
EUREKA!!!!!
After days and hours sitting in front of this terminal window, IT HAS HAPPENED! Here I post the entire firewall config, as my final firewall-writing opus (if there's a God I'll never have to write another one).
Code:
$ cat /etc/firewall
#!/bin/sh -

#
# Setup system for ipfw(4) firewall service.
#
# Loads the rc.conf variables this script keys on (firewall_type,
# firewall_quiet, natd_*, firewall_nat_*), then installs the rule set
# selected by ${firewall_type}.
#

# Suck in the configuration variables, unless whoever invoked us already
# did so (source_rc_confs_defined is presumably set by source_rc_confs).
case "${source_rc_confs_defined}" in
"")
        if [ -r /etc/defaults/rc.conf ]; then
                # The defaults file supplies source_rc_confs, which is
                # expected to pull in /etc/rc.conf on our behalf.
                . /etc/defaults/rc.conf
                source_rc_confs
        elif [ -r /etc/rc.conf ]; then
                # No defaults file: fall back to the local rc.conf alone.
                . /etc/rc.conf
        fi
        ;;
esac

############
# Define the firewall type in /etc/rc.conf.  Valid values are:
#   open        - allows anyone in; safety net
#   limiter     - allows the listed clients, caps their bandwidth with
#                 dummynet pipes, and denies every other host (rule 65300)

############

setup_loopback () {
        ############
        # Loopback hygiene -- rarely needs changing.  Everything on lo0 is
        # passed (100); after that, any packet carrying a 127/8 address on a
        # non-loopback interface is dropped (200/300) before the interface
        # "allow" rules further down can match it.
        #
        for _lo_rule in \
                "100 pass all from any to any via lo0" \
                "200 deny all from any to 127.0.0.0/8" \
                "300 deny ip from 127.0.0.0/8 to any"
        do
                # Deliberately unquoted: the rule text is word-split into
                # ipfw's arguments exactly as the literal form would be.
                ${fwcmd} add ${_lo_rule}
        done
        unset _lo_rule
}

# A type given on the command line ("/etc/firewall limiter") overrides
# firewall_type from rc.conf.
[ -n "${1}" ] && firewall_type="${1}"

############
# Build the ipfw command.  firewall_quiet=YES adds -q so ipfw does not
# echo every rule it installs.  NOTE(review): ipfw(8) recommends -q when
# loading rules over a remote login, because output written to a session
# that a freshly added rule has just blocked can abort the rest of the
# script -- verify against the ipfw(8) of the running release.
#
fwcmd="/sbin/ipfw"
case ${firewall_quiet} in
[Yy][Ee][Ss])
        fwcmd="${fwcmd} -q"
        ;;
esac

############
# Start from an empty rule set.  NOTE(review): between this flush and the
# rules added below only the kernel's built-in default rule applies
# (accept or deny depending on how the kernel was built), so a script
# error here leaves the box either wide open or unreachable -- confirm
# which applies before running this remotely.
#
${fwcmd} -f flush

setup_loopback

############
# Network Address Translation.  All packets are passed to natd(8)
# before they encounter your remaining rules.  The firewall rules
# will then be run again on each packet after translation by natd
# starting at the rule number following the divert rule.
#
# There is no ``simple'' type in this script; for both ``open'' and
# ``limiter'' the NAT rule is installed at number 50, ahead of all others.
#
case ${firewall_type} in
[Oo][Pp][Ee][Nn]|[Ll][Ii][Mm][Ii][Tt][Ee][Rr])
        # Userland NAT via natd(8).  Rule 50 runs before everything else,
        # so the rules that follow see translated addresses.  Nothing is
        # installed when no interface is configured ("via" needs one).
        if [ -n "${natd_interface}" ]; then
                case ${natd_enable} in
                [Yy][Ee][Ss])
                        ${fwcmd} add 50 divert natd ip4 from any to any via ${natd_interface}
                        ;;
                esac
        fi
        # In-kernel NAT (ipfw nat instance 123), also at rule 50.
        # NOTE(review): enabling both natd_enable and firewall_nat_enable
        # installs two rule-50 entries, so a packet can be translated
        # twice -- turn on only one of the two.
        if [ -n "${firewall_nat_interface}" ]; then
                case ${firewall_nat_enable} in
                [Yy][Ee][Ss])
                        ${fwcmd} nat 123 config if ${firewall_nat_interface} log
                        ${fwcmd} add 50 nat 123 ip4 from any to any via ${firewall_nat_interface}
                        ;;
                esac
        fi
        ;;
esac

############
# If you just configured ipfw in the kernel as a tool to solve network
# problems or you just want to disallow some particular kinds of traffic
# then you will want to change the default policy to open.  You can also
# do this as your only action by setting the firewall_type to ``open''.
#
# ${fwcmd} add 65000 pass all from any to any


# Prototype setups.
#
case "${firewall_type}" in
[Oo][Pp][Ee][Nn])
        # "open" means no filtering at all: one catch-all pass at 65000.
        # The loopback rules and any NAT rule installed above still apply.
        ${fwcmd} add 65000 pass all from any to any
        ;;
*)
        # Every other type installs its own rules further down.
        ;;
esac



# # # # # # # # # # # # # #
# Bandwidth capping rules #
# # # # # # # # # # # # # #


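# Interfaces and addresses the limiter rules key on.  The rule text below
# is unchanged from the hand-written version; these names only stop the
# same literals from being repeated in every rule.
limiter_wan_if="nfe0"           # Internet side
limiter_lan_if="rl0"            # client side
limiter_gw_addr="192.168.2.1"   # this gateway's LAN address

# Default per-client caps: "down" is traffic towards the client arriving
# from the Internet, "up" is traffic from the client arriving on the LAN.
# A host may override both in its limit_client call.
client_bw_down="256Kbit/s"
client_bw_up="85Kbit/s"

#######################################
# Install the pipe pair and rule pair that shape one client.
# Arguments:
#   $1 - client IP address
#   $2 - rule number for traffic from the Internet to $1
#   $3 - dummynet pipe number for that (download) direction
#   $4 - rule number for traffic from $1 arriving on the LAN
#   $5 - dummynet pipe number for that (upload) direction
#   $6 - download bandwidth (default: ${client_bw_down})
#   $7 - upload bandwidth   (default: ${client_bw_up})
# Globals:   fwcmd, limiter_wan_if, limiter_lan_if, client_bw_* (read)
# Outputs:   whatever ${fwcmd} prints
#######################################
limit_client () {
        local _ip _rule_in _pipe_in _rule_out _pipe_out _bw_in _bw_out
        _ip="${1}"
        _rule_in="${2}"
        _pipe_in="${3}"
        _rule_out="${4}"
        _pipe_out="${5}"
        _bw_in="${6:-${client_bw_down}}"
        _bw_out="${7:-${client_bw_up}}"

        ${fwcmd} pipe ${_pipe_in} config bw ${_bw_in}
        ${fwcmd} pipe ${_pipe_out} config bw ${_bw_out}
        # Both rules match on the *inbound* pass of an interface, so each
        # packet is shaped once, on entry.  NOTE(review): nothing else in
        # this type allows these packets, so their acceptance after the
        # pipe relies on net.inet.ip.fw.one_pass=1 (the usual default);
        # with one_pass=0 they re-enter the rule set and hit the deny at
        # 65300 -- confirm the sysctl on this box.
        ${fwcmd} add ${_rule_in} pipe ${_pipe_in} all from any to ${_ip} in via ${limiter_wan_if}
        ${fwcmd} add ${_rule_out} pipe ${_pipe_out} all from ${_ip} to any in via ${limiter_lan_if}
}

case ${firewall_type} in
[Ll][Ii][Mm][Ii][Tt][Ee][Rr])

# Default policy for this type: anything not allowed or shaped below is
# dropped.  ipfw evaluates by rule number, not insertion order, so this
# is checked last even though it is added first.
${fwcmd} add 65300 deny all from any to any

# Outbound on either interface is unconditionally allowed; all filtering
# happens on the inbound pass.  NOTE(review): this lets the gateway's own
# traffic leave via nfe0, but no rule below admits the replies (they are
# addressed to the gateway, not to a 192.168.2.x client, and arrive via
# nfe0, not rl0), so they fall to 65300.  Confirm whether the gateway
# itself needs Internet access and, if so, add a keep-state rule for it.
${fwcmd} add 350 allow all from any to any out via ${limiter_wan_if}
${fwcmd} add 351 allow all from any to any out via ${limiter_lan_if}

# The gateway can be reached from, and can reach, every LAN host without
# shaping -- including hosts that are not in the client list below.
${fwcmd} add 360 allow all from any to ${limiter_gw_addr} via ${limiter_lan_if}
${fwcmd} add 361 allow all from ${limiter_gw_addr} to any via ${limiter_lan_if}

# Per-client shaping.  Each client owns one pipe pair and one rule pair;
# keep the numbers unique when adding a host.  These rules key on the IP
# address alone: a LAN host that takes over a listed address inherits
# that host's pipe, and a host on an unlisted address is denied by 65300.
# Bind addresses to hardware (static DHCP leases / ARP entries, or ipfw
# MAC rules) if that matters in this network.
#
#            ip              rule_in pipe_in rule_out pipe_out [bw_down   bw_up]
# Centrul - principal (100Mbit/s pipes)
limit_client 192.168.2.2     401     4001    402      4002     100Mbit/s 100Mbit/s
# Centrul - c1 .. c9
limit_client 192.168.2.3     501     1       502      2
limit_client 192.168.2.4     503     3       504      4
limit_client 192.168.2.5     505     5       506      6
limit_client 192.168.2.6     507     7       508      8
limit_client 192.168.2.7     509     9       510      10
limit_client 192.168.2.8     511     11      512      12
limit_client 192.168.2.9     513     13      514      14
limit_client 192.168.2.10    515     15      516      16
limit_client 192.168.2.11    517     17      518      18
# Petrea
limit_client 192.168.2.12    519     19      520      20
# Anisoara Ulmanu
limit_client 192.168.2.13    521     21      522      22
# Grisa
limit_client 192.168.2.14    523     23      524      24
# Nicu Bivol
limit_client 192.168.2.15    525     25      526      26

;;
esac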
Now here's what it does:
Limits each listed network client's Internet bandwidth to 256 Kbit/s down / 85 Kbit/s up (one dummynet pipe per direction per host), and denies hosts that are not on the list (rule 65300).
Does NOT limit clients' bandwidth to the gateway itself (192.168.2.1) -- rules 360/361 pass that traffic unshaped.

Two little sentences describe so much ipfw!