From owner-freebsd-net@FreeBSD.ORG Fri Jun 27 22:01:29 2008 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 541221065679 for ; Fri, 27 Jun 2008 22:01:29 +0000 (UTC) (envelope-from fjwcash@gmail.com) Received: from yw-out-2324.google.com (yw-out-2324.google.com [74.125.46.29]) by mx1.freebsd.org (Postfix) with ESMTP id 1FDCC8FC14 for ; Fri, 27 Jun 2008 22:01:29 +0000 (UTC) (envelope-from fjwcash@gmail.com) Received: by yw-out-2324.google.com with SMTP id 9so261391ywe.13 for ; Fri, 27 Jun 2008 15:01:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:in-reply-to:mime-version:content-type :content-transfer-encoding:content-disposition:references; bh=fg8UwLf4LgvijV4nAaLZSezv+S4ngwOuY1cgeUnN/Fo=; b=W93iXle7OwYCyh8P2bW9OfKtT0boq5YFAudbp/qHwX83KO14/kiJkauPM/3CAp2hDD VGUF04ida+vzAc9Lx2iTV7gTyw+9rJK/6TESzPM0+SGH+sygTW72x4NvavFtdbs/fXuN WdtfNydcNglZ+gZW08pq5ow2SaAbxX+xzqmnQ= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:in-reply-to:mime-version :content-type:content-transfer-encoding:content-disposition :references; b=oa75m3srMyaTtPuDFEA4mz5zVnJDwmZEXMGlh3Pb2I+tOMBlbTRN1UYLVLqyqn9Sr5 UJoqFjYQoAS06RYSCZWVx+a15byaLHOo6HT6CCm/djER8DKR8fh+ZFPlFc3oSzghGnOL vGzVeMGzAWCPn4VfHnUkP8NulGyuVk8aBT3jg= Received: by 10.150.205.13 with SMTP id c13mr2945970ybg.239.1214604078590; Fri, 27 Jun 2008 15:01:18 -0700 (PDT) Received: by 10.151.154.17 with HTTP; Fri, 27 Jun 2008 15:01:18 -0700 (PDT) Message-ID: Date: Fri, 27 Jun 2008 15:01:18 -0700 From: "Freddie Cash" To: freebsd-net@freebsd.org In-Reply-To: <58383628-3A79-4271-B62D-C35CC06618F0@mac.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <58383628-3A79-4271-B62D-C35CC06618F0@mac.com> Subject: Re: Understanding where dummynet fits into an ipfw ruleset X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 27 Jun 2008 22:01:29 -0000 On Fri, Jun 27, 2008 at 2:37 PM, Chuck Swiger wrote: > On Jun 27, 2008, at 1:01 PM, Freddie Cash wrote: >> Mainly, I'm wondering where to put the "ipfw queue" rules (the ones >> that send the packets to dummynet), in relation to the packet >> filtering rules, or if it even matters. >> >> For instance, do the queue rules apply to all the rules in the set, or >> only to rules that follow after the queue rules (numerically)? > > That pretty depends on whether net.inet.ip.fw.one_pass sysctl is set: [snip man page snippet] >> Would I put the queue rules at the start of the ruleset or the end? >> Or in the middle, just above the rules for the workstations? Do I add >> them after all the bad packet checks and general deny rules that are >> at the top of the ruleset? >> >> Just wondering how the queue rules interact with the general packet >> filter rules, since they can have the same parameters. > > It's reasonable to place the dummynet queue and pipe statements immediately > after anti-spoofing checks, if net.inet.ip.fw.one_pass is false; that way, > all traffic is shaped, including stuff that is later blocked by other IPFW > statements. Since the inbound traffic has already passed through your > external link(s) anyway, you might as well acknowledge that it has. Makes sense. That's the bit that was messing me up (one_pass). I'm still working my head around how it (one_pass) integrates with all the rest (divert/natd, fwd, dummynet) in a single ruleset. Looking at sysctl output on a handful of systems, some of our firewalls has one_pass enabled, others don't. That's probably what's been tripping me up, as sometimes a ruleset worked, other times it didn't, depending on the FreeBSD release (4.x, 6.x, 7.x) the firewall started with. It's only recently that I've started standardising settings across firewalls with standard hardware configs, generic rc.conf/sysctl.conf, specific rc.conf.local, and so on. Which is why I'm asking. > If net.inet.ip.fw.one_pass is true, then you definitely want to apply your > deny rules first, as once something matches a pipe rule, it's going to be > passed. The tradeoff is that the accounting/fairness of traffic is less > accurate but the firewall ruleset runs faster... So, in this situation, the "allow" rules would be the queue rules? To add traffic shaping to the following, using one_pass=1: 100 allow ip from 1.1.1.1 to 2.2.2.2 in recv em0 200 allow ip from 1.1.1.1 to 2.2.2.2 out xmit em1 300 deny ip from any to 2.2.2.2 in recv em0 Would be: 100 queue 1 ip from 1.1.1.1 to 2.2.2.2 in recv em0 200 allow ip from 1.1.1.1 to 2.2.2.2 out xmit em1 300 deny ip from any to 2.2.2.2 in recv em0 Or am I way off here? :) -- Freddie Cash fjwcash@gmail.com