Date: Tue, 21 Dec 2004 08:25:43 -0800
From: Darcy Buskermolen <darcy@wavefire.com>
To: freebsd-ipfw@freebsd.org, csmith@bonddesk.com
Subject: Re: Per flow load balancing
Message-ID: <200412210825.44270.darcy@wavefire.com>
In-Reply-To: <1103567616.35576.143.camel@localhost>
References: <1103315143.35576.127.camel@localhost> <200412171431.12983.darcy@wavefire.com> <1103567616.35576.143.camel@localhost>
On December 20, 2004 10:33 am, Corey Smith wrote:
> On Fri, 2004-12-17 at 14:31 -0800, Darcy Buskermolen wrote:
> > Yes you can do this through the use of keep-state/check-state
>
> I'm trying a rule base like:
>
> 00005 check-state
> 00006 allow udp from any to any
> 00007 allow icmp from any to any
> 00010 reject tcp from any to any established
> 00015 prob 0.5 fwd tun1peerip tcp from any to any \
>       recv bge0 xmit tun0 setup keep-state
> 00020 allow tcp from any to any setup keep-state
> 65535 allow ip from any to any
>
> Unfortunately no connections ever match rule 15. Any way you can show
> me an example of using keep-state/check-state for per flow load
> balancing?

Here is a cut down set I use in one of my setups that does per-flow load balancing:

add 1 skipto 50000 tcp from any 1023-65535 to me 22 via xl1
#interactive traffic like ssh or telnet is best suited to the DSL
1000 skipto 1012 tcp from 192.168.0.0/16 to 1.2.3.0/24 22,23 #skip vpn traffic
1010 divert 8668 tcp from 192.168.0.0/16 to not 192.168.0.0/16 22 #xl0
1011 divert 8668 tcp from 192.168.0.0/16 to not 192.168.0.0/16 23 #xl0
#5000 -> 5999 default divert rules
5000 divert 8668 ip from any to me in via xl0
5001 divert 8669 ip from any to me in via fxp0
add 5010 check-state
#push 45% of the traffic down the DSL
5100 prob 0.4 skipto 5500 ip from 192.168.0.0/16 to not 192.168.0.0/16 out keep-state
5101 skipto 5550 tcp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 20,21 out keep-state
#the rest down cable
5110 skipto 5550 ip from 192.168.0.0/16 to not 192.168.0.0/16 out keep-state
5500 divert 8668 ip from 192.168.0.0/16 to not 192.168.0.0/16
5550 divert 8669 ip from 192.168.0.0/16 to not 192.168.0.0/16
10000 skipto 50000 ip from 192.168.0.0/16 to me in via xl1
10020 skipto 50000 tcp from any to any established
11010 skipto 50000 icmp from me to any
60000 fwd dslgateway ip from mydslip to not 192.168.0.0/16
60001 fwd cablegateway ip from mycableip to not 192.168.0.0/16
65534 allow ip from any to any
> -Corey Smith

--
Darcy Buskermolen
Wavefire Technologies Corp.
ph: 250.717.0200 fx: 250.763.1759
http://www.wavefire.com
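A small model of the mechanism the rule set above relies on (check-state, prob 0.4 skipto, keep-state): the dice are rolled once per flow, and every later packet of that flow follows the stored decision. This is an added illustration, not code from the thread; the Balancer class, the packet trace and the link names are constructed.

```python
import random
from dataclasses import dataclass

DSL, CABLE = "dsl", "cable"  # the two uplinks in the rule set above (constructed labels)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def flow_key(self):
        # ipfw dynamic rules are keyed on the 5-tuple, so one TCP connection is one flow
        return (self.proto, self.src, self.sport, self.dst, self.dport)


class Balancer:
    """Models rules 5010 (check-state), 5100 (prob 0.4 skipto DSL) and 5110 (skipto cable)."""

    def __init__(self, dsl_share=0.4, seed=0, stateful=True):
        self.dsl_share = dsl_share
        self.rng = random.Random(seed)
        self.stateful = stateful  # False models the same rules with keep-state/check-state removed
        self.state = {}           # dynamic rule table: flow key -> path chosen for that flow

    def route(self, pkt):
        key = pkt.flow_key()
        if self.stateful and key in self.state:
            return self.state[key]  # check-state hit: the flow keeps the path it was given
        # first packet of the flow (or every packet, when stateless): roll the prob 0.4 dice
        path = DSL if self.rng.random() < self.dsl_share else CABLE
        if self.stateful:
            self.state[key] = path  # keep-state: remember the decision for the rest of the flow
        return path


def simulate(n_flows, pkts_per_flow, stateful, seed=0):
    """Constructed trace: n_flows TCP connections from 192.168.0.0/16 hosts to one outside host."""
    b = Balancer(stateful=stateful, seed=seed)
    consistent, dsl_flows = 0, 0
    for i in range(n_flows):
        pkt = Packet(f"192.168.{i // 250}.{i % 250 + 1}", 10000 + i, "203.0.113.7", 443)
        paths = {b.route(pkt) for _ in range(pkts_per_flow)}
        consistent += len(paths) == 1   # a flow is only usable if all its packets take one link
        dsl_flows += paths == {DSL}
    return {"consistent_flows": consistent, "dsl_fraction": dsl_flows / n_flows}
```

Without the state rules the same prob rule splits individual packets of one connection across both links, which is what the stateless run shows.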