ipwf dummynet vs. kernel NAT and firewall rules
Julian Elischer
julian at freebsd.org
Thu Mar 10 20:29:31 UTC 2016
On 9/03/2016 9:32 AM, Don Lewis wrote:
> I'm trying to add FQ-CoDEL AQM to my FreeBSD 10 firewall box using this
> patch: <http://caia.swin.edu.au/freebsd/aqm/downloads.html>, but I'm
> running into a problem that I think is caused by an interaction between
> in-kernel NAT and dummynet. I've set up two dummynet pipe/sched/queue
> instances using example 3.3a from this document
> <http://caia.swin.edu.au/freebsd/aqm/patches/README-0.1.txt> with the
> appropriate bandwidths, but otherwise default tunings to shape both
> inbound and outbound traffic. My inside network is a /24 and I have an
> external /29 (ext/29) network that I don't want to rate limit. My
> outside network interface is re0. I'm using the /etc/rc.firewall
> "simple" firewall configuration.
>
> The problem that I'm having crops up when I actually try to add the
> firewall rules to select the traffic that I want to rate limit. The
> first rule in the list is:
> 100 allow ip from any to any via lo0
> The second rule is numbered 200 and is first anti-spoofing rule. If
> I add *either* of these two rules, then I'm no longer able to
> communicate between hosts on my internal network and the rest of the
> world:
>
> ipfw 110 add queue 1 ip from not ext/29 to any in recv re0
> ipfw 120 add queue 2 ip from any to not ext/29 out xmit re0
>
> It seems like the inbound rule should be early in the rule list so that
> any inbound traffic that gets dropped by the firewall rules gets counted
> even if it is dropped by later rules. It also seems like the outbound
> rule needs to be before any allow rules since an allow rule would skip
> the remaining rules and would not count that traffic. Unfortunately the
> ipfw documentation doesn't really describe the interaction between
> dummynet, NAT, and other firewall rules.
>
> Unfortunately this is a live system, so it is difficult to do controlled
> experiments and look at the ipfw counters to see where things might be
> going into the weeds ...
ok so you need to do what I always tell people.. split your rules into
separate incoming and outgoing rule sets.
so your first rule should be:
skipto 10000 all from any to any in.
and have separate sets of rules for incoming and outgoing packets.
Then you should always set one_pass to 0 and expect your packets to
come back to the firewall at the next number.
>
> _______________________________________________
> freebsd-ipfw at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe at freebsd.org"
>
More information about the freebsd-ipfw
mailing list