ipfw - accessing DMZ from LAN , pipes

Emil Muratov gpm at hotplug.ru
Wed Nov 30 10:47:33 UTC 2011


On 29.11.2011 02:36, Marek Salwerowicz wrote:
> Hello after a longer break ;)
>
> On 2011-10-01 22:02, Freddie Cash wrote:
>> However, you could set up split-DNS or views and just configure
>> everything to connect using hostnames. It's extra work to set up, but
>> does make things easier down the road.
> I've set up the DNS with views and for a month everything has been
> working perfectly (I set up the firewall on a small Soekris net5501 box)
> - thanks a lot for your help!
>
> I am confused about one thing - I wanted to set up pipes for my DMZ
> hosts (so that my hosts cannot consume all the bandwidth).
> When I set up the pipes at the beginning of my firewall (before
> configuring the NAT), all traffic is blocked.
> When I set up the pipes at the end of the firewall, they don't work (even
> 'ipfw show' shows no packets coming through the 'pipe' rules).
>
>
This happens because the pipe directive "permits" the packet by default, and it
never reaches the nat rule afterwards. I would recommend the following
approach:
first take a look at what the sysctl net.inet.ip.fw.one_pass=0 does. The
default value of 1 makes rules like pipe, nat or netgraph behave as
accept when the packet is returned from the pipe. If this variable is set to 0, then a
packet returned from the pipe continues processing from the next rule after
the one it was returned from.
So with nat for outgoing traffic it would be nice to pipe it before
nat changes the src addresses, and conversely for incoming traffic pipe
it only after nat dealiases the dst address. With this approach you will be
able to classify your packets by their real unmasked addresses and
build more flexible shaping rules.
For example, this config will allow you to distribute the available bandwidth of
the pipe evenly among all your dmz hosts and prevent one
aggressive host from hogging it all.

# assumed placeholder values (not in the original): ipfw binary, WAN interface, DMZ subnet, NAT address
ipfw=/sbin/ipfw; if_wan=em0; dmz_subnet=10.0.1.0/24; natip=203.0.113.1
sysctl net.inet.ip.fw.one_pass=0
$ipfw pipe 100 config bw 5Mbit/s queue 50
$ipfw queue 200 config pipe 100 mask src-ip 0xffffffff    # one dynamic queue per DMZ source host
$ipfw add queue 200 ip from $dmz_subnet to any out xmit $if_wan   # shape on the real source address, before nat
$ipfw add nat 100 ip from $dmz_subnet to any out xmit $if_wan     # nat instance 100 is assumed to be configured elsewhere
$ipfw add allow ip from $natip to any out xmit $if_wan


> Where should the pipe rules be placed?
> Does it matter if I do 'ipfw add pipe 1...' first and then 'ipfw pipe
> 1 config...' ?
>
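An added example (not Emil's config and not part of the thread) that extends his outbound-only rule set to both directions under one_pass=0: outbound packets are queued before nat while their real source address is visible, inbound packets are queued after nat has dealiased the destination. The interface name, subnet and NAT address are constructed placeholders, and ipfw reading rules from /dev/stdin is an assumption.

```shell
#!/bin/sh
# Added example: DMZ shaping + NAT rule set for both directions, one_pass=0.
# Placeholders (constructed): WAN interface, DMZ subnet, public NAT address.
if_wan=${if_wan:-em0}
dmz_subnet=${dmz_subnet:-192.0.2.0/24}
natip=${natip:-198.51.100.1}

# Print the rule set as text so it can be reviewed or diffed before being
# loaded; apply_rules() is the only function that touches the live firewall.
dmz_rules() {
cat <<EOF
pipe 100 config bw 5Mbit/s queue 50
pipe 101 config bw 20Mbit/s queue 50
queue 200 config pipe 100 mask src-ip 0xffffffff
queue 201 config pipe 101 mask dst-ip 0xffffffff
nat 100 config ip $natip
add 1000 queue 200 ip from $dmz_subnet to any out xmit $if_wan
add 1010 nat 100 ip from $dmz_subnet to any out xmit $if_wan
add 1020 allow ip from $natip to any out xmit $if_wan
add 2000 nat 100 ip from any to $natip in recv $if_wan
add 2010 queue 201 ip from any to $dmz_subnet in recv $if_wan
add 2020 allow ip from any to $dmz_subnet in recv $if_wan
EOF
}

# Ordering check on the generated text: the queue rule must come before the
# nat rule for outbound traffic and after it for inbound traffic.
# Returns 0 when the ordering is correct.
check_order() {
    rules=$(dmz_rules)
    q_out=$(printf '%s\n' "$rules" | grep -n 'queue 200 ip .* out xmit' | cut -d: -f1)
    n_out=$(printf '%s\n' "$rules" | grep -n 'nat 100 ip .* out xmit' | cut -d: -f1)
    n_in=$(printf '%s\n' "$rules" | grep -n 'nat 100 ip .* in recv' | cut -d: -f1)
    q_in=$(printf '%s\n' "$rules" | grep -n 'queue 201 ip .* in recv' | cut -d: -f1)
    [ "$q_out" -lt "$n_out" ] && [ "$n_in" -lt "$q_in" ]
}

# Load the rules. ipfw accepts a rule file as its argument; feeding it
# /dev/stdin is assumed to work on FreeBSD's devfs.
apply_rules() {
    sysctl net.inet.ip.fw.one_pass=0
    dmz_rules | /sbin/ipfw -q /dev/stdin
}
```

The allow rules at 1020 and 2020 only stand in for whatever filtering policy the real rule set already has; the point of the example is the position of the queue rules relative to nat.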