Setting IPFW rules

Post by aRVi » Sat, 17 Nov 2001 02:46:11



Hi all,

My problem is this one: I have a network, which has a relatively slow
connection out to the world. And due to a lot of ftp traffic, other
services (like ssh, telnet, vnc..etc) are getting very slow because of high
ping and packet loss. Therefore, I would like to set priority to packets at
different ports (for the firewall to handle these packets prior to the other
ones - like ftp). And this is it. How to create rule for this?
I have tried something like this, but didn't work:

ipfw pipe 10 config weight 1
ipfw add pipe 10 udp from any to any 27960-27966

I don't want to strictly restrict the bandwidth for ftp (to have full use of
the line for ftp when not using the other services). And even if I'd decide
to do so (rules for this work fine), I don't know, what ports to restrict
( 21 only doesn't work, cause a lot of users download from different ftp
ports).

Can anyone be helpful?
Thanks a lot!

--
[:aRVi:]

ICQ: 56909029


Setting IPFW rules

Post by Vaclav Svate » Sat, 17 Nov 2001 06:18:47



> Hi all,

> My problem is this one: I have a network, which has a relatively slow
> connection out to the world. And due to a lot of ftp traffic, other
> services (like ssh, telnet, vnc..etc) are getting very slow because of high
> ping and packet loss. Therefore, I would like to set priority to packets at
> different ports (for the firewall to handle these packets prior to the other
> ones - like ftp). And this is it. How to create rule for this?
> I have tried something like this, but didn't work:

> ipfw pipe 10 config weight 1
> ipfw add pipe 10 udp from any to any 27960-27966

> I don't want to strictly restrict the bandwidth for ftp (to have full use of
> the line for ftp when not using the other services). And even if I'd decide
> to do so (rules for this work fine), I don't know, what ports to restrict
> ( 21 only doesn't work, cause a lot of users download from different ftp
> ports).

> Can anyone be helpful?
> Thanks a lot!

> --
> [:aRVi:]

> ICQ: 56909029

Hey man,
some poor boy was asking the very same thing a few threads below and
didn't get any answer :o(. Probably nobody knows... Try to look for a
contact to some of those guys who lectured on Openweekend, which we
unfortunately missed. Especially Michal Kutnohorsky (freebsd.cz).
Have a nice day,
your admin :o)
V.


Setting IPFW rules

Post by aRVi » Sat, 17 Nov 2001 07:04:23


Well, this "poor" boy has already asked Michal, and guess what? Michal
didn't know either :-( So this was the second step after asking him. Should
you have any other ideas, don't hesitate and help. Thx man :-)

--
[:aRVi:]

ICQ: 56909029



> > Hi all,

> > My problem is this one: I have a network, which has a relatively slow
> > connection out to the world. And due to a lot of ftp traffic, other
> > services (like ssh, telnet, vnc..etc) are getting very slow because of high
> > ping and packet loss. Therefore, I would like to set priority to packets at
> > different ports (for the firewall to handle these packets prior to the other
> > ones - like ftp). And this is it. How to create rule for this?
> > I have tried something like this, but didn't work:

> > ipfw pipe 10 config weight 1
> > ipfw add pipe 10 udp from any to any 27960-27966

> > I don't want to strictly restrict the bandwidth for ftp (to have full use of
> > the line for ftp when not using the other services). And even if I'd decide
> > to do so (rules for this work fine), I don't know, what ports to restrict
> > ( 21 only doesn't work, cause a lot of users download from different ftp
> > ports).

> > Can anyone be helpful?
> > Thanks a lot!

> > --
> > [:aRVi:]

> > ICQ: 56909029
> Hey man,
> some poor boy was asking the very same thing a few threads below and
> didn't get any answer :o(. Probably nobody knows... Try to look for a
> contact to some of those guys who lectured on Openweekend, which we
> unfortunately missed. Especially Michal Kutnohorsky (freebsd.cz).
> Have a nice day,
> your admin :o)
> V.


Setting IPFW rules

Post by DrCla » Sat, 17 Nov 2001 14:51:59


OK - here are a few things to check:

1. If you are using pipes, and you need them reinjected into the rules after
applying the pipe (recall that with IPFW as soon as it finds a pipe, it
applies the pipe then skips the rest of the rules) you need to set the
following sysctl variable (from the man page for IPFW)

net.inet.ip.fw.one_pass: 1
             When set, the packet exiting from the dummynet(4) pipe is not
             passed though the firewall again.  Otherwise, after a pipe
             action, the packet is reinjected into the firewall at the next
             rule.

Therefore to set it up you will need something like this in your ruleset :
(taken from my ruleset)

#Stuff that needs to be matched before NATD (ie matching via source IP)
add pipe 1 ip from 10.0.0.3 to any out xmit ed1

#NATD GOES HERE
add divert natd all from any to any via ed1

#Stuff that needs to be matched after NATD (ie destination computers etc)
add pipe 2 ip from any to 10.0.0.3 in recv ed1

#Bandwidth pipe configuration stuff.
pipe 1 config bw 64Kbit/s queue 10Kbytes
pipe 2 config bw 64Kbit/s queue 10Kbytes

I would imagine that for a 'per port' bandwidth limit, you'd just do
something like :

add pipe X tcp from any to any 21 in recv ed1
add allow tcp from any to any 21 in recv ed1

And this would put all that stuff through the pipe. Note you would probably
want to put this before the rule allowing that packet through as shown. Note
I have no idea if this will work - this is just my interpretation of what
you want to do, and I don't have the time to test this out :)

HTH


> Hi all,

> My problem is this one: I have a network, which has a relatively slow
> connection out to the world. And due to a lot of ftp traffic, other
> services (like ssh, telnet, vnc..etc) are getting very slow because of high
> ping and packet loss. Therefore, I would like to set priority to packets at
> different ports (for the firewall to handle these packets prior to the other
> ones - like ftp). And this is it. How to create rule for this?
> I have tried something like this, but didn't work:

> ipfw pipe 10 config weight 1
> ipfw add pipe 10 udp from any to any 27960-27966

> I don't want to strictly restrict the bandwidth for ftp (to have full use of
> the line for ftp when not using the other services). And even if I'd decide
> to do so (rules for this work fine), I don't know, what ports to restrict
> ( 21 only doesn't work, cause a lot of users download from different ftp
> ports).

> Can anyone be helpful?
> Thanks a lot!

> --
> [:aRVi:]

> ICQ: 56909029


Setting IPFW rules

Post by DrCla » Sat, 17 Nov 2001 20:34:48


Oh, i forgot the priority thingy :) Thought that i missed something...
whoops :)

I was going to suggest that you could increase the delay for the slower
pipes, say add a 100ms delay or something... and have priority pipes at 0
delay?

I can't find any info on the weight field you've specified... hmmm might be
time to delve into some source code :)


> OK - here are a few things to check:

> 1. If you are using pipes, and you need them reinjected into the rules after
> applying the pipe (recall that with IPFW as soon as it finds a pipe, it
> applies the pipe then skips the rest of the rules) you need to set the
> following sysctl variable (from the man page for IPFW)

> net.inet.ip.fw.one_pass: 1
>      When set, the packet exiting from the dummynet(4) pipe is not
>      passed though the firewall again. Otherwise, after a pipe
>      action, the packet is reinjected into the firewall at the next
>      rule.

> Therefore to set it up you will need something like this in your ruleset :
> (taken from my ruleset)

> #Stuff that needs to be matched before NATD (ie matching via source IP)
> add pipe 1 ip from 10.0.0.3 to any out xmit ed1

> #NATD GOES HERE
> add divert natd all from any to any via ed1

> #Stuff that needs to be matched after NATD (ie destination computers etc)
> add pipe 2 ip from any to 10.0.0.3 in recv ed1

> #Bandwidth pipe configuration stuff.
> pipe 1 config bw 64Kbit/s queue 10Kbytes
> pipe 2 config bw 64Kbit/s queue 10Kbytes

> I would imagine that for a 'per port' bandwidth limit, you'd just do
> something like :

> add pipe X tcp from any to any 21 in recv ed1
> add allow tcp from any to any 21 in recv ed1

> And this would put all that stuff through the pipe. Note you would probably
> want to put this before the rule allowing that packet through as shown. Note
> I have no idea if this will work - this is just my interpretation of what
> you want to do, and I don't have the time to test this out :)

> HTH



> > Hi all,

> > My problem is this one: I have a network, which has a relatively slow
> > connection out to the world. And due to a lot of ftp traffic, other
> > services (like ssh, telnet, vnc..etc) are getting very slow because of high
> > ping and packet loss. Therefore, I would like to set priority to packets at
> > different ports (for the firewall to handle these packets prior to the other
> > ones - like ftp). And this is it. How to create rule for this?
> > I have tried something like this, but didn't work:

> > ipfw pipe 10 config weight 1
> > ipfw add pipe 10 udp from any to any 27960-27966

> > I don't want to strictly restrict the bandwidth for ftp (to have full use of
> > the line for ftp when not using the other services). And even if I'd decide
> > to do so (rules for this work fine), I don't know, what ports to restrict
> > ( 21 only doesn't work, cause a lot of users download from different ftp
> > ports).

> > Can anyone be helpful?
> > Thanks a lot!

> > --
> > [:aRVi:]

> > ICQ: 56909029
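Editor's added example, not posted by anyone in this thread: a ruleset that answers the original priority question and also shows the one_pass / natd placement DrCla describes. In dummynet the weight belongs to a queue that is attached to a pipe, not to the pipe itself (which is why `pipe 10 config weight 1` does nothing useful); the pipe carries the bandwidth cap and the queues share it by weight, so bulk traffic (ftp on any port) still gets the whole link when no interactive packet is waiting. The external interface ed1 is taken from DrCla's post; the line rates, the port list and the rule numbers are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not from anyone in this thread: share one slow link between
# an "interactive" class (ssh, telnet, vnc) and a "bulk" class (everything
# else, ftp included) with ipfw + dummynet. The pipe carries the bandwidth
# cap; the queues attached to it carry the weights, so bulk traffic keeps
# the whole link whenever nothing interactive is waiting.
# Assumptions (not from the thread): external interface ed1, natd on the
# default divert port, and the line rates below. Needs root on a FreeBSD
# kernel built with IPFIREWALL and DUMMYNET.

EXT_IF="${EXT_IF:-ed1}"              # assumed external interface
UP_BW="${UP_BW:-120Kbit/s}"          # assumed upstream rate, set a bit under the real line
DOWN_BW="${DOWN_BW:-480Kbit/s}"      # assumed downstream rate, set a bit under the real line
INTERACTIVE_PORTS="5900-5910,22,23"  # assumed vnc display range, ssh, telnet (range first)

# Emit the ruleset as text, one ipfw argument list per line, so it can be
# read or tested without touching the kernel.
build_ruleset() {
    cat <<EOF
pipe 1 config bw $UP_BW
pipe 2 config bw $DOWN_BW
queue 1 config pipe 1 weight 90
queue 2 config pipe 1 weight 10
queue 3 config pipe 2 weight 90
queue 4 config pipe 2 weight 10
add 100 queue 1 tcp from any to any $INTERACTIVE_PORTS out xmit $EXT_IF
add 110 queue 2 ip from any to any out xmit $EXT_IF
add 200 divert natd ip from any to any via $EXT_IF
add 300 queue 3 tcp from any $INTERACTIVE_PORTS to any in recv $EXT_IF
add 310 queue 4 ip from any to any in recv $EXT_IF
add 400 allow ip from any to any
EOF
}

# Number of filter rules (the 'add ...' lines) in the generated set.
rule_count() {
    build_ruleset | grep -c '^add '
}

# Load the set. Rules 100/110 classify outbound traffic before natd, while
# the private source address is still visible; rules 300/310 classify
# inbound traffic after natd, once the destination has been translated
# back. With one_pass=0 a packet leaving a queue continues at the next
# rule, so it still reaches natd and the final allow.
apply_ruleset() {
    sysctl -w net.inet.ip.fw.one_pass=0
    ipfw -q flush           # drops every existing rule; re-add any you rely on
    ipfw -q pipe flush
    build_ruleset | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # splitting $rule into arguments is intended
        ipfw -q $rule
    done
}

case "${1:-}" in
    apply) apply_ruleset ;;
    *)     build_ruleset ;;   # default: only print what would be loaded
esac
```

Run it with no argument to review the generated lines, and with `apply` (as root) to load them. Two practical points: the pipe rates must sit slightly below the real line rate, otherwise the queue never fills and the weights never get a chance to act; and the inbound pipe (pipe 2) only works indirectly, by delaying or dropping packets that have already crossed the slow link so the remote senders' TCP backs off, which is less precise than shaping the outbound side.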
