPFW statements.  Since the inbound traffic has
already passed through your external link(s) anyway, you might as well
acknowledge that it has.

If net.inet.ip.fw.one_pass is true, then you definitely want to apply
your deny rules first, as once something matches a pipe rule, it's
going to be passed.  The tradeoff is that the accounting/fairness of
traffic is less accurate but the firewall ruleset runs faster...

-- 
-Chuck
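As an added illustration of the point above (not from Chuck's message and not FreeBSD's ipfw code), here is a small Python model of how ipfw walks a ruleset past a pipe/queue rule under the two net.inet.ip.fw.one_pass settings. The ruleset, rule numbers, addresses, the single pipe and the default-deny last rule are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Rule:
    number: int
    action: str                 # "deny", "allow", "pipe" or "queue"
    src: str = "any"            # "any" or a source-address prefix (constructed)
    nr: Optional[int] = None    # pipe/queue number for shaping actions

def matches(rule: Rule, pkt: Dict[str, str]) -> bool:
    return rule.src == "any" or pkt["src"].startswith(rule.src)

def walk(rules: List[Rule], pkt: Dict[str, str], one_pass: bool) -> Tuple[str, List[int]]:
    """Walk the ruleset in numeric order; return (verdict, shapers the packet hit)."""
    shaped: List[int] = []
    ordered = sorted(rules, key=lambda r: r.number)
    for rule in ordered:
        if not matches(rule, pkt):
            continue
        if rule.action in ("deny", "allow"):
            return rule.action, shaped
        # pipe/queue: hand the packet to dummynet; the search terminates here...
        shaped.append(rule.nr)
        if one_pass:
            # ...and with one_pass set the packet is accepted on exit from the
            # pipe, so deny rules placed after it never see it.
            return "allow", shaped
        # With one_pass unset it re-enters the firewall at the next rule.
    return "deny", shaped  # assumption: the default rule (65535) is deny

# Constructed ruleset laid out as suggested for one_pass=0:
# anti-spoofing first, then shaping, then the rest of the filter.
SHAPE_EARLY = [
    Rule(100, "deny", src="10."),          # anti-spoof: private source on the outside
    Rule(200, "pipe", nr=1),               # shape everything that got this far
    Rule(300, "deny", src="203.0.113."),   # a network blocked further down
    Rule(65000, "allow"),
]
# Same policy reordered for one_pass=1: deny rules before the pipe.
DENY_FIRST = [
    Rule(100, "deny", src="10."),
    Rule(200, "deny", src="203.0.113."),
    Rule(300, "pipe", nr=1),
    Rule(65000, "allow"),
]

def verdicts(pkt: Dict[str, str]) -> Dict[str, Tuple[str, List[int]]]:
    return {
        "early/one_pass=0": walk(SHAPE_EARLY, pkt, False),
        "early/one_pass=1": walk(SHAPE_EARLY, pkt, True),
        "deny_first/one_pass=1": walk(DENY_FIRST, pkt, True),
    }

if __name__ == "__main__":
    for name, result in verdicts({"src": "203.0.113.7"}).items():
        print(f"{name:24} -> {result}")
```

Running it shows the blocked host being shaped and then denied with one_pass off, but shaped and accepted with one_pass on unless the deny rule is moved ahead of the pipe.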