How does ipfilter/ipnat (for filtering) connect to ipfw/dummynet (for QoS)?

Seth Henry jshamlet at hotmail.com
Thu Oct 21 20:17:02 PDT 2004 

Guys,
I appreciate the help with the DNS problem. Between several folks emailing 
me with tips or examples, I have managed to get my DNS server up and 
running. I wish I had saved the address, as there is a very thorough HOWTO 
for exactly the sort of setup I was describing. BTW - as a tip to those 
setting up a DNS server on a router that uses dhclient for obtaining a WAN 
address, add the following to your dhclient.conf file:

interface "fxp0" {
        supersede domain-name "alexandria.homeunix.net";
        supersede domain-name-servers 192.168.1.1;
}

This keeps your resolv.conf file from getting overwritten.

Now, onto the question.

I have an existing ipfilter/ipnat setup running on my router. I would like 
to add QoS using ipfw/dummynet. I have found a very nice HOWTO on QoS at 
http://www.bsdnews.org/02/dummynet.php, and, of course, I have a working 
ipfilter/ipnat setup. What I don't get is how to chain them together. (yes, 
I realize routing speed will suffer - but it's a cable modem, and the router 
is a PIII-1.2GHz with plenty of RAM)

So, could someone fill in the gozinta's and gozouta's of this setup? I'm not 
even sure which should come first. I would assume ipfilter, as it is 
providing the firewall functionality - but I'm not sure. That said, I'm not 
sure what to "hook up" ipfw to? The internal I/F, external I/F, some virtual 
port?

That said, I'd even be willing to look into using ipfw/natd as the firewall. 
My rules aren't that complex -
<ipf.rules>
#################################################################
# Outside Interface
#################################################################

# FTP interface - allow from work & home only
pass in quick on fxp0 proto tcp from xxx.xxx.0.0/16 to any port = 21 flags S 
keep frags keep state
pass in quick on fxp0 proto tcp from xxx.xx.0.0/16 to any port = 21 flags S 
keep frags keep state

# Primary SSH (file server) - allow from work & home only
pass in quick on fxp0 proto tcp from xxx.xxx.0.0/16 to any port = 22 flags S 
keep frags keep state
pass in quick on fxp0 proto tcp from xxx.xxx.0.0/16 to any port = 22 flags S 
keep frags keep state

# Router SSH access - allow from work & home only
pass in quick on fxp0 proto tcp from xxx.xxx.0.0/16 to any port = 23 flags S 
keep frags keep state
pass in quick on fxp0 proto tcp from xxx.xxx.0.0/16 to any port = 23 flags S 
keep frags keep state

# DNS queries
pass in quick on fxp0 proto tcp from any to any port = 53 flags S keep frags 
keep state

# DHCP port - this should be available to the Comcast DHCP server only - but 
where is it?
pass in log quick on fxp0 proto udp from any to any port = 68 keep state

# Test port (using POP3 port) from work only
pass in quick on fxp0 proto tcp from xxx.xxx.0.0/16 to any port = 110 flags 
S keep frags keep state

# NTP inbound - courtesy to the remote NTP server
pass in log quick on fxp0 proto tcp from 192.5.41.0/24 to any port = 123 
flags S keep frags keep state

pass out quick on fxp0 proto tcp from any to any flags S keep frags keep 
state
pass out quick on fxp0 proto udp from any to any keep state keep frags
pass out quick on fxp0 proto icmp from any to any keep state

block out quick on fxp0 all
block in log quick on fxp0 all

#################################################################
# Inside Interfaces
#################################################################
pass in quick on xl0 all
pass out quick on xl0 all

#################################################################
# Loopback Interface
#################################################################
pass in quick on lo0 all
pass out quick on lo0 all

<ipnat.rules>
map fxp0 192.168.1.254/24 -> 0/32 proxy port ftp ftp/tcp
rdr fxp0 0.0.0.0/0 port 21 -> 192.168.1.2 port 21 tcp
rdr fxp0 0.0.0.0/0 port 22 -> 192.168.1.2 port 22 tcp
rdr fxp0 0.0.0.0/0 port 110 -> 192.168.1.7 port 110 tcp
#below is a irc identd port forwarding example
#rdr fxp0 0.0.0.0/0 port 113 -> 192.168.1.5 port 113 tcp
map fxp0 192.168.1.254/24 -> 0/32 portmap tcp/udp auto
map fxp0 192.168.1.254/24 -> 0/32

Seriously guys, this is the last question (for a while ;) I'm almost there 
with this gateway router. All I really want to do is make sure my 
vonage/Cisco ATA has all the bandwidth it wants, and everything else gets 
what's left. The trick is, I managed to educate myself on ipfilter/ipnat - I 
almost hate to start over with a new package now.

If there is another way to do this - I'm open to that as well. I've been 
reading about something called ALTQ - but I'm still running 4.10-REL on this 
machine. I hesitate to upgrade until 5-STABLE is out.

Thanks,
Seth Henry

_________________________________________________________________
Get ready for school! Find articles, homework help and more in the Back to 
School Guide! http://special.msn.com/network/04backtoschool.armx

More information about the freebsd-questions mailing list