I'm not sure what, but it seems like I'm doing something wrong… My objective is to be able to limit some of my traffic, to be exact www traffic. One of my clients is running what's called a webproxy, where an end-user can surf any web pages through their site; if anyone is interested, take a look at:
So here is my /etc/ipfw.rules file, followed by ipfw show and ipfw pipe show:

flush
pipe flush
pipe 1 config bw 1Mbit/s mask src-port www
pipe 2 config bw 1Mbit/s mask src-port www
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any
add 8381 pipe 1 tcp from any to any dst-port www uid daemon
add 8382 pipe 2 tcp from any to any src-port www uid daemon
add 8025 allow tcp from any to any dst-port smtp
add 8110 allow tcp from any to any dst-port pop3
add 8143 allow tcp from any to any dst-port imap
add 8993 allow tcp from any to any dst-port imaps
add 8995 allow tcp from any to any dst-port pop3s
add 65000 pass all from any to any

su-3.2# ipfw show
00100  85839853  23452504269 allow ip from any to any via lo0
00200         0            0 deny ip from any to 127.0.0.0/8
00300         0            0 deny ip from 127.0.0.0/8 to any
08025   8835622   3440233341 allow tcp from any to any dst-port 25
08110    748762     44303607 allow tcp from any to any dst-port 110
08143    443916     26822178 allow tcp from any to any dst-port 143
08381 139901701  10870804903 pipe 1 tcp from any to any dst-port 80 uid daemon
08382 181159216 209004032651 pipe 2 tcp from any 80 to any uid daemon
08993   2621221    332143828 allow tcp from any to any dst-port 993
08995    880748     87973919 allow tcp from any to any dst-port 995
65000 323132905 187469722830 allow ip from any to any
65535         0            0 deny ip from any to any
su-3.2#

su-3.2# ipfw pipe show
00001:   1.000 Mbit/s    0 ms   50 sl. 1 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 tcp      64.237.55.83/49910    66.218.161.133/80   139909114  10871439505 0 0 50
00002:   1.000 Mbit/s    0 ms   50 sl. 1 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 tcp      66.218.161.133/80     64.237.55.83/49910  181159216 209004032651 0 0 21025730
su-3.2#
According to mrtg I'm doing way over the 1Mbit/s that I set in my ipfw. I'll be more than happy to provide whatever additional information is needed to solve this issue, but for starters:
su-3.2# uname -a
FreeBSD x.xxx.xxx 7.3-RELEASE FreeBSD 7.3-RELEASE #13: Tue Mar 23 20:47:52 UTC 2010     xxx@x.xxx.xxx:/usr/obj/usr/src/sys/GENERIC  amd64
su-3.2#
Best Answer
First, please check if net.inet.ip.fw.one_pass is set.

Second, I don't think you need that mask parameter on your pipe configuration. You can't always be sure that packets come from port 80, e.g. if a user communicates from behind a NAT, etc.

Third, I would try it without rules 200 and 300. I'm not quite sure how it's handling piping internally, but the Traffic Shaping section of ipfw(8) has these tips listed:

And fourth, I would change the default rule (= the last rule 65000) to deny all. It's good firewall design, and without it all these other allow rules are just wasted ;)
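As an added example (not part of the question or the answer above), here is a small parser for the ipfw pipe show output quoted in the question. It reduces the counters to the two facts worth reading first when a dummynet pipe seems to let through more than its configured rate: whether the mask is all zero (so every matching flow lands in one shared queue, which the "1 queues" in the output confirms) and how hard each pipe is tail-dropping. The sample string is the poster's own output pasted inline; the 1% drop-ratio threshold is an assumption of this example.

```python
import re

# Sample `ipfw pipe show` output, copied from the question above into a string.
SAMPLE = """\
00001: 1.000 Mbit/s 0 ms 50 sl. 1 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 tcp 64.237.55.83/49910 66.218.161.133/80 139909114 10871439505 0 0 50
00002: 1.000 Mbit/s 0 ms 50 sl. 1 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 tcp 66.218.161.133/80 64.237.55.83/49910 181159216 209004032651 0 0 21025730
"""

HEADER = re.compile(r"^(\d+):\s+(\S+ \S+)\s+(\d+) ms\s+(\d+) sl\.\s+(\d+) queues")
MASK = re.compile(r"^\s*mask:\s+0x([0-9a-f]+)\s+0x([0-9a-f]+)/0x([0-9a-f]+)"
                  r"\s+->\s+0x([0-9a-f]+)/0x([0-9a-f]+)")
# Columns: BKT Prot Src Dst Tot_pkt Tot_bytes Pkt Byte Drp
FLOW = re.compile(r"^\s*\d+\s+(\w+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")

def parse_pipe_show(text):
    """Parse `ipfw pipe show` text into {pipe_number: {bw, mask_is_zero, flows}}."""
    pipes, cur = {}, None
    for line in text.splitlines():
        if m := HEADER.match(line):
            cur = pipes[int(m[1])] = {"bw": m[2], "mask_is_zero": False, "flows": []}
        elif cur and (m := MASK.match(line)):
            cur["mask_is_zero"] = all(int(g, 16) == 0 for g in m.groups())
        elif cur and (m := FLOW.match(line)):
            # (src, dst, total packets, total bytes, drops)
            cur["flows"].append((m[2], m[3], int(m[4]), int(m[5]), int(m[8])))
    return pipes

def diagnose(pipes):
    """Per pipe: drop count, tail-drop ratio and what the counters imply."""
    report = {}
    for num, p in pipes.items():
        pkts = sum(f[2] for f in p["flows"])
        drops = sum(f[4] for f in p["flows"])
        ratio = drops / pkts if pkts else 0.0
        notes = []
        if p["mask_is_zero"]:
            notes.append("all-zero mask: every matching flow shares one queue")
        if ratio > 0.01:  # assumed threshold for "this pipe is clearly shaping"
            notes.append("heavy tail drops: this pipe is actively shaping what it matches")
        report[num] = {"bw": p["bw"], "drops": drops, "drop_ratio": ratio, "notes": notes}
    return report
```

Run against the poster's output, pipe 2 shows roughly 11.6% of its packets tail-dropped, so the pipe is enforcing its rate on the traffic it matches; the excess seen by mrtg must therefore be traffic that the pipe rules do not match.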