DaemonForums > FreeBSD > FreeBSD Security

#1   1st August 2008
Weaseal
Package Pilot
Join Date: May 2008
Location: East Coast, US
Posts: 177

ipfw rules not behaving
I am trying to limit clients on the network to 256Kbit/s down and 85Kbit/s up for internet use. We use FreeBSD 7.0-p3 as our gateway.

The bandwidth limiting is working, but it's working too well. It's not only limiting clients' access to the internet, but also to the server itself! For example, a client copying a file to/from the samba share on the FreeBSD gateway is still limited to 256Kbit/s / 85Kbit/s! We don't want this; we only want to limit their access on the other side of the FreeBSD gateway!

Here are the firewall rules:
Code:
$ cat /etc/firewall
#!/bin/sh -

#
# Setup system for ipfw(4) firewall service.
#

# Suck in the configuration variables.
if [ -z "${source_rc_confs_defined}" ]; then
        if [ -r /etc/defaults/rc.conf ]; then
                . /etc/defaults/rc.conf
                source_rc_confs
        elif [ -r /etc/rc.conf ]; then
                . /etc/rc.conf
        fi
fi

############
# Define the firewall type in /etc/rc.conf.  Valid values are:
#   open        - allows anyone in; safety net
#   limiter     - allows our clients and limits their bandwidth. should block all others

############

setup_loopback () {
        ############
        # Only in rare cases do you want to change these rules
        #
        ${fwcmd} add 100 pass all from any to any via lo0
        ${fwcmd} add 200 deny all from any to 127.0.0.0/8
        ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
}

if [ -n "${1}" ]; then
        firewall_type="${1}"
fi

############
# Set quiet mode if requested
#
case ${firewall_quiet} in
[Yy][Ee][Ss])
        fwcmd="/sbin/ipfw -q"
        ;;
*)
        fwcmd="/sbin/ipfw"
        ;;
esac

############
# Flush out the list before we begin.
#
${fwcmd} -f flush

setup_loopback

############
# Network Address Translation.  All packets are passed to natd(8)
# before they encounter your remaining rules.  The firewall rules
# will then be run again on each packet after translation by natd
# starting at the rule number following the divert rule.
#
# For ``simple'' firewall type the divert rule should be put to a
# different place to not interfere with address-checking rules.
#
case ${firewall_type} in
[Oo][Pp][Ee][Nn]|[Ll][Ii][Mm][Ii][Tt][Ee][Rr])
        case ${natd_enable} in
        [Yy][Ee][Ss])
                if [ -n "${natd_interface}" ]; then
                        ${fwcmd} add 50 divert natd ip4 from any to any via ${natd_interface}
                fi
                ;;
        esac
        case ${firewall_nat_enable} in
        [Yy][Ee][Ss])
                if [ -n "${firewall_nat_interface}" ]; then
                        ${fwcmd} nat 123 config if ${firewall_nat_interface} log
                        ${fwcmd} add 50 nat 123 ip4 from any to any via ${firewall_nat_interface}
                fi
                ;;
        esac
esac

############
# If you just configured ipfw in the kernel as a tool to solve network
# problems or you just want to disallow some particular kinds of traffic
# then you will want to change the default policy to open.  You can also
# do this as your only action by setting the firewall_type to ``open''.
#
# ${fwcmd} add 65000 pass all from any to any


# Prototype setups.
#
case ${firewall_type} in
[Oo][Pp][Ee][Nn])
        ${fwcmd} add 65000 pass all from any to any
        ;;

esac

############
# Bandwidth capping rules

case ${firewall_type} in
[Ll][Ii][Mm][Ii][Tt][Ee][Rr])

# Deny everyone who isn't on the list below
${fwcmd} add 65300 deny all from any to any

# Allow everything via the LAN interface
${fwcmd} add 400 allow all from any to any via nfe0


# Centrul - main
${fwcmd} pipe 4001 config bw 3000Kbit/s
${fwcmd} pipe 4002 config bw 1000Kbit/s
${fwcmd} add 401 pipe 4001 all from any to 192.168.2.2
${fwcmd} add 402 pipe 4002 all from 192.168.2.2 to any

# Centrul - c1
${fwcmd} pipe 1 config bw 256Kbit/s
${fwcmd} pipe 2 config bw 85Kbit/s
${fwcmd} add 501 pipe 1 all from any to 192.168.2.3
${fwcmd} add 502 pipe 2 all from 192.168.2.3 to any

# Centrul - c2
${fwcmd} pipe 3 config bw 256Kbit/s
${fwcmd} pipe 4 config bw 85Kbit/s
${fwcmd} add 503 pipe 3 all from any to 192.168.2.4
${fwcmd} add 504 pipe 4 all from 192.168.2.4 to any

# Centrul - c3
${fwcmd} pipe 5 config bw 256Kbit/s
${fwcmd} pipe 6 config bw 85Kbit/s
${fwcmd} add 505 pipe 5 all from any to 192.168.2.5
${fwcmd} add 506 pipe 6 all from 192.168.2.5 to any

# Centrul - c4
${fwcmd} pipe 7 config bw 256Kbit/s
${fwcmd} pipe 8 config bw 85Kbit/s
${fwcmd} add 507 pipe 7 all from any to 192.168.2.6
${fwcmd} add 508 pipe 8 all from 192.168.2.6 to any

# Centrul - c5
${fwcmd} pipe 9 config bw 256Kbit/s
${fwcmd} pipe 10 config bw 85Kbit/s
${fwcmd} add 509 pipe 9 all from any to 192.168.2.7
${fwcmd} add 510 pipe 10 all from 192.168.2.7 to any

# Centrul - c6
${fwcmd} pipe 11 config bw 256Kbit/s
${fwcmd} pipe 12 config bw 85Kbit/s
${fwcmd} add 511 pipe 11 all from any to 192.168.2.8
${fwcmd} add 512 pipe 12 all from 192.168.2.8 to any

# Centrul - c7
${fwcmd} pipe 13 config bw 256Kbit/s
${fwcmd} pipe 14 config bw 85Kbit/s
${fwcmd} add 513 pipe 13 all from any to 192.168.2.9
${fwcmd} add 514 pipe 14 all from 192.168.2.9 to any

# Centrul - c8
${fwcmd} pipe 15 config bw 3000Kbit/s
${fwcmd} pipe 16 config bw 1000Kbit/s
${fwcmd} add 515 pipe 15 all from any to 192.168.2.10
${fwcmd} add 516 pipe 16 all from 192.168.2.10 to any

# Centrul - c9
${fwcmd} pipe 17 config bw 256Kbit/s
${fwcmd} pipe 18 config bw 85Kbit/s
${fwcmd} add 517 pipe 17 all from any to 192.168.2.11
${fwcmd} add 518 pipe 18 all from 192.168.2.11 to any
And here's ifconfig:
Code:
$ ifconfig
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:e0:4c:4d:0d:68
        inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:1d:92:0b:ae:ef
        inet 192.168.1.200 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
192.168.1.0/24 is the 'internet' (it's where our router is anyway which goes to the internet) and 192.168.2.0/24 is the internal network.

Any ideas as to why it is behaving this way?
__________________
FreeBSD addict since 4.2-RELEASE.
My FreeBSD wiki.
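The following is an added example, not the poster's script or anything from FreeBSD itself, showing one way to write the pipe rules so that only forwarded traffic is shaped. In the posted script every pipe rule matches "all from any to <client>" / "from <client> to any" with no interface or direction qualifier, and rule 400 already accepts everything via nfe0 before the pipes are reached, so the pipes are only ever hit by packets on rl0, which includes packets between a client and the gateway's own addresses (the samba share). Adding "not me" (every address the gateway owns) and pinning each rule to the LAN interface and a direction leaves gateway-local traffic unshaped while still capping what is forwarded toward the uplink. The interface names and addresses are taken from the poster's ifconfig (rl0 = 192.168.2.1 LAN side, nfe0 = 192.168.1.200 uplink); the rule and pipe numbers follow the poster's scheme, except that the loop gives every host 192.168.2.3-11 the 256/85 pipes for brevity (the poster's c8 uses larger ones). fwcmd defaults to echo so the script is a dry run that prints the rules it would install; set fwcmd=/sbin/ipfw to apply them.

```shell
#!/bin/sh
# Added example (not the poster's script): ipfw pipe rules that shape only
# traffic forwarded between the LAN and the uplink, so LAN-to-gateway traffic
# (e.g. the samba share on the gateway itself) is never queued in a pipe.
#
# Assumptions (from the poster's ifconfig): rl0 = LAN side (192.168.2.1/24),
# nfe0 = uplink side (192.168.1.200/24). fwcmd defaults to "echo" so this is
# a dry run that prints the rules; set fwcmd=/sbin/ipfw to actually load them.
fwcmd="${fwcmd:-echo}"
lan_if="${lan_if:-rl0}"

# limiter_client <rule-base> <down-pipe> <up-pipe> <client-ip> <down-bw> <up-bw>
# Emits two pipes and two rules for one client. "not me" excludes every
# address owned by the gateway, so only traffic that is being forwarded
# through the box (i.e. to/from the uplink side) is shaped.
limiter_client() {
    base="$1"; dpipe="$2"; upipe="$3"; ip="$4"; dbw="$5"; ubw="$6"
    ${fwcmd} pipe "${dpipe}" config bw "${dbw}"
    ${fwcmd} pipe "${upipe}" config bw "${ubw}"
    # downstream: packets leaving on the LAN interface, bound for the client,
    # that did not originate on the gateway itself
    ${fwcmd} add "${base}" pipe "${dpipe}" all from not me to "${ip}" out via "${lan_if}"
    # upstream: packets arriving on the LAN interface from the client that
    # are not addressed to the gateway itself
    ${fwcmd} add "$((base + 1))" pipe "${upipe}" all from "${ip}" to not me in via "${lan_if}"
}

# limiter_rules: the client table in the poster's numbering scheme
# (192.168.2.2 = main site, 192.168.2.3-11 = c1..c9).
limiter_rules() {
    limiter_client 401 4001 4002 192.168.2.2 3000Kbit/s 1000Kbit/s
    rule=501; pipe=1; host=3
    while [ "${host}" -le 11 ]; do
        limiter_client "${rule}" "${pipe}" "$((pipe + 1))" "192.168.2.${host}" 256Kbit/s 85Kbit/s
        rule=$((rule + 2)); pipe=$((pipe + 2)); host=$((host + 1))
    done
}

# count_shaped_rules: number of "add ... pipe" rules produced in dry-run mode;
# a quick sanity check that every client got both directions (10 clients -> 20).
count_shaped_rules() {
    limiter_rules | grep -c ' pipe [0-9]* all from '
}
```

Two points worth keeping in mind when loading this on the poster's box: with the default net.inet.ip.fw.one_pass=1, a packet that has passed through a pipe is accepted and never reaches the final deny at 65300, which is why the posted rules work without an explicit allow after each pipe; and because the "not me" rules match on rl0 before NAT has rewritten anything, the client addresses are still visible to them in both directions, which is not the case for rules placed after the divert on nfe0. Run the script with the default fwcmd first and read the printed rules before pointing fwcmd at /sbin/ipfw.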