Re: bandwidth limiting

From: Otto Kucera <ok(at)72pixel.at>
Date: Wed, 15 Oct 2003 18:52:04 +0200

Hello Christian!

Honestly, I don't know. My ipfilter allows port 80, for example.
If I now limit the bandwidth for port 80, then port 80 stops
working?

This config exists only for test purposes.

Otto
-> my config:

ipfw.rules:
/sbin/ipfw -f flush
/sbin/ipfw pipe 1 config bw 128Kbit/s
/sbin/ipfw add pipe 1 tcp from any to any 80 via fxp0

ipf.rules:
# +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# Interface: all
# Block all incoming and outgoing packets unless they're allowed later.
# +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
block in log all
block out log all

# -------------------------------------------------------------------------
# Interface: lo0
# Allow loopback to flow freely.
# -------------------------------------------------------------------------
pass in quick on lo0 all
pass out quick on lo0 all
# -------------------------------------------------------------------------

# -------------------------------------------------------------------------
# Interface: rl0
# Allow internal traffic to flow freely.
# -------------------------------------------------------------------------
pass in quick on rl0 all
pass out quick on rl0 all
# -------------------------------------------------------------------------

# -------------------------------------------------------------------------
# Interface: gif0
# Allow internal traffic to flow freely.
# -------------------------------------------------------------------------
pass in quick on gif0 all
pass out quick on gif0 all
# -------------------------------------------------------------------------

# -------------------------------------------------------------------------
# Interface: fxp0
# Allow _internal_ and fw initiated connections from hosts behind NAT to
# outside world. Additional permit individual type of service to flow freely
# to outside world should be added in this section.
# -------------------------------------------------------------------------

# pass in quick on fxp0 all
# pass out quick on fxp0 all

# [ IPSEC]

# IPSEC related
pass in on fxp0 proto esp from 81.223.12.18/32 to 80.110.48.215/32
pass out on fxp0 proto esp from 80.110.48.215/32 to 81.223.12.18/32
pass in on fxp0 proto udp from 81.223.12.18/32 port = 500 to 80.110.48.215/32 port = 500
pass out on fxp0 proto udp from 80.110.48.215/32 port = 500 to 81.223.12.18/32 port = 500
pass in on fxp0 proto ipencap from 81.223.12.18/32 to 80.110.48.215/32
pass out on fxp0 proto ipencap from 80.110.48.215/32 to 81.223.12.18/32

#[fistclass client]
pass out quick on fxp0 proto tcp from any to any port = 510 flags S keep state keep frags

# [sof]
pass out quick on fxp0 proto udp from any to any port = 28910 keep state keep frags
pass out quick on fxp0 proto udp from any to any port = 28911 keep state keep frags
pass out quick on fxp0 proto udp from any to any port = 28912 keep state keep frags
pass out quick on fxp0 proto udp from any to any port = 28913 keep state keep frags
pass out quick on fxp0 proto udp from any to any port = 28914 keep state keep frags
pass out quick on fxp0 proto udp from any to any port = 28915 keep state keep frags
pass out quick on fxp0 proto tcp from any to any port = 28910 keep state keep frags
pass out quick on fxp0 proto tcp from any to any port = 28911 keep state keep frags
pass out quick on fxp0 proto tcp from any to any port = 28912 keep state keep frags
pass out quick on fxp0 proto tcp from any to any port = 28913 keep state keep frags
pass out quick on fxp0 proto tcp from any to any port = 28914 keep state keep frags
pass out quick on fxp0 proto tcp from any to any port = 28915 keep state keep frags

# [passive ftp client to outside world step 1]
pass out quick on fxp0 proto tcp from any to any port > 1023 flags S keep state keep frags
pass out quick on fxp0 proto tcp from any to any port = 21 flags S keep state keep frags

# [ssh]
pass in quick on fxp0 proto tcp from 81.223.12.18/32 to 80.110.48.215/32 port = 22 flags S keep state keep frags
pass out quick on fxp0 proto tcp from any to any port = 22 flags S keep state keep frags

# [smtp to outside world]
pass out quick on fxp0 proto tcp from any to any port = 25 flags S keep state keep frags

# [whois to outside world]
pass out quick on fxp0 proto tcp from any to any port = 43 flags S keep state keep frags

# [domain to outside world]
pass out quick on fxp0 proto tcp from any to any port = 53 flags S keep state keep frags
pass out quick on fxp0 proto udp from any to any port = 53 keep state keep frags

# [http to outside world]
pass out quick on fxp0 proto tcp from any to any port = 80 flags S keep state keep frags

# [pop3, imap, imaps to outside world]
pass out quick on fxp0 proto tcp from any to any port = 110 flags S keep state keep frags
pass out quick on fxp0 proto tcp from any to any port = 143 flags S keep state keep frags
pass out quick on fxp0 proto tcp from any to any port = 993 flags S keep state keep frags

# [https to outside world]
pass out quick on fxp0 proto tcp from any to any port = 443 flags S keep state keep frags

# [passive ftp to outside world step 2 where the FTP server decides which port for ftp data back]
pass out quick on fxp0 proto tcp from any to any port > 1023 flags S keep state keep frags

# [traceroute to outside world 1st stage: probing...man traceroute(8)]
pass out quick on fxp0 proto udp from any to any port 33434 >< 33525 keep state keep frags

# [ping to outside world]
pass out quick on fxp0 proto icmp from any to any keep state keep frags

# -------------------------------------------------------------------------
# Allow _external_ initiated connections from outside world to hosts behind
# NAT and the firewall.
# -------------------------------------------------------------------------
# [dhclient]
pass in quick on fxp0 proto udp from any to any port = 68 keep state keep frags

# [traceroute to internal host 2nd stage: receiving error code of icmp-type 3
# (destination unreachable) and icmp-type 11 (time exceeded)]

pass in quick on fxp0 proto icmp from any to any icmp-type 3 keep state keep frags
pass in quick on fxp0 proto icmp from any to any icmp-type 11 keep state keep frags

# -------------------------------------------------------------------------
# Interface: fxp0
# Since there are no permit(pass) rules at this stage, everything else is
# blocked!
# -------------------------------------------------------------------------

Christian Damm wrote:

> I use IPFILTER in combination with IPFW on several FreeBSD 4.x installations (mostly routers/firewalls).
> IPFILTER for classic firewall/packet filter functionality and IPFW purely for traffic shaping via DUMMYNET.
>
> - the combo has given me no trouble so far; what isn't working for you?
>
>
>
> Regards,
>
> Christian Damm
> technical management
> phone: ext. 42
> email: christian.damm(at)diewebmaster.at
> icq at work: 124464652
>
> die webmaster - flötzerweg 156 - 4030 linz - austria
> phone: +43-732-381242, fax: +43-732-381242-22, isdn (leonardo): +43-732-381242-33
> homepage: www.diewebmaster.at, public email: office(at)diewebmaster.at
>
> ----- Original Message -----
> From: "Otto Kucera" <ok(at)72pixel.at>
> To: <de-bsd-questions(at)de.freebsd.org>
> Sent: Wednesday, October 15, 2003 4:49 PM
> Subject: bandwidth limiting
>
>
>
>>Hello!
>>
>>What is the best way to do bandwidth limiting? ipfw in combination with
>>ipf has already cost me too much time.
>>
>>Any recommendations?
>>
>>Otto
>>
>>--
>>-----------------------------------
>>Otto Kucera
>>A-1020 Wien Engerthstrasse 137/6/7
>>Tel: +43 699 1 942 30 91 [new number!]
>>Email: ok(at)72pixel.at
>>Icq: 65351173
>>-----------------------------------
>>
>>And root said rm -rf / ......and there was nothing
>>
>>Your mailserver MUST resolve properly (Fully Qualified Domain Name) or
>>the mail will not go through!
>>
>>
>>To Unsubscribe: send mail to majordomo.FreeBSD.org
>>with "unsubscribe de-bsd-questions" in the body of the message
>
>

-- 
-----------------------------------
Otto Kucera
A-1020 Wien Engerthstrasse 137/6/7
Tel: +43 699 1 942 30 91 [new number!]
Email: ok(at)72pixel.at
Icq: 65351173
-----------------------------------
And root said rm -rf /     ......and there was nothing
Your mailserver MUST resolve properly (Fully Qualified Domain Name) or 
the mail will not go through!

/sbin/ipfw -f flush
/sbin/ipfw pipe 1 config bw 128Kbit/s
/sbin/ipfw pipe 2 config bw 348Kbit/s

# /sbin/ipfw add pipe 1 tcp from any to any 1025-65535 via fxp0
# /sbin/ipfw add pipe 1 tcp from any to any 20,21 via fxp0

# /sbin/ipfw add pipe 1 tcp from 80.110.48.215 to any 1025-65535 via fxp0
# /sbin/ipfw add pipe 1 tcp from 80.110.48.215 to any 20,21 via fxp0

# /sbin/ipfw add pipe 1 tcp from any to any 80 via fxp0
# ipfw add allow tcp from any to any 80 via fxp0 setup

# /sbin/ipfw add pipe 1 tcp from any to any in via fxp0
# /sbin/ipfw add pipe 1 tcp from any to any out via fxp0
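An added illustration, not code from this thread and not FreeBSD's ipfw: a toy Python model of how ipfw walks a ruleset like the shaper script above, limited to the rule subset the thread uses (allow/deny/pipe, protocol, destination port, in/out, via). It assumes a kernel whose implicit last rule 65535 denies (no IPFIREWALL_DEFAULT_TO_ACCEPT) and models the net.inet.ip.fw.one_pass sysctl, which decides whether a packet leaving a dummynet pipe is accepted or re-enters the ruleset at the next rule. The Packet, Rule, load_ruleset and evaluate names are this example's own; WITH_FINAL_ALLOW is a constructed variant in the shaper-only shape Christian describes (ipfw shapes, ipf filters).

```python
"""Toy model of ipfw(8) first-match evaluation for a small rule subset.
Constructed illustration; the real ipfw grammar is far larger."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DEFAULT_RULE = 65535  # ipfw's implicit last rule: deny unless the kernel defaults to accept


@dataclass
class Packet:
    proto: str       # "tcp", "udp", "icmp", ...
    dport: int       # destination port (0 for protocols without ports)
    iface: str       # interface the packet crosses
    direction: str   # "in" or "out"


@dataclass
class Rule:
    number: int
    action: str                        # "allow", "deny" or "pipe"
    pipe: Optional[int] = None         # dummynet pipe number for action "pipe"
    proto: str = "ip"                  # "ip" matches every protocol
    dports: List[Tuple[int, int]] = field(default_factory=list)  # [] = any port
    direction: Optional[str] = None    # None = both directions
    iface: Optional[str] = None        # None = any interface; "via" matches both ways

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dports and not any(lo <= pkt.dport <= hi for lo, hi in self.dports):
            return False
        if self.direction and self.direction != pkt.direction:
            return False
        if self.iface and self.iface != pkt.iface:
            return False
        return True


def _parse_ports(spec: str) -> List[Tuple[int, int]]:
    """'80' -> [(80, 80)], '20,21' -> [(20, 20), (21, 21)], '1025-65535' -> [(1025, 65535)]."""
    ports = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.append((int(lo), int(hi or lo)))
    return ports


def parse_rule(line: str, auto_number: int) -> Rule:
    """Parse '[/sbin/]ipfw add [N] <action> [pipe-no] <proto> from SRC to DST [ports] [in|out] [via IF] [setup]'."""
    toks = line.split()
    toks = toks[toks.index("add") + 1:]
    number = int(toks.pop(0)) if toks[0].isdigit() else auto_number
    action = toks.pop(0)
    pipe = int(toks.pop(0)) if action == "pipe" else None
    proto = toks.pop(0)
    assert toks[0] == "from" and toks[2] == "to", line
    toks = toks[4:]                      # addresses are not modelled here
    rule = Rule(number, action, pipe, proto)
    while toks:
        t = toks.pop(0)
        if t in ("in", "out"):
            rule.direction = t
        elif t == "via":
            rule.iface = toks.pop(0)
        elif t == "setup":
            pass                         # SYN-only qualifier, not modelled
        else:
            rule.dports = _parse_ports(t)
    return rule


def load_ruleset(script: List[str]) -> List[Rule]:
    """Mimic running the script: only 'ipfw add' lines become rules; unnumbered
    rules get the previous number + 100, as ipfw's default autoinc_step does."""
    rules, nxt = [], 100
    for line in script:
        line = line.strip()
        if not line or line.startswith("#") or " add " not in f" {line} ":
            continue                     # comments, 'flush' and 'pipe N config' lines
        rule = parse_rule(line, nxt)
        rules.append(rule)
        nxt = rule.number + 100
    return sorted(rules, key=lambda r: r.number)


def evaluate(rules, pkt, one_pass=True, default_to_accept=False):
    """First matching allow/deny decides. A matching 'pipe' rule sends the packet
    through dummynet; with net.inet.ip.fw.one_pass=1 (the default) it is then
    accepted without reinjection, with one_pass=0 it re-enters at the next rule.
    Packets matching nothing hit rule 65535. Returns (verdict, pipes traversed)."""
    pipes = []
    for rule in rules:
        if not rule.matches(pkt):
            continue
        if rule.action == "pipe":
            pipes.append(rule.pipe)
            if one_pass:
                return "allow", pipes
            continue
        return rule.action, pipes
    return ("allow" if default_to_accept else "deny"), pipes


# Constructed sample scripts: the shaper as posted, and the same shaper with an
# explicit final allow so ipfw only shapes and leaves all filtering to ipf.
AS_POSTED = [
    "/sbin/ipfw -f flush",
    "/sbin/ipfw pipe 1 config bw 128Kbit/s",
    "/sbin/ipfw add pipe 1 tcp from any to any 80 via fxp0",
]
WITH_FINAL_ALLOW = AS_POSTED + ["/sbin/ipfw add allow ip from any to any"]


def verdict(script, pkt, **kw):
    return evaluate(load_ruleset(script), pkt, **kw)


if __name__ == "__main__":
    http_out = Packet("tcp", 80, "fxp0", "out")
    ssh_out = Packet("tcp", 22, "fxp0", "out")
    for name, script in (("as posted", AS_POSTED), ("with final allow", WITH_FINAL_ALLOW)):
        for one_pass in (True, False):
            print(name, "one_pass=%d" % one_pass,
                  "http:", verdict(script, http_out, one_pass=one_pass),
                  "ssh:", verdict(script, ssh_out, one_pass=one_pass))
```

The point the model makes: after `ipfw -f flush`, a ruleset that contains only a pipe rule depends on the kernel default rule and on one_pass for anything to pass at all, and with one_pass=0 even the shaped port-80 packets fall through to rule 65535. A shaper-only ipfw ruleset therefore ends with an explicit `allow ip from any to any`, and the packet filtering stays in ipf.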
Received on Wed 15 Oct 2003 - 18:55:06 CEST