ipfw + altq + pf + ipfw-classifyd identifying/queuing ftp traffic
alan yang
alancyang at gmail.com
Sat Dec 10 01:39:12 UTC 2011
Hello,
I have the following setup in trying to identify ftp traffic with
ipfw-classifyd and direct ftp traffic into an ALTQ CBQ queue; non-ftp
traffic should not go through the ftp queue. Looking at the 'ipfw show' and
'pfctl -s queue -v' output at run time with ping and ftp, I have a
couple of questions:
1) the re-injected diverted packet with fwrule (1000), should it
match rule 63001 and be directed to ftp queue?
2) for non ftp traffic, should it match rule 1000 and NOT be directed
to ftp queue?
From the 'pfctl -s queue -v' output, it seems ALL traffic went through the
ALTQ ftp queue.
I wonder whether people could shed some light on the right rule configuration,
and on how to verify the ipfw processing of reinjected diverted packets
with more ALTQ debugging.
Thanks in advance!
Alan
---
ipfw rules:
#! /bin/sh
ipfw -f flush
ipfw pipe 1 config bw 256Kbit/s queue 30
ipfw pipe 2 config bw 256Kbit/s queue 30
ipfw add 400 divert 7777 tcp from any to any via em0
ipfw add 410 divert 7777 udp from any to any via em0
ipfw add 1000 allow ip from any to any
ipfw add 63000 allow altq ftp ip from any to any in diverted
ipfw add 63001 allow altq ftp ip from any to any out diverted
ipfw add 64000 pipe 1 log ip from any to any in diverted
ipfw add 64001 pipe 2 log ip from any to any out diverted
/etc/pf.conf:
altq on em0 cbq bandwidth 5Mb queue { ftp }
queue ftp bandwidth 10% cbq(default)
ipfw-classifyd:
/usr/local/sbin/ipfw-classifyd -p 7777
ipfw-classifyd configuration file has ftp = 1000
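pf.conf(5) requires exactly one default queue and assigns every packet not explicitly queued by a rule to it; in the posted pf.conf the ftp queue is both the only queue and the default, so nothing can end up anywhere else. The fragment below is an added example, not the original poster's configuration; it assumes the same em0 interface and 5Mb link as the posted rules, and the queue name "std" is made up here.

```pf
# Added example (not the poster's config). Assumes em0 and the 5Mb
# link from the posted rules; "std" is an assumed queue name.
#
# ALTQ sends every packet that no rule assigned to a queue into the
# one queue marked "default". In the posted config ftp is the only
# queue and also the default, so ping, ftp and everything else all
# land in it. Giving unclassified traffic its own default queue means
# only packets tagged by ipfw's "altq ftp" action reach the ftp queue.
altq on em0 cbq bandwidth 5Mb queue { std, ftp }

# Catch-all for traffic ipfw did not tag; may borrow idle bandwidth.
queue std bandwidth 90% cbq(default borrow)

# Reserved for packets ipfw tagged with "altq ftp" (rules 63000/63001).
queue ftp bandwidth 10%
```

With two queues, the per-queue pkts counters in 'pfctl -s queue -v' become a usable check: a ping should only advance std, while ftp should advance only for connections ipfw-classifyd identified and reinjected.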