View | Details | Raw Unified | Return to bug 116588

(-)chapter.sgml (+153 lines)
Lines 3355-3361 Link Here
3355
################ End of IPFW rules file ###############################</programlisting>
3355
################ End of IPFW rules file ###############################</programlisting>
3356
      </sect3>
3356
      </sect3>
3357
    </sect2>
3357
    </sect2>
3358
3359
	<sect2 id="firewalls-ipfw-dummynet">
3360
	  <title>Using Dummy</title>
3361
	  
3362
	  <para>Dummynet is a traffic shaper, bandwidth manager and delay emulator which may
3363
		be used to simulate different types of physical links. It can also be
3364
		&quot;misused&quot;	as a traffic shaper.</para>
3365
		
3366
	  <para>Dummynet offers two objects. Pipes are an abstraction of a given link, having
3367
		a certain bandwidth, delay and loss. Queue are an abstraction used to implement
3368
		weighted fair queuing. In practice, pipes can be used to set hard limits to the
3369
		bandwidth that a flow can use, wheres queues can be used to determine how different
3370
		flows share that bandwidth.</para>
3371
3372
	  <para>Please note that, in order for dummynet to work correctly, it is highly recommended to
3373
		increase the system clock tick. This can be accomplished by adding the following kernel option:</para>
3374
	  <programlisting>options	HZ=1000</programlisting>
3375
		
3376
	  <para>Use the following command to configure a pipe which has 4Kbps
3377
		and a 100ms delay:</para>
3378
      <screen>&prompt.root; <userinput>ipfw pipe 10 config bw 4Kbit/s delay 100</userinput></screen>
3379
	  
3380
	  <para>To use this pipe, i.e. have some traffic go through it, use the following command:</para>
3381
      <screen>&prompt.root; <userinput>ipfw -q add pipe 10 all from 10.0.0.0/24 to any</userinput></screen>
3382
	  
3383
	  <para>Please note that to properly limit users, one should create separate pipes for download and upload.
3384
		</para>
3385
	  
3386
	  <para>Using the above pipe configuration, all LAN users compete for the
3387
		same bandwidth. If you would like to assign each of them 4Kbps
3388
		download and upload, you may create dynamic pipes based on the
3389
		source IP (for uplink) or destination IP (for downlink):</para>
3390
      <screen>&prompt.root; <userinput>ipfw pipe 10 config bw 4Kbit/s src-ip 0xffffffff</userinput>
3391
&prompt.root; <userinput>ipfw pipe 11 config bw 4Kbit/s dst-ip 0xffffffff</userinput>
3392
&prompt.root; <userinput>ipfw -q add pipe 10 all from any to any recv $if_lan</userinput>
3393
&prompt.root; <userinput>ipfw -q add pipe 11 all from any to any xmit $if_lan</userinput></screen>
3394
		
3395
	</sect2>
3396
	
3397
	<sect2 id="firewalls-ipfw-tables">
3398
	  <title>Using Tables</title>
3399
	  
3400
	  <para>Tables are a way of refering to multiple IP addresses
3401
		using a single identifier. They are useful in the following
3402
		situations:</para>
3403
		
3404
	  <itemizedlist>
3405
		<listitem>
3406
	  <para>you must apply the same rule to a lot of IP addresses
3407
		(table lookups are fast)</para>
3408
		</listitem>
3409
		<listitem>
3410
	  <para>you must apply a lot of rules to some IP addresses
3411
		(use tables to add / remove IP addresses from a single location
3412
		in the ruleset)</para>
3413
		</listitem>
3414
	  </itemizedlist>
3415
	  
3416
	  <para>IP addresses contained in a table may also have an optional 32-bit unsigned value
3417
		assigned to it. A rule may be written in such a way that it will only match if the IP
3418
		found in a table has been assigned a specific value.</para>
3419
		
3420
	  <para>These are the commands used to manipulate tables from the shell:</para>
3421
	  
3422
	  <para>Clear all IPs from a table:</para>
3423
      <screen>&prompt.root; <userinput>ipfw table 10 flush</userinput></screen>
3424
	  
3425
	  <para>Add a single IP address to a table:</para>
3426
      <screen>&prompt.root; <userinput>ipfw table 10 add 172.27.0.1</userinput></screen>
3427
	  
3428
	  <para>Add a CIDR network to a table:</para>
3429
      <screen>&prompt.root; <userinput>ipfw table 10 add 192.168.0.0/24</userinput></screen>
3430
	  
3431
	  <para>Add a CIDR network to a table and also assign a value to it:</para>
3432
      <screen>&prompt.root; <userinput>ipfw table 10 add 192.168.0.0/24 100</userinput></screen>	  
3433
	  
3434
	  <para>List the contents of a table:</para>
3435
      <screen>&prompt.root; <userinput>ipfw table 10 list</userinput></screen>
3436
	  
3437
	  <para>To use the table in a firewall rule, type something like this:</para>
3438
      <screen>&prompt.root; <userinput>ipfw -q add allow tcp from &quot;table(10)&quot; to any</userinput></screen>
3439
3440
	  <para>Or, to use the table and the value in a firewall rule, type something like this:</para>
3441
      <screen>&prompt.root; <userinput>ipfw -q add allow tcp from &quot;table(10,100)&quot; to any</userinput></screen>
3442
	  
3443
	  <para>The following listing is an example of how one could use tables in a ruleset:</para>
3444
	  
3445
	  <programlisting>#!/bin/sh
3446
# Flush out the list before we begin.
3447
ipfw -q -f flush
3448
3449
# Set rules command prefix
3450
cmd="ipfw -q add"
3451
table="ipfw -q table"
3452
3453
# Create a table with all IPs allowed to connect to SSH
3454
$table 1 flush					# required
3455
$table 1 add 172.27.0.1			# single IP address
3456
$table 1 add 192.168.0.0/24		# CIDR network
3457
3458
# Actual rule which allows SSH
3459
$cmd allow from "table(1)" to me 22 keep-state
3460
3461
# Deny everything else
3462
$cmd deny from any to any</programlisting>
3463
3464
	  <para>Here is another example, in which tables and values are used
3465
		to group clients into multiple bandwidth limitations
3466
		depending on their subscription:</para>
3467
3468
	  <programlisting>#!/bin/sh
3469
# Flush out the list before we begin.
3470
ipfw -q -f flush
3471
3472
# Set rules command prefix
3473
cmd="ipfw -q add"
3474
table="ipfw -q table"
3475
pipe="ipfw -q pipe"
3476
if_net="em0"
3477
3478
#
3479
# Pipes
3480
#
3481
3482
# Please note that dynamic pipes will be created for each client.
3483
# In other words, clients DO NOT compete for the bandwidth.
3484
3485
# First subscription rate.
3486
$pipe 10 config queue 10 bw 512Kbit/s mask src-ip 0xffffffff	# uplink
3487
$pipe 11 config queue 10 bw 512Kbit/s mask dst-ip 0xffffffff	# downlink
3488
3489
# Second subscription rate.
3490
$pipe 20 config queue 10 bw 768Kbit/s mask src-ip 0xffffffff	# uplink
3491
$pipe 21 config queue 10 bw 768Kbit/s mask dst-ip 0xffffffff	# downlink
3492
3493
# Create a table with all IPs allowed to have Internet connection.
3494
# Note that although it is not required, values are the same
3495
# as the bandwidth which will be given to the client.
3496
$table 1 flush					# required
3497
$table 1 add 172.27.0.2	512		# 512Kbps client
3498
$table 1 add 172.27.0.3 768		# 768Kbps client
3499
$table 1 add 172.27.0.4 512		# 512Kbps client
3500
3501
# Actual rules which classify the traffic
3502
$cmd pipe 10 all from "table(1,512)" to any xmit $if_net
3503
$cmd pipe 11 all from any to "table(1,512)" recv $if_net
3504
$cmd pipe 20 all from "table(1,768)" to any xmit $if_net
3505
$cmd pipe 21 all from any to "table(1,768)" recv $if_net
3506
3507
# Deny everything else
3508
$cmd deny all from any to any</programlisting>
3509
	</sect2>
3358
  </sect1>
3510
  </sect1>
3511
  
3359
</chapter>
3512
</chapter>
3360
3513
3361
<!--
3514
<!--
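Review bot: the two dynamic-pipe commands in the new Dummynet section, `ipfw pipe 10 config bw 4Kbit/s src-ip 0xffffffff` and `ipfw pipe 11 config bw 4Kbit/s dst-ip 0xffffffff`, are missing the `mask` keyword that ipfw requires before a flow-mask field such as src-ip or dst-ip; the later bandwidth-grouping listing uses the correct form (`$pipe 10 config queue 10 bw 512Kbit/s mask src-ip 0xffffffff`), so these two should read `... bw 4Kbit/s mask src-ip 0xffffffff` and `... bw 4Kbit/s mask dst-ip 0xffffffff` or readers copying them will get a parse error. In the first tables listing, the rules `$cmd allow from "table(1)" to me 22 keep-state` and `$cmd deny from any to any` omit the protocol that every other rule in this patch supplies (allow tcp from "table(10)" to any, deny all from any to any); since a port 22 match only makes sense for TCP, writing `allow tcp from "table(1)" to me 22 keep-state` and `deny all from any to any` would be consistent with the rest of the chapter and unambiguous. Text nits in the same hunk: the section title reads "Using Dummy" and should be "Using Dummynet"; the prose has "Queue are" (Queues are), "wheres" (whereas) and "refering" (referring); and the sentence saying Dummynet "can also be misused as a traffic shaper" repeats the opening statement that it is a traffic shaper, so the intended contrast (for example, use as a delay or loss emulator for testing) should be stated explicitly.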
