Lines 3355-3361
|
3355 |
################ End of IPFW rules file ###############################</programlisting> |
3355 |
################ End of IPFW rules file ###############################</programlisting> |
3356 |
</sect3> |
3356 |
</sect3> |
3357 |
</sect2> |
3357 |
</sect2> |
|
|
3358 |
|
3359 |
<sect2 id="firewalls-ipfw-dummynet"> |
3360 |
<title>Using Dummy</title> |
3361 |
|
3362 |
<para>Dummynet is a traffic shaper, bandwidth manager and delay emulator which may |
3363 |
be used to simulate different types of physical links. It can also be |
3364 |
"misused" as a traffic shaper.</para> |
3365 |
|
3366 |
<para>Dummynet offers two objects. Pipes are an abstraction of a given link, having |
3367 |
a certain bandwidth, delay and loss. Queue are an abstraction used to implement |
3368 |
weighted fair queuing. In practice, pipes can be used to set hard limits to the |
3369 |
bandwidth that a flow can use, wheres queues can be used to determine how different |
3370 |
flows share that bandwidth.</para> |
3371 |
|
3372 |
<para>Please note that, in order for dummynet to work correctly, it is highly recommended to |
3373 |
increase the system clock tick. This can be accomplished by adding the following kernel option:</para> |
3374 |
<programlisting>options HZ=1000</programlisting> |
3375 |
|
3376 |
<para>Use the following command to configure a pipe which has 4Kbps |
3377 |
and a 100ms delay:</para> |
3378 |
<screen>&prompt.root; <userinput>ipfw pipe 10 config bw 4Kbit/s delay 100</userinput></screen> |
3379 |
|
3380 |
<para>To use this pipe, i.e. have some traffic go through it, use the following command:</para> |
3381 |
<screen>&prompt.root; <userinput>ipfw -q add pipe 10 all from 10.0.0.0/24 to any</userinput></screen> |
3382 |
|
3383 |
<para>Please note that to properly limit users, one should create separate pipes for download and upload. |
3384 |
</para> |
3385 |
|
3386 |
<para>Using the above pipe configuration, all LAN users compete for the |
3387 |
same bandwidth. If you would like to assign each of them 4Kbps |
3388 |
download and upload, you may create dynamic pipes based on the |
3389 |
source IP (for uplink) or destination IP (for downlink):</para> |
3390 |
<screen>&prompt.root; <userinput>ipfw pipe 10 config bw 4Kbit/s src-ip 0xffffffff</userinput> |
3391 |
&prompt.root; <userinput>ipfw pipe 11 config bw 4Kbit/s dst-ip 0xffffffff</userinput> |
3392 |
&prompt.root; <userinput>ipfw -q add pipe 10 all from any to any recv $if_lan</userinput> |
3393 |
&prompt.root; <userinput>ipfw -q add pipe 11 all from any to any xmit $if_lan</userinput></screen> |
3394 |
|
3395 |
</sect2> |
3396 |
|
3397 |
<sect2 id="firewalls-ipfw-tables"> |
3398 |
<title>Using Tables</title> |
3399 |
|
3400 |
<para>Tables are a way of refering to multiple IP addresses |
3401 |
using a single identifier. They are useful in the following |
3402 |
situations:</para> |
3403 |
|
3404 |
<itemizedlist> |
3405 |
<listitem> |
3406 |
<para>you must apply the same rule to a lot of IP addresses |
3407 |
(table lookups are fast)</para> |
3408 |
</listitem> |
3409 |
<listitem> |
3410 |
<para>you must apply a lot of rules to some IP addresses |
3411 |
(use tables to add / remove IP addresses from a single location |
3412 |
in the ruleset)</para> |
3413 |
</listitem> |
3414 |
</itemizedlist> |
3415 |
|
3416 |
<para>IP addresses contained in a table may also have an optional 32-bit unsigned value |
3417 |
assigned to it. A rule may be written in such a way that it will only match if the IP |
3418 |
found in a table has been assigned a specific value.</para> |
3419 |
|
3420 |
<para>These are the commands used to manipulate tables from the shell:</para> |
3421 |
|
3422 |
<para>Clear all IPs from a table:</para> |
3423 |
<screen>&prompt.root; <userinput>ipfw table 10 flush</userinput></screen> |
3424 |
|
3425 |
<para>Add a single IP address to a table:</para> |
3426 |
<screen>&prompt.root; <userinput>ipfw table 10 add 172.27.0.1</userinput></screen> |
3427 |
|
3428 |
<para>Add a CIDR network to a table:</para> |
3429 |
<screen>&prompt.root; <userinput>ipfw table 10 add 192.168.0.0/24</userinput></screen> |
3430 |
|
3431 |
<para>Add a CIDR network to a table and also assign a value to it:</para> |
3432 |
<screen>&prompt.root; <userinput>ipfw table 10 add 192.168.0.0/24 100</userinput></screen> |
3433 |
|
3434 |
<para>List the contents of a table:</para> |
3435 |
<screen>&prompt.root; <userinput>ipfw table 10 list</userinput></screen> |
3436 |
|
3437 |
<para>To use the table in a firewall rule, type something like this:</para> |
3438 |
<screen>&prompt.root; <userinput>ipfw -q add allow tcp from "table(10)" to any</userinput></screen> |
3439 |
|
3440 |
<para>Or, to use the table and the value in a firewall rule, type something like this:</para> |
3441 |
<screen>&prompt.root; <userinput>ipfw -q add allow tcp from "table(10,100)" to any</userinput></screen> |
3442 |
|
3443 |
<para>The following listing is an example of how one could use tables in a ruleset:</para> |
3444 |
|
3445 |
<programlisting>#!/bin/sh |
3446 |
# Flush out the list before we begin. |
3447 |
ipfw -q -f flush |
3448 |
|
3449 |
# Set rules command prefix |
3450 |
cmd="ipfw -q add" |
3451 |
table="ipfw -q table" |
3452 |
|
3453 |
# Create a table with all IPs allowed to connect to SSH |
3454 |
$table 1 flush # required |
3455 |
$table 1 add 172.27.0.1 # single IP address |
3456 |
$table 1 add 192.168.0.0/24 # CIDR network |
3457 |
|
3458 |
# Actual rule which allows SSH |
3459 |
$cmd allow from "table(1)" to me 22 keep-state |
3460 |
|
3461 |
# Deny everything else |
3462 |
$cmd deny from any to any</programlisting> |
3463 |
|
3464 |
<para>Here is another example, in which tables and values are used |
3465 |
to group clients into multiple bandwidth limitations |
3466 |
depending on their subscription:</para> |
3467 |
|
3468 |
<programlisting>#!/bin/sh |
3469 |
# Flush out the list before we begin. |
3470 |
ipfw -q -f flush |
3471 |
|
3472 |
# Set rules command prefix |
3473 |
cmd="ipfw -q add" |
3474 |
table="ipfw -q table" |
3475 |
pipe="ipfw -q pipe" |
3476 |
if_net="em0" |
3477 |
|
3478 |
# |
3479 |
# Pipes |
3480 |
# |
3481 |
|
3482 |
# Please note that dynamic pipes will be created for each client. |
3483 |
# In other words, clients DO NOT compete for the bandwidth. |
3484 |
|
3485 |
# First subscription rate. |
3486 |
$pipe 10 config queue 10 bw 512Kbit/s mask src-ip 0xffffffff # uplink |
3487 |
$pipe 11 config queue 10 bw 512Kbit/s mask dst-ip 0xffffffff # downlink |
3488 |
|
3489 |
# Second subscription rate. |
3490 |
$pipe 20 config queue 10 bw 768Kbit/s mask src-ip 0xffffffff # uplink |
3491 |
$pipe 21 config queue 10 bw 768Kbit/s mask dst-ip 0xffffffff # downlink |
3492 |
|
3493 |
# Create a table with all IPs allowed to have Internet connection. |
3494 |
# Note that although it is not required, values are the same |
3495 |
# as the bandwidth which will be given to the client. |
3496 |
$table 1 flush # required |
3497 |
$table 1 add 172.27.0.2 512 # 512Kbps client |
3498 |
$table 1 add 172.27.0.3 768 # 768Kbps client |
3499 |
$table 1 add 172.27.0.4 512 # 512Kbps client |
3500 |
|
3501 |
# Actual rules which classify the traffic |
3502 |
$cmd pipe 10 all from "table(1,512)" to any xmit $if_net |
3503 |
$cmd pipe 11 all from any to "table(1,512)" recv $if_net |
3504 |
$cmd pipe 20 all from "table(1,768)" to any xmit $if_net |
3505 |
$cmd pipe 21 all from any to "table(1,768)" recv $if_net |
3506 |
|
3507 |
# Deny everything else |
3508 |
$cmd deny all from any to any</programlisting> |
3509 |
</sect2> |
3358 |
</sect1> |
3510 |
</sect1> |
|
|
3511 |
|
3359 |
</chapter> |
3512 |
</chapter> |
3360 |
|
3513 |
|
3361 |
<!-- |
3514 |
<!-- |
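Review bot: the two dynamic-pipe commands in the dummynet section omit the `mask` keyword that ipfw's pipe configuration syntax requires in front of a `src-ip`/`dst-ip` mask, so `ipfw pipe 10 config bw 4Kbit/s src-ip 0xffffffff` and `ipfw pipe 11 config bw 4Kbit/s dst-ip 0xffffffff` will not be accepted as written; the second tables script in the same hunk has the correct form (`$pipe 10 config queue 10 bw 512Kbit/s mask src-ip 0xffffffff`), so these should read `mask src-ip 0xffffffff` and `mask dst-ip 0xffffffff` too, and `$if_lan` is used in the two `ipfw -q add pipe ...` lines without ever being set, so either define it or name the interface the way the later script does with `if_net="em0"`. The section title `<title>Using Dummy</title>` is cut short and does not match its id `firewalls-ipfw-dummynet`; it should be `Using Dummynet`. The opening paragraph calls dummynet "a traffic shaper, bandwidth manager and delay emulator" and then says it "can also be 'misused' as a traffic shaper", which contradicts itself; drop or reword the second sentence. In the SSH example, `$cmd allow from "table(1)" to me 22 keep-state` names a port but no protocol, whereas the `<screen>` example just above uses `allow tcp from "table(10)" to any`; since the rule is for SSH, write `allow tcp from "table(1)" to me 22 keep-state`, and make the two closing rules consistent (`deny from any to any` in the first script versus `deny all from any to any` in the second). Text fixes: "Queue are" -> "Queues are", "wheres" -> "whereas", "refering" -> "referring", "assigned to it" -> "assigned to them", and "increase the system clock tick" is clearer as "increase the kernel timer frequency (HZ)", matching the `options HZ=1000` line that follows.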