On 9/03/2016 9:32 AM, Don Lewis wrote:
I'm trying to add FQ-CoDEL AQM to my FreeBSD 10 firewall box using this
patch: <http://caia.swin.edu.au/freebsd/aqm/downloads.html>, but I'm
running into a problem that I think is caused by an interaction between
in-kernel NAT and dummynet.  I've set up two dummynet pipe/sched/queue
instances using example 3.3a from this document
<http://caia.swin.edu.au/freebsd/aqm/patches/README-0.1.txt> with the
appropriate bandwidths, but otherwise default tunings to shape both
inbound and outbound traffic.  My inside network is a /24 and I have an
external /29 (ext/29) network that I don't want to rate limit.  My
outside network interface is re0.  I'm using the /etc/rc.firewall
"simple" firewall configuration.

The problem that I'm having crops up when I actually try to add the
firewall rules to select the traffic that I want to rate limit.  The
first rule in the list is:
        100 allow ip from any to any via lo0
The second rule is numbered 200 and is the first anti-spoofing rule.  If
I add *either* of these two rules, then I'm no longer able to
communicate between hosts on my internal network and the rest of the
world:

   ipfw add 110 queue 1 ip from not ext/29 to any in recv re0
   ipfw add 120 queue 2 ip from any to not ext/29 out xmit re0

It seems like the inbound rule should be early in the rule list so that
any inbound traffic that gets dropped by the firewall rules gets counted
even if it is dropped by later rules.  It also seems like the outbound
rule needs to be before any allow rules since an allow rule would skip
the remaining rules and would not count that traffic.  Unfortunately the
ipfw documentation doesn't really describe the interaction between
dummynet, NAT, and other firewall rules.

Unfortunately this is a live system, so it is difficult to do controlled
experiments and look at the ipfw counters to see where things might be
going into the weeds ...

OK, so you need to do what I always tell people: split your rules into separate incoming and outgoing rule sets.
So your first rule should be:
  skipto 10000 all from any to any in


and have separate sets of rules for incoming and outgoing packets.

Then you should always set one_pass to 0 and expect your packets to come back to the firewall at the next number.
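An added example (not from either poster) of a rule layout that follows the reply's advice: rule 100 splits the directions, each direction has its own block with its dummynet queue rule ahead of nat and allow, and one_pass is set to 0 so a packet leaving a queue re-enters at the next rule. The addresses are constructed placeholders standing in for the thread's ext/29 and inside /24; re0 is the outside interface named in the thread.

```shell
#!/bin/sh
# Rule set in the shape the reply describes: rule 100 splits inbound from
# outbound, each direction has its own block, and one_pass=0 so a packet
# leaving a dummynet queue continues at the next rule number instead of
# being accepted there (which would skip the nat rule placed after it).
# Addresses are constructed placeholders, not the poster's real networks.
EXT_NET="203.0.113.0/29"    # stands in for the thread's ext/29
INT_NET="192.168.1.0/24"    # stands in for the inside /24
OIF="re0"                   # outside interface named in the thread

# Print the ipfw commands; review with `emit_ruleset`, or apply with
# `emit_ruleset | sh` as root on a FreeBSD box with ipfw and dummynet.
emit_ruleset() {
    fw="ipfw -q"
    echo "sysctl net.inet.ip.fw.one_pass=0"
    echo "$fw flush"
    echo "$fw nat 1 config if $OIF"
    # direction split: every inbound packet jumps to the 10000 block
    echo "$fw add 100 skipto 10000 all from any to any in"
    # --- outbound block (1000-9999): shape, then nat, then allow ---
    echo "$fw add 1000 allow ip from any to any via lo0"
    echo "$fw add 1100 queue 2 ip from any to not $EXT_NET out xmit $OIF"
    echo "$fw add 1200 nat 1 ip from any to any out xmit $OIF"
    echo "$fw add 1300 allow ip from any to any out"
    # --- inbound block (10000+): shape first so traffic dropped later is
    #     still counted, then anti-spoofing, then nat, then the policy ---
    echo "$fw add 10000 allow ip from any to any via lo0"
    echo "$fw add 10100 queue 1 ip from not $EXT_NET to any in recv $OIF"
    echo "$fw add 10200 deny ip from $INT_NET to any in recv $OIF"
    echo "$fw add 10300 nat 1 ip from any to any in recv $OIF"
    # placeholder for the real inbound policy (rc.firewall "simple" rules)
    echo "$fw add 10400 allow ip from any to any in"
}

# rule_number PATTERN: number of the first emitted rule matching PATTERN;
# used to check that each queue rule really sits ahead of nat and allow.
rule_number() {
    emit_ruleset | grep -- "$1" | head -n 1 \
        | sed 's/^ipfw -q add \([0-9]*\) .*/\1/'
}
```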



_______________________________________________
freebsd-ipfw@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"

