FreeBSD – ipfw: Traffic Shaping

Tags: firewall, freebsd

I'm not sure what, but it seems like I'm doing something wrong… My objective is to be able to limit some of my traffic, to be exact www traffic. One of my clients is running what's called a webproxy, where an end-user can surf any webpage through their site. If anyone is interested, take a look at:

http://www.thespacesurf.com/

So here is my /etc/ipfw.rules file followed by ipfw show and ipfw pipe show:

flush
pipe flush
pipe 1 config bw 1Mbit/s mask src-port www
pipe 2 config bw 1Mbit/s mask src-port www
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any
add 8381 pipe 1 tcp from any to any dst-port www uid daemon
add 8382 pipe 2 tcp from any to any src-port www uid daemon
add 8025 allow tcp from any to any dst-port smtp
add 8110 allow tcp from any to any dst-port pop3
add 8143 allow tcp from any to any dst-port imap
add 8993 allow tcp from any to any dst-port imaps
add 8995 allow tcp from any to any dst-port pop3s
add 65000 pass all from any to any

su-3.2# ipfw show
00100  85839853  23452504269 allow ip from any to any via lo0
00200         0            0 deny ip from any to 127.0.0.0/8
00300         0            0 deny ip from 127.0.0.0/8 to any
08025   8835622   3440233341 allow tcp from any to any dst-port 25
08110    748762     44303607 allow tcp from any to any dst-port 110
08143    443916     26822178 allow tcp from any to any dst-port 143
08381 139901701  10870804903 pipe 1 tcp from any to any dst-port 80 uid daemon
08382 181159216 209004032651 pipe 2 tcp from any 80 to any uid daemon
08993   2621221    332143828 allow tcp from any to any dst-port 993
08995    880748     87973919 allow tcp from any to any dst-port 995
65000 323132905 187469722830 allow ip from any to any
65535         0            0 deny ip from any to any
su-3.2# ipfw pipe show
00001:   1.000 Mbit/s    0 ms   50 sl. 1 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 tcp     64.237.55.83/49910  66.218.161.133/80    139909114 10871439505  0    0  50
00002:   1.000 Mbit/s    0 ms   50 sl. 1 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 tcp   66.218.161.133/80       64.237.55.83/49910 181159216 209004032651  0    0 21025730
su-3.2# 

According to mrtg I'm doing way over the 1Mbit/s that I set in my ipfw. I'll be more than happy to provide whatever additional information is needed to solve this issue, but for starters:

su-3.2# uname -a
FreeBSD x.xxx.xxx 7.3-RELEASE FreeBSD 7.3-RELEASE #13: Tue Mar 23 20:47:52 UTC 2010     xxx@x.xxx.xxx:/usr/obj/usr/src/sys/GENERIC  amd64
su-3.2# 

Best Answer

First, please check if net.inet.ip.fw.one_pass is set.

Second, I don't think you need that mask parameter on your pipe configuration. You can't always be sure that packets come from port 80, e.g. if a user communicates from behind a NAT, etc.

Third, I would try it without rules 200 and 300. I'm not quite sure how it's handling piping internally, but the Traffic Shaping section of ipfw(8) lists these tips:

CHECKLIST
Here are some important points to consider when designing your rules:

  o  Remember that you filter both packets going in and out.  Most connections need packets going in both directions.

  o  Remember to test very carefully.  It is a good idea to be near the console when doing this.  If you cannot be near the console, use an auto-recovery script such as the one in /usr/share/examples/ipfw/change_rules.sh.

  o  **Do not forget the loopback interface.**

And fourth, I would change the default rule (= the last rule 65000) to deny all. It's good firewall design and without it, all these other allow rules are just wasted ;)
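A ruleset that applies the answer's four points, as an added example that is neither the asker's file nor the answerer's code: the pipes lose the mask, the last rule is deny all, and because a shaped packet re-enters the ruleset at the next rule when net.inet.ip.fw.one_pass is 0, each pipe rule is followed by an allow with the same match (with one_pass=1 the packet is accepted when it leaves the pipe and never reaches those rules, so they cost nothing either way). Once the default is deny, every flow the host needs must be allowed in both directions, which is the checklist's first point: the mail rules get setup keep-state, and the ssh rule (the 192.0.2.0/24 admin network is an assumption) and the DNS rule are additions a box running a web proxy would need. Rule numbers, service names and the daemon uid follow the question; lint_rules checks the generated file before it is loaded.

```shell
#!/bin/sh
# Added example, not code from the original post or answer. Generates, lints
# and loads an ipfw ruleset that follows the answer: no mask on the pipes,
# allow rules right after the pipe rules (needed when one_pass=0), stateful
# allows for the mail ports and a deny-all default. The ssh admin network
# (192.0.2.0/24) and the DNS rule are assumptions; everything else mirrors
# the question.
set -eu

# One ipfw command per line, the form that "ipfw -q <file>" reads.
emit_rules() {
    cat <<'EOF'
flush
pipe flush
pipe 1 config bw 1Mbit/s
pipe 2 config bw 1Mbit/s
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any
add 400 check-state
add 500 allow tcp from 192.0.2.0/24 to me dst-port ssh setup keep-state
add 600 allow udp from me to any dst-port domain keep-state
add 8381 pipe 1 tcp from any to any dst-port www uid daemon
add 8382 pipe 2 tcp from any to any src-port www uid daemon
add 8383 allow tcp from any to any dst-port www uid daemon
add 8384 allow tcp from any to any src-port www uid daemon
add 8025 allow tcp from any to any dst-port smtp setup keep-state
add 8110 allow tcp from any to any dst-port pop3 setup keep-state
add 8143 allow tcp from any to any dst-port imap setup keep-state
add 8993 allow tcp from any to any dst-port imaps setup keep-state
add 8995 allow tcp from any to any dst-port pop3s setup keep-state
add 65000 deny ip from any to any
EOF
}

# Sanity checks before loading: no pipe carries a mask, every pipe rule has
# an allow with the same match (so one_pass=0 cannot strand shaped packets
# at the default deny), and the last rule is deny all. Non-zero on failure.
lint_rules() {
    emit_rules | awk '
        BEGIN { bad = 0 }
        /^pipe [0-9]+ config/ && / mask/ { print "pipe config still has a mask: " $0; bad = 1 }
        /^add [0-9]+ pipe [0-9]+ / { spec = $0; sub(/^add [0-9]+ pipe [0-9]+ /, "", spec); want[spec] = 1 }
        /^add [0-9]+ allow / { spec = $0; sub(/^add [0-9]+ allow /, "", spec); if (spec in want) delete want[spec] }
        { last = $0 }
        END {
            for (s in want) { print "pipe rule without a following allow: " s; bad = 1 }
            if (last != "add 65000 deny ip from any to any") { print "ruleset does not end in deny all"; bad = 1 }
            exit bad
        }'
}

# Write and load the file the same way the question does. Print one_pass
# first so you know whether the post-pipe allows are in play; with
# one_pass=1 shaped packets never reach them.
apply_rules() {
    lint_rules
    echo "net.inet.ip.fw.one_pass=$(sysctl -n net.inet.ip.fw.one_pass)"
    emit_rules > /etc/ipfw.rules
    ipfw -q /etc/ipfw.rules
}

if [ "${1:-}" = apply ]; then
    apply_rules
fi
```

Run it as `sh load-ipfw.sh apply` on the box; without the argument it only defines the functions, so `lint_rules` can be run on a workstation first. Between the `flush` and the last `add` only the kernel's rule 65535 (deny, as the question's `ipfw show` output confirms) is in effect, which is the remote lock-out window the checklist's change_rules.sh exists for. After loading, the byte counters in `ipfw show` tell you which rule the traffic actually hits: anything that lands on 65000 was never shaped, whatever mrtg counts on the interface. The `ipfw pipe show` output in the question prints an all-zero mask and `1 queues`, so the pipe was one shared 1 Mbit/s queue; if the goal is 1 Mbit/s per client rather than in total, ipfw takes a numeric mask such as `mask src-ip 0xffffffff` on the pipe config to create one queue per flow.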
