The following reply was made to PR docs/116588; it has been noted by GNATS.
From: venture37 <[email protected]> To: [email protected], [email protected] Cc: Subject: Re: docs/116588: No IPFW tables or dummynet in Handbook Date: Mon, 26 May 2014 06:11:45 +0100 This is a multi-part message in MIME format. --------------080201090104010609090803 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Attached is an updated diff which adds instructions for dummynet & utilising tables alongside adjustments highlighted by igor. One issue which I was unable to fix was 450:bad tag indent: <para>By default, <application>PF</application> reads its --------------080201090104010609090803 Content-Type: text/plain; charset=UTF-8; name="ipfw.txt" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="ipfw.txt" Index: en_US.ISO8859-1/books/handbook/firewalls/chapter.xml =================================================================== --- en_US.ISO8859-1/books/handbook/firewalls/chapter.xml (revision 44952) +++ en_US.ISO8859-1/books/handbook/firewalls/chapter.xml (working copy) @@ -398,7 +398,7 @@ <!-- This is no longer true as of 9.x. It also references the CARP section -which doesn't explain how to use it...At some point it should. +which does not explain how to use it...At some point it should. <indexterm> <primary>kernel options</primary> <secondary>device pf</secondary> @@ -447,18 +447,17 @@ </note> --> - <para>By default, <application>PF</application> reads its - configuration rules from <filename>/etc/pf.conf</filename> and - modifies, drops, or passes packets according to the rules or - definitions specified in this file. The &os; installation - includes several sample files located in - <filename>/usr/share/examples/pf/</filename>. Refer to the - <link xlink:href="http://www.openbsd.org/faq/pf/";>PF - FAQ</link> for complete coverage - of <application>PF</application> rulesets.</para> +<para>By default, <application>PF</application> reads its + configuration rules from <filename>/etc/pf.conf</filename> and + modifies, drops, or passes packets according to the rules or + definitions specified in this file. The &os; installation includes + several sample files located in + <filename>/usr/share/examples/pf/</filename>. Refer to the <link + xlink:href="http://www.openbsd.org/faq/pf/";>PF FAQ</link> for + complete coverage of <application>PF</application> rulesets.</para> - <para>To control <application>PF</application>, use - <command>pfctl</command>. <xref linkend="pfctl"/> summarizes +<para>To control <application>PF</application>, use + <command>pfctl</command>. <xref linkend="pfctl"/> summarizes some useful options to this command. Refer to &man.pfctl.8; for a description of all available options:</para> @@ -1702,8 +1701,9 @@ firewall rules.</para> </listitem> <listitem> - <para><filename><replaceable>filename</replaceable></filename>: full path of the file - containing the firewall ruleset.</para> + <para><filename><replaceable>filename</replaceable></filename>: + full path of the file containing the firewall + ruleset.</para> </listitem> </itemizedlist> @@ -2312,7 +2312,7 @@ <para>On the inbound side, the ruleset has to deny bad packets and allow only authorized services. A packet which matches an inbound rule is posted to the dynamic state table and the - packet is released to the <acronym>LAN</acronym>. The packet + packet is released to the <acronym>LAN</acronym>. The packet generated as a response is recognized by the <literal>check-state</literal> rule as belonging to an existing session. It is then sent to rule @@ -2614,12 +2614,192 @@ &prompt.root; <userinput>ipfw -q add 00611 allow udp from any to 192.0.2.11 53 out via tun0 keep-state</userinput></screen> </sect3> </sect2> - </sect1> - <sect1 xml:id="firewalls-ipf"> - <title>IPFILTER (IPF)</title> + <sect2 xml:id="firewalls-ipfw-dummynet"> + <title>Using Dummynet</title> - <indexterm> + <para>&man.dummynet.4; is a traffic shaper, bandwidth manager + and delay emulator which may be used to simulate different + types of physical links. It can also be "misused" + as a traffic shaper.</para> + + <para>&man.dummynet.4; offers two objects. Pipes are an + abstraction of a given link, having a certain bandwidth, delay + and loss. Queues are an abstraction used to implement + weighted fair queuing. In practice, pipes can be used to set + hard limits to the bandwidth that a flow can use, wheres + queues can be used to determine how different flows share that + bandwidth.</para> + + <para>To ensure that &man.dummynet.4; is loaded at boot time add + the following line to + <filename>/boot/loader.conf</filename>:</para> + + <programlisting>dummynet_load="YES"</programlisting> + + <para>Please note that in order for &man.dummynet.4; to work + correctly, it is highly recommended to increase the system + clock tick rate. This can be accomplished by adding the + following option to kernel configuration files.</para> + + <programlisting>options HZ=1000</programlisting> + + <para>Use the following command to configure a pipe which has + 4Kbps and a 100ms delay:</para> + + <screen>&prompt.root; <userinput>ipfw pipe 10 config bw 4Kbit/s delay 100</userinput></screen> + + <para>To use this pipe, i.e have some traffic go through it, + use the following command:</para> + + <screen>&prompt.root; <userinput>ipfw -q add pipe 10 all from 10.0.0.0/24 to any</userinput></screen> + + <para>Please note that to properly limit users, one should + create separate pipes for upload and download.</para> + + <para>Using the above pipe configuration, all LAN users compete + for the same bandwidth. If you would like to assign each of + them 4Kbps upload and download, you may create dynamic pipes + based on the source IP (for uplink) or destination IP (for + downlink):</para> + + <screen>&prompt.root; <userinput>ipfw pipe 10 config bw 4Kbit/s src-ip 0xffffffff</userinput> +&prompt.root; <userinput>ipfw pipe 11 config bw 4Kbit/s dst-ip 0xffffffff</userinput> +&prompt.root; <userinput>ipfw -q add pipe 10 all from any to any recv $if_lan</userinput> +&prompt.root; <userinput>ipfw -q add pipe 11 all from any to any xmit $if_lan</userinput></screen> + </sect2> + + <sect2 xml:id="firewalls-ipfw-tables"> + <title>Using Tables</title> + + <para>Tables are a way of referring to multiple IP addresses + using a single identifier. They are useful in the following + situations:</para> + + <itemizedlist> + <listitem> + <para>you must apply the same rule to a lot of IP + addresses (table lookups are fast)</para> + </listitem> + <listitem> + <para>you must apply a lot of rules to some IP addresses + (use tables to add / remove IP addresses from a single + location in the ruleset)</para> + </listitem> + </itemizedlist> + + <para>IP addresses stored in a table may also have an optional + 32-bit unsigned value assigned to them. A rule may be written + in such a way that it will only match if the IP found in + a table has been assigned a specific value.</para> + + <para>These are the commands used to manipulate tables from the + shell:</para> + + <para>Clear all IP addresses from a table:</para> + + <screen>&prompt.root; <userinput>ipfw table 10 flush</userinput></screen> + + <para>Add a single IP address to a table:</para> + + <screen>&prompt.root; <userinput>ipfw table 10 add 172.27.0.1</userinput></screen> + + <para>Add a CIDR network to a table:</para> + + <screen>&prompt.root; <userinput>ipfw table 10 add 192.168.0.0/24</userinput></screen> + + <para>Add a CIDR network to a table and also assign a value to + it:</para> + + <screen>&prompt.root; <userinput>ipfw table 10 add 192.168.0.0/24 100</userinput></screen> + + <para>List the contents of a table:</para> + + <screen>&prompt.root; <userinput>ipfw table 10 list</userinput></screen> + + <para>To use the table in a firewall rule:</para> + + <screen>&prompt.root; <userinput>ipfw -q add allow tcp from "table(10)" to any</userinput></screen> + + <para>Or, to use the table and the value in a firewall + rule:</para> + + <screen>&prompt.root; <userinput>ipfw -q add allow tcp from "table(10,100)" to any</userinput></screen> + + <para>The following listing is an example of how one could use + tables in a ruleset:</para> + + <programlisting>#!/bin/sh +# Flush out the list before we begin. +ipfw -q -f flush + +# Set rules command prefix +cmd="ipfw -q add" +table="ipfw -q table" + +# Create a table with all IPs allowed to connect to SSH +$table 1 flush # required +$table 1 add 172.27.0.1 # single IP address +$table 1 add 192.168.0.0/24 # CIDR network + +# Actual rule which allows SSH +$cmd allow from "table(1)" to me 22 keep-state + +# Deny everything else +$cmd deny from any to any</programlisting> + + <para>Here is another example, in which tables and values are + used to group clients into multiple bandwidth limitations + depending on their subscription:</para> + + <programlisting>#!/bin/sh +# Flush out the list before we begin. +ipfw -q -f flush + +# Set rules command prefix +cmd="ipfw -q add" +table="ipfw -q table" +pipe="ipfw -q pipe" +if_net="em0" + +# +# Pipes +# + +# Please note that dynamic pipes will be created for each client. +# In other words, clients DO NOT compete for the bandwidth. + +# First subscription rate. +$pipe 10 config queue 10 bw 512Kbit/s mask src-ip 0xffffffff # uplink +$pipe 11 config queue 10 bw 512Kbit/s mask dst-ip 0xffffffff # downlink + +# Second subscription rate. +$pipe 20 config queue 10 bw 768Kbit/s mask src-ip 0xffffffff # uplink +$pipe 21 config queue 10 bw 768Kbit/s mask dst-ip 0xffffffff # downlink + +# Create a table with all IPs allowed to have Internet connection. +# Note that although it is not required, values are the same +# as the bandwidth which will be given to the client. +$table 1 flush # required +$table 1 add 172.27.0.2 512 # 512Kbps client +$table 1 add 172.27.0.3 768 # 768Kbps client +$table 1 add 172.27.0.4 512 # 512Kbps client + +# Actual rules which classify the traffic +$cmd pipe 10 all from "table(1,512)" to any xmit $if_net +$cmd pipe 11 all from any to "table(1,512)" recv $if_net +$cmd pipe 20 all from "table(1,768)" to any xmit $if_net +$cmd pipe 21 all from any to "table(1,768)" recv $if_net + +# Deny everything else +$cmd deny all from any to any</programlisting> + </sect2> + </sect1> + + <sect1 xml:id="firewalls-ipf"> + <title>IPFILTER (IPF)</title> + + <indexterm> <primary>firewall</primary> <secondary><application>IPFILTER</application></secondary> --------------080201090104010609090803-- _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-doc To unsubscribe, send any mail to "[email protected]"
