IPFW / Dummynet problem

2008-03-15 Thread Jay L. T. Cornwall
Hi,

My FreeBSD machine is configured as a bridge between two networks:

|-----|                            |-----|
| LAN | --- vr0 --bridge0-- vr1 -- | WAN |
|-----|                            |-----|

The following firewall ruleset works fine:

add 00600 allow all from any to any via vr0 keep-state
add 00610 allow tcp from any to any 22 in via vr1 setup keep-state
add 00611 allow tcp from any to any 23 in via vr1 setup keep-state
add 00612 allow tcp from any to any 113 in via vr1 setup keep-state
add 00613 allow icmp from any to any icmptypes 11
add 00620 check-state
add 00630 deny all from any to any via vr1
add 00640 allow all from 192.168.1.30 to any
add 00641 allow all from any to 192.168.1.30

I then add the following dummynet rules before these. The LAN continues
to work (queueing is only applied to the vr1 WAN interface), the WAN
continues to work from the bridge machine itself (192.168.1.30) but
outbound HTTP connections from any client on the LAN fail.

pipe 1 config bw 2Mbit/s queue 1
pipe 2 config bw 256Kbit/s queue 1
queue 1 config weight 10 pipe 1 queue 20 mask dst-ip 0x
queue 2 config weight 10 pipe 2 queue 20 mask src-ip 0x
queue 3 config weight 2 pipe 1 queue 100 mask dst-ip 0x
queue 4 config weight 2 pipe 2 queue 10 mask src-ip 0x
queue 5 config weight 1 pipe 1 queue 100 mask dst-ip 0x
queue 6 config weight 1 pipe 2 queue 10 mask src-ip 0x
add 00500 queue 1 tcp from any to any in via vr1 tcpflags ack iplen 0-52
add 00501 queue 2 tcp from any to any out via vr1 tcpflags ack iplen 0-52
add 00510 queue 3 udp from any to any in via vr1
add 00511 queue 4 udp from any to any out via vr1
add 00512 queue 3 tcp from any to any 22 in via vr1
add 00513 queue 4 tcp from any to any 22 out via vr1
add 00514 queue 3 tcp from any to any 993 in via vr1
add 00515 queue 4 tcp from any to any 993 out via vr1
add 00520 queue 5 all from any to any in via vr1
add 00521 queue 6 all from any to any out via vr1

I don't understand how queueing rules could affect the passing of any
packet, except in delay? They do seem to match the queueing rules, e.g.
rules 00520 and 00521 accumulate packets as connection attempts are
made. Outbound packets even seem to pass to the WAN, so I can only
assume it is an inbound/stateful problem?

00100  52   4548 allow ip from any to any via lo0
00200   0  0 deny ip from any to 127.0.0.0/8
00300   0  0 deny ip from 127.0.0.0/8 to any
00500  30   1420 queue 1 tcp from any to any in via vr1 tcpflags ack
iplen 0-52
00501   9390 queue 2 tcp from any to any out via vr1 tcpflags ack
iplen 0-52
00510   2152 queue 3 udp from any to any in via vr1
00511   7528 queue 4 udp from any to any out via vr1
00512   0  0 queue 3 tcp from any to any dst-port 22 in via vr1
00513   0  0 queue 4 tcp from any to any dst-port 22 out via vr1
00514   0  0 queue 3 tcp from any to any dst-port 993 in via vr1
00515  18   1228 queue 4 tcp from any to any dst-port 993 out via vr1
00520  26   1988 queue 5 ip from any to any in via vr1
00521  17964 queue 6 ip from any to any out via vr1
00600 163  10082 allow ip from any to any via vr0 keep-state
00610   0  0 allow tcp from any to any dst-port 22 in via vr1 setup
keep-state
00611   0  0 allow tcp from any to any dst-port 23 in via vr1 setup
keep-state
00612   0  0 allow tcp from any to any dst-port 113 in via vr1 setup
keep-state
00613   0  0 allow icmp from any to any icmptypes 11
00620   0  0 check-state
00630   0  0 deny ip from any to any via vr1
00640 405 102681 allow ip from 192.168.1.30 to any
00641 647  48255 allow ip from any to 192.168.1.30
65535  18   3086 deny ip from any to any

Thanks for any light you can shed on this.

-- 
Jay L. T. Cornwall
http://www.jcornwall.me.uk/
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
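An added example, not part of Jay's post, in POSIX shell: it parses a saved `ipfw show` listing like the one above (the sample embedded below is a constructed excerpt of that listing), rejoins the rule bodies that the 72-column mail wrap split across two lines, and reports which rules never matched and which are dummynet pipe/queue rules. Comparing those two lists before and after a single failing connection attempt narrows down which rule is swallowing the packets. One thing the counters alone will not tell you: whether a packet continues to the rules after a matching pipe or queue rule (and so ever reaches the keep-state and check-state rules) is governed by the net.inet.ip.fw.one_pass sysctl, so read that value alongside the counters.

```shell
#!/bin/sh
# Added example, not from the original post: work through a saved `ipfw show`
# listing (columns: rule, packets, bytes, action, body) and report which
# rules were hit and which are dummynet rules.

# Constructed sample: an excerpt of the listing from the post. The mail wrap
# pushed the tail of rule 00500 ("iplen 0-52") onto a line of its own.
SAMPLE_LISTING='00500  30   1420 queue 1 tcp from any to any in via vr1 tcpflags ack
iplen 0-52
00520  26   1988 queue 5 ip from any to any in via vr1
00600 163  10082 allow ip from any to any via vr0 keep-state
00620   0  0 check-state
00630   0  0 deny ip from any to any via vr1
65535  18   3086 deny ip from any to any'

# Rejoin wrapped lines: a line that does not start with a 5-digit rule
# number is the continuation of the previous rule.
join_wrapped() {
    awk '
        /^[0-9][0-9][0-9][0-9][0-9] / { if (buf != "") print buf; buf = $0; next }
        { buf = buf " " $0 }
        END { if (buf != "") print buf }
    '
}

# Print "rule packets action" for every rule in the listing.
rule_hits() {
    printf '%s\n' "$1" | join_wrapped | awk '{ print $1, $2, $4 }'
}

# Rules whose packet counter is zero, space separated on one line.
# Snapshot before and after a test connection: a stateful allow rule that
# stays at zero never saw the packets you expected it to match.
unhit_rules() {
    printf '%s\n' "$1" | join_wrapped | awk '
        $2 == 0 { out = out (out == "" ? "" : " ") $1 }
        END { print out }
    '
}

# Dummynet rules (action pipe or queue). Whether a packet continues to later
# rules after matching one of these depends on net.inet.ip.fw.one_pass.
dummynet_rules() {
    printf '%s\n' "$1" | join_wrapped | awk '
        $4 == "pipe" || $4 == "queue" { out = out (out == "" ? "" : " ") $1 }
        END { print out }
    '
}

# Usage on a live system: unhit_rules "$(ipfw show)"; dummynet_rules "$(ipfw show)"
```

The join step matters more than it looks: if you feed a wrapped listing straight into awk, the orphaned "iplen 0-52" line is counted as a rule with no number and the rule before it loses part of its body.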


Read-only, diskless boot

2008-03-09 Thread Jay L. T. Cornwall
Hi,

I am trying to install FreeBSD onto a CompactFlash card for an ALIX
system. This guide precisely documents my goals:

http://www.freebsd.org/doc/en_US.ISO8859-1/articles/solid-state/ro-fs.html

Unfortunately, it has not been updated for FreeBSD 7. Crucial files such
as /etc/rc.diskless2 have been replaced by a new mechanism in
/etc/rc.initdiskless. The little documentation I have scraped from the
web is too focused on PXE boots with NFS-mounted directories for me to
figure the new system out.

All I need is:
  * / partition to work in read-only mode.
  * Volatile directories such as /root, /var and /tmp to be populated
into a memory filesystem on boot.

The /conf system seems to be related to this, however
/etc/rc.initdiskless specifically says that it is not the correct
mechanism to use for /var. (Quite what is, I've no idea.)

Can someone give me a leg up?

-- 
Jay L. T. Cornwall
http://www.jcornwall.me.uk/


Re: Read-only, diskless boot

2008-03-09 Thread Jay L. T. Cornwall

Jay L. T. Cornwall wrote:

> All I need is:
>   * / partition to work in read-only mode.
>   * Volatile directories such as /root, /var and /tmp to be populated
> into a memory filesystem on boot.

OK, this turned out to be easier after I spent some time reading through 
the /etc/rc.initdiskless script.

All that was needed was to create:
  /conf/base/root
  /conf/base/tmp
  /conf/base/var

And fill them with the files to be populated in a memory filesystem on 
reboot. An md_size file inside each dir tweaks the size of the memory 
disks according to the script.

Then touch /etc/diskless and the magic happens!

--
Jay L. T. Cornwall
http://www.jcornwall.me.uk/
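The procedure from the question and this reply (populate /conf/base/root, /conf/base/tmp and /conf/base/var, drop an md_size file into each, then touch /etc/diskless), as an added POSIX shell example that is not the poster's own script. It takes a root directory argument so the layout can be rehearsed in a scratch directory before it is written to the CompactFlash image; the default size and the reading of md_size as the size argument for mdmfs are this example's assumptions, not something the post states.

```shell
#!/bin/sh
# Added example, not from the original thread: build the /conf/base/<name>
# skeleton that /etc/rc.initdiskless copies into memory filesystems at boot.
# Everything is created under $root so a dry run never touches the live system.

# Assumption: md_size holds the size argument rc.initdiskless hands to mdmfs -s
# (sectors of 512 bytes unless suffixed); 10240 sectors is 5 MB.
DEFAULT_MD_SIZE=10240

# Populate $root/conf/base/$name from the directory $src and record the
# memory-disk size. Modes are preserved so the sticky bit on tmp survives.
prepare_conf_base() {
    root=$1; name=$2; src=$3; size=${4:-$DEFAULT_MD_SIZE}
    dest="$root/conf/base/$name"
    mkdir -p "$dest"
    cp -Rp "$src/." "$dest/"
    printf '%s\n' "$size" > "$dest/md_size"
}

# Create the /etc/diskless marker the post describes; rc.initdiskless does
# the memory-filesystem setup only when it is told the system is diskless.
enable_diskless() {
    mkdir -p "$1/etc" && : > "$1/etc/diskless"
}

# Sanity check before imaging: every directory under conf/base must carry a
# purely numeric md_size. Prints the directory names; exits non-zero on a
# missing or malformed md_size.
check_conf_base() {
    root=$1; status=0; names=""
    for d in "$root"/conf/base/*/; do
        [ -d "$d" ] || continue
        n=$(basename "$d")
        case "$(cat "$d/md_size" 2>/dev/null)" in
            ''|*[!0-9]*) echo "bad or missing md_size in $n" >&2; status=1 ;;
            *) names="$names${names:+ }$n" ;;
        esac
    done
    printf '%s\n' "$names"
    return $status
}

# Usage against the real filesystem (as root):
#   prepare_conf_base / var /var 32768; prepare_conf_base / tmp /tmp;
#   prepare_conf_base / root /root; check_conf_base / && enable_diskless /
```

One operational caveat with this layout: /var lives in memory, so /var/log is empty again after every reboot. On a bridge that enforces a firewall ruleset that means the audit trail of what the ruleset blocked disappears with the reboot, so configure syslogd to forward to another host if you need to keep it.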