Date: Wed, 17 Apr 2002 16:32:20 -0700
From: Luigi Rizzo <rizzo@icir.org>
To: John David Duncan <jdd@greatschools.net>
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: traffic shaper not quite right
Message-ID: <20020417163220.A51958@iguana.icir.org>
In-Reply-To: <BA4DB830-50A6-11D6-AEAA-00039352626A@greatschools.net>
References: <BA4DB830-50A6-11D6-AEAA-00039352626A@greatschools.net>
Hi,

first, you cannot do much to limit incoming traffic that uses a
non-adaptive protocol: pipes on the input side work for TCP (because you
effectively delay acks in the other direction, thus controlling the
source), but if you have uncontrolled UDP streams you have no way to
block them.

Second, my impression is that there is a lot of traffic not matching any
of your limiting rules and leaking to the default rule. You would
probably have an easier-to-read ruleset if you avoided
net.inet.ip.fw.one_pass: 0 and tried to do nat before the shaping.
Easier to read also means it becomes easier to see if there is traffic
leaking to the default rule without going through any pipe.

cheers
luigi

On Mon, Apr 15, 2002 at 12:26:47PM -0700, John David Duncan wrote:
> Hello,
>
> I have an office with a 500Kbit/s partial T1 connection and two internal
> subnets (one of which is NAT firewalled). On the non-routing subnet I
> have a user who listens to streaming audio from shoutcast.net. I try to
> limit this whole segment with a 320Kbit/s queue on incoming traffic
> (rule 490), but the queue doesn't seem to do the right thing: the T1 is
> still saturated; the MRTG-type graphs continue to show flatline 500Kbps
> utilization; the bucket for the shoutcast user (bucket 49) does not show
> any dropped packets.
>
> Is something wrong with the configuration? Can anyone help? It is a
> complex set of rules because there are three interfaces on the router.
>
> - JD
>
> fxp0 is at inet 199.4.104.158 [routable subnet]
> dc0 is at inet 64.165.109.140 [T1]
> dc1 is at inet 192.168.1.1 [NAT subnet]
>
> kern.clockrate: { hz = 100, tick = 10000, tickadj = 5, profhz = 1024, stathz = 128 }
> net.inet.ip.fw.one_pass: 0
>
> #ipfw show
> # Rules 100,200,900,1000 are Anti-IP-spoofing:
> 00100 0 0 deny ip from 199.4.104.128/27 to any in recv dc0
> 00200 3 120 deny ip from 192.168.0.0/16 to any in recv dc0
> 00300 4636 129808 allow igmp from any to 224.0.0.0/24
> 00400 0 0 allow udp from any to 224.0.0.0/24
>
> # 400 Kbps pipe: routing subnet <--> internet
> 00450 1407393 235757596 pipe 3 ip from 199.4.104.128/27 to not 192.168.0.0/16 in recv fxp0
> 00470 4315861 2430690170 pipe 4 ip from not 192.168.0.0/16 to 199.4.104.128/27 out xmit fxp0
>
> # 320 Kbps queue: internet --> NAT subnet
> 00490 522572 566492862 queue 1 ip from not 199.4.104.128/27 to any out xmit dc1
>
> 00500 559 28248 unreach port tcp [...] setup
> 00600 0 0 unreach port udp [...]
>
> # natd -u -m -s -a 199.4.104.129
> 00700 3511249 2088173616 divert 8668 ip from any to any via dc0
> 00800 58 19269 allow udp from [...]
> 00900 0 0 deny log logamount 100 ip from not 199.4.104.128/27 to any in recv fxp0
> 01000 0 0 deny log logamount 100 ip from not 192.168.0.0/16 to any in recv dc1
> 65535 25608836 20535828203 allow ip from any to any
>
> bash-2.05# ipfw pipe show
> 00003: 400.000 Kbit/s 0 ms 50 sl. 1 queues (1 buckets) droptail
> mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>   0 tcp  199.4.104.139/49749   199.4.104.158/22      2357011 376527402  0 0 918
> 00004: 400.000 Kbit/s 0 ms 50 sl. 1 queues (1 buckets) droptail
> mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>   0 tcp  192.168.1.107/4081    199.4.104.154/25      6480903 2769629456 0 0 10
> 00010: 320.000 Kbit/s 0 ms 10 KB 0 queues (1 buckets) droptail
> mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> q00001: weight 5 pipe 10 50 sl. 15 queues (64 buckets) droptail
> mask: 0x00 0x00000000/0x0000 -> 0x0000ffff/0x0000
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>   2 ip   0.0.0.0/0             0.0.1.2/0                  53      7088 0    0  0
>  38 ip   0.0.0.0/0             0.0.1.102/0             12676   9377918 0    0  0
>  40 ip   0.0.0.0/0             0.0.1.104/0              2129   1354742 0    0  0
>  41 ip   0.0.0.0/0             0.0.1.105/0                23      3995 0    0  0
>  43 ip   0.0.0.0/0             0.0.1.107/0             13243  11747508 0    0  0
>  46 ip   0.0.0.0/0             0.0.1.110/0             10123   8827868 0    0  0
>  49 ip   0.0.0.0/0             0.0.1.113/0            402263 473946687 4 4541  0
>  50 ip   0.0.0.0/0             0.0.1.114/0             16602  10231616 0    0 64
>  52 ip   0.0.0.0/0             0.0.1.116/0              3497   3299405 0    0  0
>  54 ip   0.0.0.0/0             0.0.1.118/0              4283   3470449 0    0  0
>  56 ip   0.0.0.0/0             0.0.1.120/0              4064   3523496 0    0  0
>  57 ip   0.0.0.0/0             0.0.1.121/0             14342  16914636 0    0  0
>  58 ip   0.0.0.0/0             0.0.1.122/0             24860  18228508 0    0  0
>  59 ip   0.0.0.0/0             0.0.1.123/0             17697  15428527 0    0  0
>  63 ip   0.0.0.0/0             0.0.1.255/0              4824    366624 0    0  0
>
> -------------------------------------------
> John David Duncan
> Systems Administrator
> GreatSchools, Inc. (415) 977-0700 x115
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-ipfw" in the body of the message
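Luigi's suggestion is to check whether traffic reaches the default rule without passing through any pipe or queue. The script below is an added example, not code from either poster or from FreeBSD: it parses `ipfw show` output (re-joining rules that a mailer wrapped over two lines) and compares the byte counter of rule 65535 with the counters of the dummynet rules. The sample input is constructed from the `ipfw show` listing quoted above. The arithmetic assumes `net.inet.ip.fw.one_pass=0`, as in the post, so that a shaped packet continues down the ruleset and is counted again at the default rule; it is an indicator of a leak, not an exact measurement, because a forwarded packet is counted once on its inbound and once on its outbound pass through the firewall.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One "ipfw show" line: rule number, packet counter, byte counter, action, rest.
RULE_RE = re.compile(r"^(\d{5})\s+(\d+)\s+(\d+)\s+(\S+)\s*(.*)$")
SHAPING_ACTIONS = {"pipe", "queue"}   # dummynet actions
DEFAULT_RULE = 65535                  # ipfw's implicit last rule

# Constructed sample: the "ipfw show" output quoted in the thread, with the
# mailer's line wrapping left in place so the parser has to re-join rules.
SAMPLE_IPFW_SHOW = """\
# Rules 100,200,900,1000 are Anti-IP-spoofing:
00100 0 0 deny ip from 199.4.104.128/27 to any in recv dc0
00200 3 120 deny ip from 192.168.0.0/16 to any in recv dc0
00300 4636 129808 allow igmp from any to 224.0.0.0/24
00400 0 0 allow udp from any to 224.0.0.0/24
# 400 Kbps pipe: routing subnet <--> internet
00450 1407393 235757596 pipe 3 ip from 199.4.104.128/27 to not
192.168.0.0/16 in recv fxp0
00470 4315861 2430690170 pipe 4 ip from not 192.168.0.0/16 to
199.4.104.128/27 out xmit fxp0
# 320 Kbps queue: internet --> NAT subnet
00490 522572 566492862 queue 1 ip from not 199.4.104.128/27 to any
out xmit dc1
00500 559 28248 unreach port tcp [...] setup
00600 0 0 unreach port udp [...]
# natd -u -m -s -a 199.4.104.129
00700 3511249 2088173616 divert 8668 ip from any to any via dc0
00800 58 19269 allow udp from [...]
00900 0 0 deny log logamount 100 ip from not
199.4.104.128/27 to any in recv fxp0
01000 0 0 deny log logamount 100 ip from not
192.168.0.0/16 to any in recv dc1
65535 25608836 20535828203 allow ip from any to any
"""


@dataclass
class Rule:
    number: int
    packets: int
    bytes: int
    action: str
    body: str
    shaper_id: Optional[int] = None   # pipe/queue number for dummynet rules


def parse_ipfw_show(text: str) -> List[Rule]:
    """Parse 'ipfw show' output, re-joining rules wrapped over several lines."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            # Not a rule header: treat it as the tail of the previous (wrapped) rule.
            if rules:
                rules[-1].body = f"{rules[-1].body} {line}".strip()
            continue
        number, pkts, nbytes, action, body = m.groups()
        rule = Rule(int(number), int(pkts), int(nbytes), action, body)
        if action in SHAPING_ACTIONS:
            # "pipe 3 ip from ..." -> shaper_id 3, body "ip from ..."
            sid, _, rest = body.partition(" ")
            rule.shaper_id = int(sid)
            rule.body = rest
        rules.append(rule)
    return rules


def bytes_by_action(rules: List[Rule]) -> Dict[str, int]:
    """Byte counters summed per action keyword (allow, deny, pipe, queue, ...)."""
    totals: Dict[str, int] = {}
    for r in rules:
        totals[r.action] = totals.get(r.action, 0) + r.bytes
    return totals


def leak_report(rules: List[Rule]) -> Dict[str, object]:
    """Estimate how much traffic reached the default rule without being shaped.

    With net.inet.ip.fw.one_pass=0 a packet re-enters the ruleset after
    dummynet, so every packet not terminated by an earlier allow/deny/unreach
    rule is counted again at rule 65535. Default-rule bytes minus pipe/queue
    bytes therefore bounds the traffic that bypassed the shapers.
    """
    shaped = sum(r.bytes for r in rules if r.action in SHAPING_ACTIONS)
    default = next((r.bytes for r in rules if r.number == DEFAULT_RULE), 0)
    unshaped = max(default - shaped, 0)
    return {
        "shaped_bytes": shaped,
        "default_rule_bytes": default,
        "unshaped_estimate": unshaped,
        "unshaped_share": (unshaped / default) if default else 0.0,
        "leak_suspected": unshaped > shaped,
    }


if __name__ == "__main__":
    parsed = parse_ipfw_show(SAMPLE_IPFW_SHOW)
    for r in parsed:
        tag = f"{r.action} {r.shaper_id}" if r.shaper_id is not None else r.action
        print(f"{r.number:5d} {r.bytes:>12d} {tag:<12} {r.body}")
    print(leak_report(parsed))
```

On the quoted counters the three dummynet rules account for roughly 3.2 GB while rule 65535 has seen about 20.5 GB, so most of the traffic on this router is never shaped; rewriting the ruleset with nat before the shaping and `one_pass=1`, as suggested above, makes the same check a matter of reading the counters directly, because a shaped packet then stops at its pipe or queue instead of falling through.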