Add the interface names to your bandwidth rules. Packets should only be sent to the queues when leaving (out xmit) the external interface, and when entering (in recv) the external interface.
Right now, you are also double-shaping all your packets, as you haven't specified interfaces on any of your rules.

Could you please provide some examples? I'm stuck. I either completely block the machine, give it unlimited bandwidth, or get it stuck with both limited bandwidth to the gateway and the internet.
I want unlimited bandwidth to the gateway but limited to the internet. I think what I'm stuck on is the 'in/out' part. What does each refer to exactly? Does in mean into the network? Into the interface? From which direction? I've read the man page but it didn't help me understand. Here's an example of what I tried based on what you said:
Code:
    # Centrul - c8
    ${fwcmd} pipe 15 config bw 256Kbit/s
    ${fwcmd} pipe 16 config bw 85Kbit/s
    ${fwcmd} add 515 pipe 15 all from any to 192.168.2.10 via nfe0 out
    ${fwcmd} add 516 pipe 16 all from 192.168.2.10 to any via rl0 in
Last edited by Weaseal; 8th August 2008 at 12:56 PM.

EUREKA!!!!!
After days and hours sitting in front of this term window, IT HAS HAPPENED! I here post the entire firewall config, as my final firewall writing opus (if there's a God I'll never have to write another one)
Code:
    $ cat /etc/firewall
    #!/bin/sh -
    #
    # Setup system for ipfw(4) firewall service.
    #

    # Suck in the configuration variables.
    if [ -z "${source_rc_confs_defined}" ]; then
        if [ -r /etc/defaults/rc.conf ]; then
            . /etc/defaults/rc.conf
            source_rc_confs
        elif [ -r /etc/rc.conf ]; then
            . /etc/rc.conf
        fi
    fi

    ############
    # Define the firewall type in /etc/rc.conf. Valid values are:
    #   open    - allows anyone in; safety net
    #   limiter - allows our clients and limits their bandwidth. should block all others
    ############

    setup_loopback () {
        ############
        # Only in rare cases do you want to change these rules
        #
        ${fwcmd} add 100 pass all from any to any via lo0
        ${fwcmd} add 200 deny all from any to 127.0.0.0/8
        ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
    }

    if [ -n "${1}" ]; then
        firewall_type="${1}"
    fi

    ############
    # Set quiet mode if requested
    #
    case ${firewall_quiet} in
    [Yy][Ee][Ss])
        fwcmd="/sbin/ipfw -q"
        ;;
    *)
        fwcmd="/sbin/ipfw"
        ;;
    esac

    ############
    # Flush out the list before we begin.
    #
    ${fwcmd} -f flush

    setup_loopback

    ############
    # Network Address Translation. All packets are passed to natd(8)
    # before they encounter your remaining rules. The firewall rules
    # will then be run again on each packet after translation by natd
    # starting at the rule number following the divert rule.
    #
    # For ``simple'' firewall type the divert rule should be put to a
    # different place to not interfere with address-checking rules.
    #
    case ${firewall_type} in
    [Oo][Pp][Ee][Nn]|[Ll][Ii][Mm][Ii][Tt][Ee][Rr])
        case ${natd_enable} in
        [Yy][Ee][Ss])
            if [ -n "${natd_interface}" ]; then
                ${fwcmd} add 50 divert natd ip4 from any to any via ${natd_interface}
            fi
            ;;
        esac
        case ${firewall_nat_enable} in
        [Yy][Ee][Ss])
            if [ -n "${firewall_nat_interface}" ]; then
                ${fwcmd} nat 123 config if ${firewall_nat_interface} log
                ${fwcmd} add 50 nat 123 ip4 from any to any via ${firewall_nat_interface}
            fi
            ;;
        esac
    esac

    ############
    # If you just configured ipfw in the kernel as a tool to solve network
    # problems or you just want to disallow some particular kinds of traffic
    # then you will want to change the default policy to open. You can also
    # do this as your only action by setting the firewall_type to ``open''.
    #
    # ${fwcmd} add 65000 pass all from any to any

    # Prototype setups.
    #
    case ${firewall_type} in
    [Oo][Pp][Ee][Nn])
        ${fwcmd} add 65000 pass all from any to any
        ;;
    esac

    # # # # # # # # # # # # # # #
    # Bandwidth capping rules
    # # # # # # # # # # # # # # #
    case ${firewall_type} in
    [Ll][Ii][Mm][Ii][Tt][Ee][Rr])
        # Deny everyone who isn't on the list below
        ${fwcmd} add 65300 deny all from any to any

        # Let everything keep moving past these interfaces
        ${fwcmd} add 350 allow all from any to any out via nfe0
        ${fwcmd} add 351 allow all from any to any out via rl0

        # Allow clients to speak to the server and vice versa
        ${fwcmd} add 360 allow all from any to 192.168.2.1 via rl0
        ${fwcmd} add 361 allow all from 192.168.2.1 to any via rl0

        # Centrul - principal
        ${fwcmd} pipe 4001 config bw 100Mbit/s
        ${fwcmd} pipe 4002 config bw 100Mbit/s
        ${fwcmd} add 401 pipe 4001 all from any to 192.168.2.2 in via nfe0
        ${fwcmd} add 402 pipe 4002 all from 192.168.2.2 to any in via rl0

        # Centrul - c1
        ${fwcmd} pipe 1 config bw 256Kbit/s
        ${fwcmd} pipe 2 config bw 85Kbit/s
        ${fwcmd} add 501 pipe 1 all from any to 192.168.2.3 in via nfe0
        ${fwcmd} add 502 pipe 2 all from 192.168.2.3 to any in via rl0

        # Centrul - c2
        ${fwcmd} pipe 3 config bw 256Kbit/s
        ${fwcmd} pipe 4 config bw 85Kbit/s
        ${fwcmd} add 503 pipe 3 all from any to 192.168.2.4 in via nfe0
        ${fwcmd} add 504 pipe 4 all from 192.168.2.4 to any in via rl0

        # Centrul - c3
        ${fwcmd} pipe 5 config bw 256Kbit/s
        ${fwcmd} pipe 6 config bw 85Kbit/s
        ${fwcmd} add 505 pipe 5 all from any to 192.168.2.5 in via nfe0
        ${fwcmd} add 506 pipe 6 all from 192.168.2.5 to any in via rl0

        # Centrul - c4
        ${fwcmd} pipe 7 config bw 256Kbit/s
        ${fwcmd} pipe 8 config bw 85Kbit/s
        ${fwcmd} add 507 pipe 7 all from any to 192.168.2.6 in via nfe0
        ${fwcmd} add 508 pipe 8 all from 192.168.2.6 to any in via rl0

        # Centrul - c5
        ${fwcmd} pipe 9 config bw 256Kbit/s
        ${fwcmd} pipe 10 config bw 85Kbit/s
        ${fwcmd} add 509 pipe 9 all from any to 192.168.2.7 in via nfe0
        ${fwcmd} add 510 pipe 10 all from 192.168.2.7 to any in via rl0

        # Centrul - c6
        ${fwcmd} pipe 11 config bw 256Kbit/s
        ${fwcmd} pipe 12 config bw 85Kbit/s
        ${fwcmd} add 511 pipe 11 all from any to 192.168.2.8 in via nfe0
        ${fwcmd} add 512 pipe 12 all from 192.168.2.8 to any in via rl0

        # Centrul - c7
        ${fwcmd} pipe 13 config bw 256Kbit/s
        ${fwcmd} pipe 14 config bw 85Kbit/s
        ${fwcmd} add 513 pipe 13 all from any to 192.168.2.9 in via nfe0
        ${fwcmd} add 514 pipe 14 all from 192.168.2.9 to any in via rl0

        # Centrul - c8
        ${fwcmd} pipe 15 config bw 256Kbit/s
        ${fwcmd} pipe 16 config bw 85Kbit/s
        ${fwcmd} add 515 pipe 15 all from any to 192.168.2.10 in via nfe0
        ${fwcmd} add 516 pipe 16 all from 192.168.2.10 to any in via rl0

        # Centrul - c9
        ${fwcmd} pipe 17 config bw 256Kbit/s
        ${fwcmd} pipe 18 config bw 85Kbit/s
        ${fwcmd} add 517 pipe 17 all from any to 192.168.2.11 in via nfe0
        ${fwcmd} add 518 pipe 18 all from 192.168.2.11 to any in via rl0

        # Petrea
        ${fwcmd} pipe 19 config bw 256Kbit/s
        ${fwcmd} pipe 20 config bw 85Kbit/s
        ${fwcmd} add 519 pipe 19 all from any to 192.168.2.12 in via nfe0
        ${fwcmd} add 520 pipe 20 all from 192.168.2.12 to any in via rl0

        # Anisoara Ulmanu
        ${fwcmd} pipe 21 config bw 256Kbit/s
        ${fwcmd} pipe 22 config bw 85Kbit/s
        ${fwcmd} add 521 pipe 21 all from any to 192.168.2.13 in via nfe0
        ${fwcmd} add 522 pipe 22 all from 192.168.2.13 to any in via rl0

        # Grisa
        ${fwcmd} pipe 23 config bw 256Kbit/s
        ${fwcmd} pipe 24 config bw 85Kbit/s
        ${fwcmd} add 523 pipe 23 all from any to 192.168.2.14 in via nfe0
        ${fwcmd} add 524 pipe 24 all from 192.168.2.14 to any in via rl0

        # Nicu Bivol
        ${fwcmd} pipe 25 config bw 256Kbit/s
        ${fwcmd} pipe 26 config bw 85Kbit/s
        ${fwcmd} add 525 pipe 25 all from any to 192.168.2.15 in via nfe0
        ${fwcmd} add 526 pipe 26 all from 192.168.2.15 to any in via rl0
        ;;
    esac
Limits network clients' internet bandwidth to 256/85 Kbit/s. Does NOT limit clients' bandwidth to the gateway itself. Two little sentences describe so much ipfw!

"in" and "out" refer to whether the packet is entering an interface (coming from outside the box, receiving) or leaving the interface (sending).
All packets that go through a router/firewall will come "in" on one interface, and go "out" on another. All packets that originate on the firewall and are being sent to another system will go "out" an interface. All packets destined for the firewall (originated on another system) will go "in" an interface. Thus, all your rules should specify which direction the traffic is going, and which interface it is using. If you want to bandwidth limit traffic going through the firewall, the rules would be similar to (where nfe0 is the external, public facing interface):
Code:
    ${fwcmd} pipe 15 config bw 256Kbit/s
    ${fwcmd} pipe 16 config bw 85Kbit/s
    ${fwcmd} add 515 pipe 15 all from any to 192.168.2.10 in recv nfe0
    ${fwcmd} add 516 pipe 16 all from 192.168.2.10 to any out xmit nfe0
Does that clear things up a bit?

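A small model of how ipfw evaluates the direction and interface options on each pass, added here to illustrate the explanation above (it is not code from the thread or from ipfw). It assumes rl0 is the LAN interface with the gateway at 192.168.2.1, nfe0 is the external interface, and the default net.inet.ip.fw.one_pass=1, so the first matching pipe rule ends the pass; with that, rules without interfaces shape a forwarded packet twice and also shape traffic to the gateway, while `in recv nfe0` / `out xmit nfe0` shape it exactly once and leave gateway traffic alone.

```python
"""Constructed model of ipfw's per-pass matching (not the real ipfw code)."""
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.2.0/24")   # assumed: rl0 side
GATEWAY = ip_address("192.168.2.1")  # assumed: the firewall's own LAN address
CLIENT = "192.168.2.10"
INTERNET = "203.0.113.5"             # constructed remote host

def passes(src, dst):
    """Return the (direction, recv, xmit) triples ipfw sees for one packet.

    Forwarded packets are seen twice: once coming in, once going out.
    Packets to or from the firewall itself are seen only once.
    """
    src, dst = ip_address(src), ip_address(dst)
    if src == GATEWAY:                      # originated on the firewall
        return [("out", None, "rl0" if dst in LAN else "nfe0")]
    if dst == GATEWAY:                      # destined for the firewall
        return [("in", "rl0" if src in LAN else "nfe0", None)]
    recv, xmit = ("rl0", "nfe0") if src in LAN else ("nfe0", "rl0")
    return [("in", recv, None), ("out", recv, xmit)]

def matches(rule, src, dst, direction, recv, xmit):
    """Apply the rule's dir/src/dst/recv/xmit/via options to one pass."""
    seen = {"dir": direction, "src": src, "dst": dst, "recv": recv, "xmit": xmit}
    for key, want in rule.items():
        if key == "action":
            continue
        if key == "via":                    # via = received on OR transmitted on
            if want not in (recv, xmit):
                return False
        elif seen[key] != want:
            return False
    return True

def pipe_hits(rules, src, dst):
    """Count how many times one packet is queued into a pipe across all passes."""
    hits = 0
    for direction, recv, xmit in passes(src, dst):
        for rule in rules:                  # rules are in rule-number order
            if matches(rule, src, dst, direction, recv, xmit):
                hits += rule["action"] == "pipe"
                break                       # first match ends the pass (one_pass=1)
    return hits

# Rules with no interface at all: the original double-shaping problem.
NO_IFACE = [{"action": "pipe", "dst": CLIENT}, {"action": "pipe", "src": CLIENT}]
# Rules pinned to the external interface, as suggested above.
EXTERNAL_ONLY = [{"action": "pipe", "dst": CLIENT, "dir": "in", "recv": "nfe0"},
                 {"action": "pipe", "src": CLIENT, "dir": "out", "xmit": "nfe0"}]
```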
phoenix,
I tried your format. The clients were not able to get out of/past the server at all. I had to add this line:
Code:
    ${fwcmd} add 65200 allow all from any to any via ${int_if}
Any ideas?
Last edited by Weaseal; 13th August 2008 at 02:13 PM.