FreeBSD Bugzilla – Attachment 81408 Details for
Bug 116588
No IPFW tables or dummynet in Handbook
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
firewalls_chapter.diff
firewalls_chapter.diff (text/plain), 9.86 KB, created by
Sevan Janiyan
on 2014-05-26 06:11:45 UTC
(
hide
)
Description:
firewalls_chapter.diff
Filename:
MIME Type:
Creator:
Sevan Janiyan
Created:
2014-05-26 06:11:45 UTC
Size:
9.86 KB
patch
obsolete
>Index: en_US.ISO8859-1/books/handbook/firewalls/chapter.xml >=================================================================== >--- en_US.ISO8859-1/books/handbook/firewalls/chapter.xml (revision 44952) >+++ en_US.ISO8859-1/books/handbook/firewalls/chapter.xml (working copy) >@@ -398,7 +398,7 @@ > > <!-- > This is no longer true as of 9.x. It also references the CARP section >-which doesn't explain how to use it...At some point it should. >+which does not explain how to use it...At some point it should. > <indexterm> > <primary>kernel options</primary> > <secondary>device pf</secondary> >@@ -447,18 +447,17 @@ > </note> > --> > >- <para>By default, <application>PF</application> reads its >- configuration rules from <filename>/etc/pf.conf</filename> and >- modifies, drops, or passes packets according to the rules or >- definitions specified in this file. The &os; installation >- includes several sample files located in >- <filename>/usr/share/examples/pf/</filename>. Refer to the >- <link xlink:href="http://www.openbsd.org/faq/pf/">PF >- FAQ</link> for complete coverage >- of <application>PF</application> rulesets.</para> >+<para>By default, <application>PF</application> reads its >+ configuration rules from <filename>/etc/pf.conf</filename> and >+ modifies, drops, or passes packets according to the rules or >+ definitions specified in this file. The &os; installation includes >+ several sample files located in >+ <filename>/usr/share/examples/pf/</filename>. Refer to the <link >+ xlink:href="http://www.openbsd.org/faq/pf/">PF FAQ</link> for >+ complete coverage of <application>PF</application> rulesets.</para> > >- <para>To control <application>PF</application>, use >- <command>pfctl</command>. <xref linkend="pfctl"/> summarizes >+<para>To control <application>PF</application>, use >+ <command>pfctl</command>. <xref linkend="pfctl"/> summarizes > some useful options to this command. Refer to &man.pfctl.8; > for a description of all available options:</para> > >@@ -1702,8 +1701,9 @@ > firewall rules.</para> > </listitem> > <listitem> >- <para><filename><replaceable>filename</replaceable></filename>: full path of the file >- containing the firewall ruleset.</para> >+ <para><filename><replaceable>filename</replaceable></filename>: >+ full path of the file containing the firewall >+ ruleset.</para> > </listitem> > </itemizedlist> > >@@ -2312,7 +2312,7 @@ > <para>On the inbound side, the ruleset has to deny bad packets > and allow only authorized services. A packet which matches an > inbound rule is posted to the dynamic state table and the >- packet is released to the <acronym>LAN</acronym>. The packet >+ packet is released to the <acronym>LAN</acronym>. The packet > generated as a response is recognized by the > <literal>check-state</literal> rule as belonging to an > existing session. It is then sent to rule >@@ -2614,12 +2614,192 @@ > &prompt.root; <userinput>ipfw -q add 00611 allow udp from any to 192.0.2.11 53 out via tun0 keep-state</userinput></screen> > </sect3> > </sect2> >- </sect1> > >- <sect1 xml:id="firewalls-ipf"> >- <title>IPFILTER (IPF)</title> >+ <sect2 xml:id="firewalls-ipfw-dummynet"> >+ <title>Using Dummynet</title> > >- <indexterm> >+ <para>&man.dummynet.4; is a traffic shaper, bandwidth manager >+ and delay emulator which may be used to simulate different >+ types of physical links. It can also be "misused" >+ as a traffic shaper.</para> >+ >+ <para>&man.dummynet.4; offers two objects. Pipes are an >+ abstraction of a given link, having a certain bandwidth, delay >+ and loss. Queues are an abstraction used to implement >+ weighted fair queuing. In practice, pipes can be used to set >+ hard limits to the bandwidth that a flow can use, wheres >+ queues can be used to determine how different flows share that >+ bandwidth.</para> >+ >+ <para>To ensure that &man.dummynet.4; is loaded at boot time add >+ the following line to >+ <filename>/boot/loader.conf</filename>:</para> >+ >+ <programlisting>dummynet_load="YES"</programlisting> >+ >+ <para>Please note that in order for &man.dummynet.4; to work >+ correctly, it is highly recommended to increase the system >+ clock tick rate. This can be accomplished by adding the >+ following option to kernel configuration files.</para> >+ >+ <programlisting>options HZ=1000</programlisting> >+ >+ <para>Use the following command to configure a pipe which has >+ 4Kbps and a 100ms delay:</para> >+ >+ <screen>&prompt.root; <userinput>ipfw pipe 10 config bw 4Kbit/s delay 100</userinput></screen> >+ >+ <para>To use this pipe, i.e have some traffic go through it, >+ use the following command:</para> >+ >+ <screen>&prompt.root; <userinput>ipfw -q add pipe 10 all from 10.0.0.0/24 to any</userinput></screen> >+ >+ <para>Please note that to properly limit users, one should >+ create separate pipes for upload and download.</para> >+ >+ <para>Using the above pipe configuration, all LAN users compete >+ for the same bandwidth. If you would like to assign each of >+ them 4Kbps upload and download, you may create dynamic pipes >+ based on the source IP (for uplink) or destination IP (for >+ downlink):</para> >+ >+ <screen>&prompt.root; <userinput>ipfw pipe 10 config bw 4Kbit/s src-ip 0xffffffff</userinput> >+&prompt.root; <userinput>ipfw pipe 11 config bw 4Kbit/s dst-ip 0xffffffff</userinput> >+&prompt.root; <userinput>ipfw -q add pipe 10 all from any to any recv $if_lan</userinput> >+&prompt.root; <userinput>ipfw -q add pipe 11 all from any to any xmit $if_lan</userinput></screen> >+ </sect2> >+ >+ <sect2 xml:id="firewalls-ipfw-tables"> >+ <title>Using Tables</title> >+ >+ <para>Tables are a way of referring to multiple IP addresses >+ using a single identifier. They are useful in the following >+ situations:</para> >+ >+ <itemizedlist> >+ <listitem> >+ <para>you must apply the same rule to a lot of IP >+ addresses (table lookups are fast)</para> >+ </listitem> >+ <listitem> >+ <para>you must apply a lot of rules to some IP addresses >+ (use tables to add / remove IP addresses from a single >+ location in the ruleset)</para> >+ </listitem> >+ </itemizedlist> >+ >+ <para>IP addresses stored in a table may also have an optional >+ 32-bit unsigned value assigned to them. A rule may be written >+ in such a way that it will only match if the IP found in >+ a table has been assigned a specific value.</para> >+ >+ <para>These are the commands used to manipulate tables from the >+ shell:</para> >+ >+ <para>Clear all IP addresses from a table:</para> >+ >+ <screen>&prompt.root; <userinput>ipfw table 10 flush</userinput></screen> >+ >+ <para>Add a single IP address to a table:</para> >+ >+ <screen>&prompt.root; <userinput>ipfw table 10 add 172.27.0.1</userinput></screen> >+ >+ <para>Add a CIDR network to a table:</para> >+ >+ <screen>&prompt.root; <userinput>ipfw table 10 add 192.168.0.0/24</userinput></screen> >+ >+ <para>Add a CIDR network to a table and also assign a value to >+ it:</para> >+ >+ <screen>&prompt.root; <userinput>ipfw table 10 add 192.168.0.0/24 100</userinput></screen> >+ >+ <para>List the contents of a table:</para> >+ >+ <screen>&prompt.root; <userinput>ipfw table 10 list</userinput></screen> >+ >+ <para>To use the table in a firewall rule:</para> >+ >+ <screen>&prompt.root; <userinput>ipfw -q add allow tcp from "table(10)" to any</userinput></screen> >+ >+ <para>Or, to use the table and the value in a firewall >+ rule:</para> >+ >+ <screen>&prompt.root; <userinput>ipfw -q add allow tcp from "table(10,100)" to any</userinput></screen> >+ >+ <para>The following listing is an example of how one could use >+ tables in a ruleset:</para> >+ >+ <programlisting>#!/bin/sh >+# Flush out the list before we begin. >+ipfw -q -f flush >+ >+# Set rules command prefix >+cmd="ipfw -q add" >+table="ipfw -q table" >+ >+# Create a table with all IPs allowed to connect to SSH >+$table 1 flush # required >+$table 1 add 172.27.0.1 # single IP address >+$table 1 add 192.168.0.0/24 # CIDR network >+ >+# Actual rule which allows SSH >+$cmd allow from "table(1)" to me 22 keep-state >+ >+# Deny everything else >+$cmd deny from any to any</programlisting> >+ >+ <para>Here is another example, in which tables and values are >+ used to group clients into multiple bandwidth limitations >+ depending on their subscription:</para> >+ >+ <programlisting>#!/bin/sh >+# Flush out the list before we begin. >+ipfw -q -f flush >+ >+# Set rules command prefix >+cmd="ipfw -q add" >+table="ipfw -q table" >+pipe="ipfw -q pipe" >+if_net="em0" >+ >+# >+# Pipes >+# >+ >+# Please note that dynamic pipes will be created for each client. >+# In other words, clients DO NOT compete for the bandwidth. >+ >+# First subscription rate. >+$pipe 10 config queue 10 bw 512Kbit/s mask src-ip 0xffffffff # uplink >+$pipe 11 config queue 10 bw 512Kbit/s mask dst-ip 0xffffffff # downlink >+ >+# Second subscription rate. >+$pipe 20 config queue 10 bw 768Kbit/s mask src-ip 0xffffffff # uplink >+$pipe 21 config queue 10 bw 768Kbit/s mask dst-ip 0xffffffff # downlink >+ >+# Create a table with all IPs allowed to have Internet connection. >+# Note that although it is not required, values are the same >+# as the bandwidth which will be given to the client. >+$table 1 flush # required >+$table 1 add 172.27.0.2 512 # 512Kbps client >+$table 1 add 172.27.0.3 768 # 768Kbps client >+$table 1 add 172.27.0.4 512 # 512Kbps client >+ >+# Actual rules which classify the traffic >+$cmd pipe 10 all from "table(1,512)" to any xmit $if_net >+$cmd pipe 11 all from any to "table(1,512)" recv $if_net >+$cmd pipe 20 all from "table(1,768)" to any xmit $if_net >+$cmd pipe 21 all from any to "table(1,768)" recv $if_net >+ >+# Deny everything else >+$cmd deny all from any to any</programlisting> >+ </sect2> >+ </sect1> >+ >+ <sect1 xml:id="firewalls-ipf"> >+ <title>IPFILTER (IPF)</title> >+ >+ <indexterm> > <primary>firewall</primary> > > <secondary><application>IPFILTER</application></secondary>
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=81408">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 116588
:
81407
| 81408