From: Mikhail Manuilov
To: freebsd-ipfw@freebsd.org
Date: Fri, 18 Feb 2005 14:05:54 +0300
Subject: queue with "keep-state" statement
List-Id: IPFW Technical Discussions

Hello,

I'm one of those who want to make a powerful traffic shaper (not CBQ, but of course better than nothing) with ipfw2 on their FreeBSD 4.x-stable. My server is using the frequently used configuration with NAT+FW; it's an ADSL router with one external IP on the external network interface (we're using the ADSL modem in bridge mode).
I've configured a single pipe, configured queues to use that pipe, and added queues with different weights distinguished by destination port.

// I'm doing NAT with these rules:
03400 divert 8668 ip from { 192.168.132.0/24,192.168.10.0/24,172.16.1.0/24,10.10.10.0/24 or me } to any out via bfe0
03600 divert 8668 ip from any to me in via bfe0
// here the queues are defined
09600 queue 1 udp from me to any dst-port 53,123 out via bfe0 keep-state
09800 queue 2 tcp from any 1024-65535 to any out via bfe0 iptos lowdelay iplen 32-68 established
10000 queue 2 tcp from any 1024-65535 to any out via bfe0 iptos lowdelay established
10200 queue 2 tcp from any 1024-65535 to any out via bfe0 iptos lowdelay setup keep-state
10400 queue 3 tcp from any 1024-65535 to any dst-port 22,194,5190,23 out via bfe0 iplen 32-68 established
10600 queue 3 tcp from any 1024-65535 to any dst-port 22,194,5190,23 out via bfe0 established
10800 queue 3 tcp from any 1024-65535 to any dst-port 22,194,5190,23 out via bfe0 setup keep-state
11000 queue 4 tcp from any 1024-65535 to any dst-port 21,80,8080,443,8101,8081 out via bfe0 iplen 32-68 established
11200 queue 4 tcp from any 1024-65535 to any dst-port 21,80,8080,443,8101,8081 out via bfe0 established
11400 queue 4 tcp from any 1024-65535 to any dst-port 21,80,8080,443,8101,8081 out via bfe0 setup keep-state
11600 queue 5 tcp from any 1024-65535 to any out via bfe0 iplen 32-68 established
11800 queue 5 tcp from any 1024-65535 to any out via bfe0 established
12000 queue 5 tcp from any 1024-65535 to any out via bfe0 setup keep-state
12200 queue 6 udp from any 1024-65535 to any out via bfe0 keep-state
12400 allow tcp from any to 192.168.132.0/24,192.168.10.0/24,172.16.1.0/24,10.10.10.0/24 in via bfe0 established
// the last rule is for weird packets that natd is pushing to the stack

When a client is downloading a file via passive FTP from the NAT'ed internal network, he has ${ADSL_INBOUND_SPEED} speed (55 KByte/s). Here is the problem: when I ssh to the server and start the SAME connection with wget, I'm having only 14 KByte/s. Hitting "ipfw show" many times, I've discovered that in the first case the counters of rule 12000 are incrementing slowly and the counters of rule 12400 are incrementing very fast. In the second case only the counters of rule 12000 are incrementing, fast relative to the first case.

So here is the question: should I remove the "keep-state" statement and use a stateless firewall, adding "established" rules, or is this a bug/feature (that tracking the state of a data flow in a queue in both directions is bad, because in that case we are limiting the speed of the inbound connection as well as the outbound one (the latter is desired))?

Thanks beforehand.

PS: I can post my rc.firewall here on demand, or exec whatever you want me to exec.
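The counter behaviour described above, as an added toy model (not ipfw code and not from the poster): the first keep-state rule acts as an implicit check-state, and a dynamic rule matches packets in both directions, so for a connection opened by the router itself the returning data segments are counted on rule 12000 and sent through the outbound pipe, whereas for a natd client the dynamic rule was created with the translated source address and the re-translated inbound packets miss it and fall through to rule 12400. The ruleset is reduced to four rules and all addresses are constructed.

```python
# Toy model (added example, not ipfw code) of how the ruleset above counts
# packets. Static rules reduced to 3400/3600 (natd divert), 12000
# ('queue 5 ... setup keep-state') and 12400 ('allow ... in established').
EXT = "198.51.100.7"        # router's external address, i.e. "me" (constructed)
LAN = "192.168.132."        # first NATed network from the poster's rule 3400
REMOTE = "203.0.113.9"      # the ftp server being downloaded from (constructed)

def ipfw_sim(packets):
    """Run constructed packets through the reduced ruleset; return counters."""
    nat = {}        # natd table, toy: remote address -> internal address
    dyn = set()     # dynamic rules keyed {src, dst}; ipfw matches both directions
    counts = {3400: 0, 3600: 0, 12000: 0, 12400: 0}
    for p in packets:
        p = dict(p)
        if p["dir"] == "out" and p["src"].startswith(LAN):    # 03400 divert out
            nat[p["dst"]] = p["src"]
            p["src"] = EXT                                   # natd rewrites src
            counts[3400] += 1
        elif p["dir"] == "in" and p["dst"] == EXT:           # 03600 divert in
            counts[3600] += 1
            if p["src"] in nat:
                p["dst"] = nat[p["src"]]                     # natd rewrites dst
        # The first keep-state rule acts as an implicit check-state: a packet
        # matching a dynamic rule gets the parent rule's action (queue 5) and
        # is counted on rule 12000, whichever direction it travels.
        if frozenset((p["src"], p["dst"])) in dyn:
            counts[12000] += 1
        elif p["dir"] == "out" and p["setup"]:               # 12000 setup keep-state
            dyn.add(frozenset((p["src"], p["dst"])))
            counts[12000] += 1
        elif p["dir"] == "in" and p["dst"].startswith(LAN):  # 12400 allow ... in
            counts[12400] += 1
    return counts

def flow(local, n_data=3):
    """Constructed download: SYN out, SYN-ACK in, n_data data segments in, ACK out.
    On the wire, inbound packets carry the router's external address as destination."""
    pk = lambda s, d, dr, setup=False: {"src": s, "dst": d, "dir": dr, "setup": setup}
    return ([pk(local, REMOTE, "out", True)] +
            [pk(REMOTE, EXT, "in")] * (1 + n_data) +
            [pk(local, REMOTE, "out")])

def case_nat_client():     # the 55 KByte/s case: LAN host behind natd downloads
    return ipfw_sim(flow(LAN + "5"))

def case_router_itself():  # the 14 KByte/s case: wget run on the router over ssh
    return ipfw_sim(flow(EXT))
```

In the NAT case only the outbound SYN and ACK land on rule 12000 and the inbound data is allowed by 12400; in the router-itself case every inbound segment is counted on 12000 and shares the outbound pipe.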