Dummynet with Dynamic IPFW Rules
RW
list-freebsd-2004 at morbius.sent.com
Sat Feb 25 17:34:13 PST 2006
I've been looking into using Dummynet for outgoing traffic, and I've found it
hard going because the tutorials and how-to's deal with it in isolation,
without indicating how it would be used in a real firewall. They generally
suggest setting net.inet.ip.fw.one_pass=1, which as I understand it, implies
that any packet passed into dummynet is passed statically through the
firewall.
I want to keep my existing dynamic rules, and it seems that one way would be
to keep net.inet.ip.fw.one_pass=0 and follow each dummynet rule with a skipto
rule that uses an identical test. So when the packet emerges from dummynet
it skips the other pipe and queue rules, and hits the check-state.
Something like this:
--------------------------------------------------------------------------------------
...
# net.inet.ip.fw.one_pass=0, so a packet returning from a queue re-enters
# the ruleset at the rule following the queue rule, i.e. the skipto.
#prioritize small ack packets
0500 queue 1 tcp from any to any out via vr0 tcpflags ack iplen 0-80
0501 skipto 1000 tcp from any to any out via vr0 tcpflags ack iplen 0-80
#prioritize ntp (UDP, as in rule 1030; port keyword goes after the address)
0600 queue 1 udp from any to any ntp out via vr0
0601 skipto 1000 udp from any to any ntp out via vr0
<other queuing rules>
# stateful section: every skipto above lands here
1000 check-state
1010 deny tcp from any to any in established
1020 allow tcp from any to any out setup keep-state
1030 allow udp from any to any ntp out keep-state
<other stateful rules>
--------------------------------------------------------------------------------------
Will this work? And is it the best way to handle this problem? It seems a bit
clumsy.