Re: Limit Session Bandwidth

2013-01-07 Thread Julian Elischer

On 1/6/13 10:59 PM, Sami Halabi wrote:

Hi,
Thank you for the help.

sysctl net.inet.ip.fw.one_pass=0
introduces some issues to the limits in my current configuration,
because limits aren't applied correctly since we continue after the
pipe, e.g.:
I had:
1900 pipe 1000 all from x.y.z.1 to any
2000 pipe 1001 all from any to x.y.z.1
2100 pipe 2000 all from x.y.z.0/24 to any
2100 pipe 2001 all from any to x.y.z.0/24


look at using the tablearg option with the pipe command.

1900 pipe tablearg all from table(1) to any
1902 pipe tablearg all from any to table(2)

should allow you to do it all in 2 rules if you set up the table 
correctly.


Tablearg is not mentioned in the 'pipe' command help entry but pipe IS
mentioned in the tablearg section.

let me know if it works!

Julian



.
.
more pipes
.
..
6500 allow all from any to any

so I had a special (large) limit for the x.y.z.1 IP but another limit on the
whole /24 that I didn't want it to affect.
Any ideas how to solve it? I thought about skipto but I'm not sure how to
use it.
Sami


On Sun, Jan 6, 2013 at 1:37 AM, Luigi Rizzo ri...@iet.unipi.it wrote:


On Sat, Jan 05, 2013 at 02:51:07PM +0200, Sami Halabi wrote:

Hi Luigi & Ozkan,

Thanks for the response.

Luigi, I saw you said on some list never trust Italians :), so I went step
by step.
First I put:
me out from a pipe

sysctl net.inet.ip.fw.one_pass=0
ipfw pipe 123 config bw 1Mbit/s mask all
ipfw add 100 pipe 123 out

ipfw add 120 allow ip from any to any

Works like a charm.

Next step will be:
ipfw pipe 456 config bw 10Mbit/s

   ipfw sched 789 config mask all pipe 123
  or it should be:
   ipfw sched 789 config mask all pipe 456

the latter.


ipfw add 110 queue 789 out


What is the correct configuration?

The mask option isn't well documented; in the handbook it's not even
mentioned.

the manpage is slightly more up to date.
The handbook is probably years behind.

cheers
luigi


Same goes for the scheduler...
I got the feeling that only a few here know the options very well... maybe
I'm wrong?

Sami



On Thu, Jan 3, 2013 at 12:46 PM, Özkan KIRIK ozkan.ki...@gmail.com

wrote:

I think there is a mistake in the sched config line. It should be:
  ipfw sched 789 config mask all pipe 456


On Thu, Jan 3, 2013 at 10:29 AM, Luigi Rizzo ri...@iet.unipi.it

wrote:

ipfw sched 789 config mask all pipe 123





--
Sami Halabi
Information Systems Engineer
NMS Projects Expert
FreeBSD SysAdmin Expert





___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to freebsd-ipfw-unsubscr...@freebsd.org
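The tablearg approach Julian suggests, simulated as an added example (this is editorial code, not anything posted in the thread). It models ipfw's first-match walk over the original four pipe rules and over the two tablearg rules, with and without one_pass, and shows why one table can hold both the special host and its /24: an ipfw table lookup returns the value of the longest matching prefix, so a /32 entry wins over the /24 entry for the same host. Addresses are constructed from RFC 5737 space (192.0.2.1 stands in for x.y.z.1, 192.0.2.0/24 for x.y.z.0/24); pipe numbers are the ones from the thread.

```python
"""Simulate ipfw first-match evaluation for the two rulesets in the thread.

Added example, not code from the thread.  Assumptions: 192.0.2.0/24 stands in
for x.y.z.0/24 and 192.0.2.1 for the special host x.y.z.1 (RFC 5737 space);
table lookups return the value of the longest matching prefix, which is what
lets a /32 and a /24 covering the same host coexist in one table.
"""
import ipaddress

SPECIAL_HOST = "192.0.2.1"

# The original four rules as (rule number, pipe, src, dst); 0.0.0.0/0 is "any".
OLD_RULES = [
    (1900, 1000, "192.0.2.1/32", "0.0.0.0/0"),
    (2000, 1001, "0.0.0.0/0", "192.0.2.1/32"),
    (2100, 2000, "192.0.2.0/24", "0.0.0.0/0"),
    (2100, 2001, "0.0.0.0/0", "192.0.2.0/24"),
]

# Tables for the tablearg version: prefix -> value, and the value IS the pipe.
TABLE_1 = {"192.0.2.1/32": 1000, "192.0.2.0/24": 2000}   # source side
TABLE_2 = {"192.0.2.1/32": 1001, "192.0.2.0/24": 2001}   # destination side


def in_net(addr, cidr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def table_lookup(table, addr):
    """Longest-prefix match, as ipfw tables do; returns the entry's value or None."""
    ip = ipaddress.ip_address(addr)
    best, best_len = None, -1
    for cidr, value in table.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if ip in net and net.prefixlen > best_len:
            best, best_len = value, net.prefixlen
    return best


def pipes_old(src, dst, one_pass):
    """Pipes a packet enters under the original four rules."""
    hit = []
    for _num, pipe, s, d in sorted(OLD_RULES, key=lambda r: r[0]):
        if in_net(src, s) and in_net(dst, d):
            hit.append(pipe)
            if one_pass:        # net.inet.ip.fw.one_pass=1: the first pipe ends the search
                break
    return hit


def pipes_tablearg(src, dst, one_pass):
    """Pipes a packet enters under
         1900 pipe tablearg all from table(1) to any
         1902 pipe tablearg all from any to table(2)"""
    hit = []
    for table, addr in ((TABLE_1, src), (TABLE_2, dst)):
        pipe = table_lookup(table, addr)
        if pipe is not None:
            hit.append(pipe)
            if one_pass:
                break
    return hit


def ipfw_commands():
    """The ipfw(8) lines that build the tablearg setup."""
    cmds = [f"ipfw table {tbl} add {cidr} {pipe}"
            for tbl, table in ((1, TABLE_1), (2, TABLE_2))
            for cidr, pipe in table.items()]
    cmds.append("ipfw add 1900 pipe tablearg all from table(1) to any")
    cmds.append("ipfw add 1902 pipe tablearg all from any to table(2)")
    return cmds


if __name__ == "__main__":
    outside = "198.51.100.9"
    for one_pass in (1, 0):
        print(f"one_pass={one_pass}: old rules -> {pipes_old(SPECIAL_HOST, outside, one_pass)},"
              f" tablearg -> {pipes_tablearg(SPECIAL_HOST, outside, one_pass)}")
    print("\n".join(ipfw_commands()))
```

With one_pass=0 the old rules send the special host's outbound traffic through both pipe 1000 and pipe 2000 (the problem described above), while the tablearg rules select exactly one pipe per direction because the /32 entry shadows the /24 entry. The pipes themselves still need their own `ipfw pipe N config bw ...` lines, and `ipfw table 1 list` shows which pipe each prefix selects.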


Current problem reports assigned to freebsd-ipfw@FreeBSD.org

2013-01-07 Thread FreeBSD bugmaster
Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.


S Tracker  Resp.  Description

o kern/174749  ipfw   Unexpected change of default route
o kern/169206  ipfw   [ipfw] ipfw does not flush entries in table
o conf/167822  ipfw   [ipfw] [patch] start script doesn't load firewall_type
o kern/166406  ipfw   [ipfw] ipfw does not set ALTQ identifier for ipv6 traf
o kern/165939  ipfw   [ipw] bug: incomplete firewall rules loaded if tables 
o kern/165190  ipfw   [ipfw] [lo] [patch] loopback interface is not marking 
o kern/158066  ipfw   [ipfw] ipfw + netgraph + multicast = multicast packets
o kern/157796  ipfw   [ipfw] IPFW in-kernel NAT nat loopback / Default Route
o kern/157689  ipfw   [ipfw] ipfw nat config does not accept nonexistent int
f kern/155927  ipfw   [ipfw] ipfw stops to check packets for compliance with
o bin/153252   ipfw   [ipfw][patch] ipfw lockdown system in subsequent call 
o kern/153161  ipfw   [ipfw] does not support specifying rules with ICMP cod
o kern/152113  ipfw   [ipfw] page fault on 8.1-RELEASE caused by certain amo
o kern/148827  ipfw   [ipfw] divert broken with in-kernel ipfw
o kern/148430  ipfw   [ipfw] IPFW schedule delete broken.
o kern/148091  ipfw   [ipfw] ipfw ipv6 handling broken.
f kern/143973  ipfw   [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143621  ipfw   [ipfw] [dummynet] [patch] dummynet and vnet use result
o kern/137346  ipfw   [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw   [ipfw] parser troubles
o kern/135476  ipfw   [ipfw] IPFW table breaks after adding a large number o
o kern/129036  ipfw   [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/127230  ipfw   [ipfw] [patch] Feature request to add UID and/or GID l
f kern/122963  ipfw   [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw   [request] TCP and UDP port_table in ipfw
o kern/121122  ipfw   [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/116009  ipfw   [ipfw] [patch] Ignore errors when loading ruleset from
o bin/104921   ipfw   [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw   [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw   [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw   [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw   [ipfw] [patch] add tos and dscp support
o kern/97951   ipfw   [ipfw] [patch] ipfw does not tie interface details to 
o kern/95084   ipfw   [ipfw] [regression] [patch] IPFW2 ignores recv/xmit/v
o kern/86957   ipfw   [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw   [ipfw] ipfw2 error: setup is allowed for icmp, but s
o kern/82724   ipfw   [ipfw] [patch] [request] Add setnexthop and defaultrou
o bin/78785    ipfw   [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o bin/65961    ipfw   [ipfw] ipfw2 memory corruption inside add()
o kern/60719   ipfw   [ipfw] Headerless fragments generate cryptic error mes
s kern/55984   ipfw   [ipfw] [patch] time based firewalling support for ipfw
o kern/48172   ipfw   [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw   [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw   [ipfw] Add an option to ipfw to log gid/uid of who cau

44 problems total.



rules for core router

2013-01-07 Thread Sami Halabi
Hi,
I have a core router that I want to enable a firewall on.
Are these enough for a start:

ipfw add 100 allow all from any to any via lo0
ipfw add 25000 allow all from me to any
ipfw add 25100 allow ip from table(7) to me dst-port 179
#ipfw add 25150 allow ip from table(7) to me
ipfw add 25200 allow ip from table(8) to me dst-port 161
#ipfw add 25250 allow ip from table(8) to me
ipfw add 25300 allow all from any to me dst-port 22
ipfw add 25400 allow icmp from any to any
ipfw add 25500 deny all from any to me
ipfw add 23 allow all from any to any

where table 7 contains my BGP peers and table 8 my NMS.

Do I need to open anything more? Any routing protocol/forwarding plane
issues?


Another thing:
I plan to add the following rule
ipfw add 26000 fwd w.x.y.z all from a.b.c.0/24 to any

Will this work? Does my peer (ISP, with Cisco/Juniper equipment) need to
do anything else?
Thanks in advance,

-- 
Sami Halabi
Information Systems Engineer
NMS Projects Expert
FreeBSD SysAdmin Expert
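A check on the ruleset above, as an added example (editorial code, not part of the post). ipfw evaluates rules in rule-number order, not in the order they were added, so `ipfw add 23 allow all from any to any` sorts ahead of rule 100 and is the first rule every packet hits; everything after it, including the `deny all from any to me` at 25500, is dead. The simulation parses the posted lines, walks them first-match for a few constructed packets, and lists the shadowed rules; it then repeats the walk with the catch-all renumbered to 65000, which is assumed here to be the intended placement. The router's own addresses and the contents of table(7) and table(8) are constructed RFC 5737 values.

```python
"""Simulate ipfw's first-match evaluation over the ruleset from the post.

Added example, not from the post.  ipfw walks rules in rule-number order, so
"ipfw add 23 allow all from any to any" is evaluated before rule 100 and
everything after it is dead.  Assumptions: 23 was meant to be a high number
(65000 is used here); the router's own addresses, table(7) and table(8) are
constructed RFC 5737 values.
"""
import ipaddress
import re

POSTED_RULES = """
ipfw add 100 allow all from any to any via lo0
ipfw add 25000 allow all from me to any
ipfw add 25100 allow ip from table(7) to me dst-port 179
ipfw add 25200 allow ip from table(8) to me dst-port 161
ipfw add 25300 allow all from any to me dst-port 22
ipfw add 25400 allow icmp from any to any
ipfw add 25500 deny all from any to me
ipfw add 23 allow all from any to any
"""
# Same rules with the catch-all renumbered to the end (assumed intent).
FIXED_RULES = POSTED_RULES.replace("ipfw add 23 allow", "ipfw add 65000 allow")

ME = {"192.0.2.1", "203.0.113.1"}                  # router addresses (constructed)
TABLES = {7: ["198.51.100.0/24"],                  # BGP peers (constructed)
          8: ["192.0.2.0/24"]}                     # NMS hosts (constructed)

RULE_RE = re.compile(
    r"ipfw add (?P<num>\d+) (?P<action>allow|deny) (?P<proto>all|ip|icmp|tcp|udp)"
    r" from (?P<src>\S+) to (?P<dst>\S+)"
    r"(?: dst-port (?P<dport>\d+))?(?: via (?P<via>\S+))?$")


def parse_rules(text):
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed rule: {line!r}")
        r = m.groupdict()
        r["num"] = int(r["num"])
        r["dport"] = int(r["dport"]) if r["dport"] else None
        rules.append(r)
    return sorted(rules, key=lambda r: r["num"])   # kernel order, not entry order


def addr_matches(spec, addr):
    if spec == "any":
        return True
    if spec == "me":
        return addr in ME
    ip = ipaddress.ip_address(addr)
    t = re.fullmatch(r"table\((\d+)\)", spec)
    if t:
        return any(ip in ipaddress.ip_network(c) for c in TABLES[int(t.group(1))])
    return ip in ipaddress.ip_network(spec, strict=False)


def rule_matches(r, pkt):
    if r["proto"] not in ("all", "ip") and r["proto"] != pkt["proto"]:
        return False
    if r["via"] and r["via"] != pkt.get("iface"):
        return False
    if r["dport"] is not None and pkt.get("dport") != r["dport"]:
        return False
    return addr_matches(r["src"], pkt["src"]) and addr_matches(r["dst"], pkt["dst"])


def verdict(rules, pkt):
    """First matching rule wins: returns (rule number, action)."""
    for r in rules:
        if rule_matches(r, pkt):
            return r["num"], r["action"]
    return None, "deny"          # implicit default rule on a default-deny kernel


def shadowed_by_catchall(rules):
    """Rule numbers that can never fire because an unconditional allow precedes them."""
    for i, r in enumerate(rules):
        if (r["action"], r["proto"], r["src"], r["dst"], r["dport"], r["via"]) == \
                ("allow", "all", "any", "any", None, None):
            return [later["num"] for later in rules[i + 1:]]
    return []


if __name__ == "__main__":
    telnet_in = {"proto": "tcp", "src": "203.0.113.50", "dst": "192.0.2.1",
                 "dport": 23, "iface": "em0"}
    for name, text in (("posted", POSTED_RULES), ("fixed", FIXED_RULES)):
        rules = parse_rules(text)
        print(name, "telnet to router:", verdict(rules, telnet_in),
              "dead rules:", shadowed_by_catchall(rules))
```

With the posted numbering a TCP connection from an arbitrary host to port 23 on the router is allowed by rule 23; with the catch-all moved to 65000 it reaches the deny at 25500, while BGP from a table(7) peer and transit traffic are still allowed. Two further things the walk makes visible: rule 25400 accepts every ICMP type both to the router and through it, and the deny at 25500 only covers traffic addressed to the router, so forwarding policy rests entirely on the final allow.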