Re: best solution (and also simple) to guarantee a bandwidth (Was: Welcome to the "freebsd-isp" mailing list)

From: Carlos Alloatti (calloatti_at_gmail.com)
Date: 05/24/05

    Date: Mon, 23 May 2005 19:15:54 -0300
    To: "ovidiue@unixware.ro" <ovidiue@unixware.ro>
    
    

    On 5/23/05, ovidiue@unixware.ro <ovidiue@unixware.ro> wrote:
    > Quoting Carlos Alloatti <calloatti@gmail.com>:
    >
    > > I have just done that, I set up FreeBSD with 2 network cards, bridge,
    > > ipfw and dummynet. It works without a glitch, has been up for 20 days.
    > >
    > > You have to set up pipes and queues in ipfw rules
    > >
    >
    > How many users do you have? Can you send me the config files?
    >

    rl0 connects to Internet, rl1 connects to LAN

    /etc/rc.conf

    hostname="bridge.local"
    network_interfaces="rl0 rl1 lo0"
    ifconfig_rl1="inet xxx.xxx.xxx.xxx netmask 255.255.255.0"
    defaultrouter="xxx.xxx.xxx.1"
    #required for ipfw support
    firewall_enable="YES"
    firewall_type="/etc/rc.firewall.rules"
    firewall_quiet="NO"
    firewall_logging="YES"

    /etc/resolv.conf

    domain local
    nameserver xxx.xxx.xxx.xxx
    nameserver yyy.yyy.yyy.yyy

    /etc/hosts
    127.0.0.1 localhost.local localhost
    xxx.xxx.xxx.xxx bridge.local bridge

    /etc/sysctl.conf

    net.link.ether.bridge.config=rl0:1,rl1:1
    net.link.ether.bridge.enable=1

    # Controls whether bridged packets are passed to ipfw
    net.link.ether.bridge.ipfw=1

    # Delta between rule numbers when auto-generating them
    net.inet.ip.fw.autoinc_step=10

    # Bridged packets are accepted after the first pass through the firewall
    # irrespective of the setting of the sysctl variable
    net.inet.ip.fw.one_pass=1

    # Lazily delete dynamic pipes/queue once they have no pending traffic
    net.inet.ip.dummynet.expire=1

    kern.polling.enable=1

    net.inet.ip.fw.verbose=1
    net.inet.ip.fw.verbose_limit=5

    # The blackhole sysctl(8) MIB is used to control system behaviour when
    # connection requests are received on TCP or UDP ports where there is no
    # socket listening.

    net.inet.tcp.blackhole=2
    net.inet.udp.blackhole=1

    # /etc/rc.firewall.rules

    # UPload pipe
    pipe 1 config bw 128Kbits/s queue 10 gred 0.002/5/15/0.10

    # DNload pipe
    pipe 2 config bw 320Kbits/s queue 15 gred 0.002/5/15/0.10

    # 64Kbits pipe
    pipe 3 config bw 64Kbits/s queue 5 gred 0.002/5/15/0.10

    # *** queues ***
    # Upload queues pipe 1
    queue 01101 config weight 50 buckets 128 pipe 1 mask src-ip 0xffffffff queue 10 gred 0.002/5/15/0.10
    queue 01102 config weight 30 buckets 128 pipe 1 mask src-ip 0xffffffff queue 10 gred 0.002/5/15/0.10
    queue 01103 config weight 15 buckets 128 pipe 1 mask src-ip 0xffffffff queue 5 gred 0.002/5/15/0.10
    queue 01104 config weight 04 buckets 128 pipe 1 mask src-ip 0xffffffff queue 5 gred 0.002/5/15/0.10
    queue 01199 config weight 01 buckets 128 pipe 1 mask src-ip 0xffffffff queue 5 gred 0.002/5/15/0.10

    # Download queues pipe 2
    queue 02201 config weight 40 buckets 128 pipe 2 mask dst-ip 0xffffffff queue 10 gred 0.002/5/15/0.10
    queue 02202 config weight 35 buckets 128 pipe 2 mask dst-ip 0xffffffff queue 10 gred 0.002/5/15/0.10
    queue 02203 config weight 20 buckets 128 pipe 2 mask dst-ip 0xffffffff queue 5 gred 0.002/5/15/0.10
    queue 02299 config weight 05 buckets 128 pipe 2 mask dst-ip 0xffffffff queue 5 gred 0.002/5/15/0.10

    # 64Kbits queues pipe 3
    queue 03101 config weight 10 buckets 128 pipe 3 mask src-ip 0xffffffff queue 5 gred 0.002/5/15/0.10
    queue 03201 config weight 90 buckets 128 pipe 3 mask dst-ip 0xffffffff queue 5 gred 0.002/5/15/0.10

    # *** firewall ***
    # loopback
    add 01000 pass all from any to any via lo0
    add 01010 deny all from any to 127.0.0.0/8
    add 01020 deny ip from 127.0.0.0/8 to any

    # Disabled IP addresses
    #add 00011 deny ip from xxx.xxx.xxx.xxx to any

    # Deny ip inbound traffic from non-routable reserved address spaces
    add 02000 deny ip from 192.168.0.0/16 to any // RFC 1918 private IP
    add 02010 deny ip from 172.16.0.0/12 to any // RFC 1918 private IP
    add 02020 deny ip from 10.0.0.0/8 to any // RFC 1918 private IP
    add 02030 deny ip from 0.0.0.0/8 to any // loopback
    add 02040 deny ip from 169.254.0.0/16 to any // DHCP auto-config
    add 02050 deny ip from 192.0.2.0/24 to any // reserved for docs
    add 02060 deny ip from 204.152.64.0/23 to any // Sun cluster interconnect
    add 02070 deny ip from 224.0.0.0/3 to any // Class D & E multicast

    add 02200 deny ip from any to 192.168.0.0/16 // RFC 1918 private IP
    add 02210 deny ip from any to 172.16.0.0/12 // RFC 1918 private IP
    add 02220 deny ip from any to 10.0.0.0/8 // RFC 1918 private IP
    add 02230 deny ip from any to 0.0.0.0/8 // loopback
    add 02240 deny ip from any to 169.254.0.0/16 // DHCP auto-config
    add 02250 deny ip from any to 192.0.2.0/24 // reserved for docs
    add 02260 deny ip from any to 204.152.64.0/23 // Sun cluster interconnect
    add 02270 deny ip from any to 224.0.0.0/3 // Class D & E multicast

    add 03000 deny icmp from any to me icmptypes 8 in via rl0 // deny pings from outside to bridge
    add 03010 deny ip from any to me dst-port 22 in via rl0 // deny SSH from outside to bridge
    add 03020 deny ip from any to me dst-port 113 in via rl0 // deny ident from outside to bridge
    add 03030 deny ip from any to me dst-port 10000 in via rl0 // deny webmin from outside to bridge

    add 03200 deny ip from any to any frag in // Deny any late arriving packets

    add 04000 deny ip from any to any dst-port 67 // Bootstrap Protocol Server (DHCP)
    add 04010 deny ip from any to any dst-port 68 // Bootstrap Protocol Server (DHCP)
    add 04020 deny ip from any to any dst-port 42 // Host Name Server (Wins) MS/Windows
    add 04030 deny ip from any to any dst-port 135 // DCOM Service Control Manager MS/Windows
    add 04040 deny ip from any to any dst-port 137 // NetBIOS Name Service MS/Windows
    add 04050 deny ip from any to any dst-port 138 // NetBIOS Datagram Service MS/Windows
    add 04060 deny ip from any to any dst-port 139 // NETBIOS Session Service MS/Windows
    add 04070 deny ip from any to any dst-port 445 // Microsoft Directory Services MS/Windows

    add 04200 deny ip from any to any src-port 67 // Bootstrap Protocol Server (DHCP)
    add 04210 deny ip from any to any src-port 68 // Bootstrap Protocol Server (DHCP)
    add 04220 deny ip from any to any src-port 42 // Host Name Server (Wins) MS/Windows
    add 04230 deny ip from any to any src-port 135 // DCOM Service Control Manager MS/Windows
    add 04240 deny ip from any to any src-port 137 // NetBIOS Name Service MS/Windows
    add 04250 deny ip from any to any src-port 138 // NetBIOS Datagram Service MS/Windows
    add 04260 deny ip from any to any src-port 139 // NETBIOS Session Service MS/Windows
    add 04270 deny ip from any to any src-port 445 // Microsoft Directory Services MS/Windows

    # *** Traffic shaping ****
    add 05100 pass ip from me 22 to any // do not enqueue traffic from bridge ssh
    add 05110 pass ip from any to me 22 // do not enqueue traffic to bridge ssh

    # 64Kbits
    add queue 03101 ip from 200.43.89.19 to any in via rl1 // Roura
    add queue 03201 ip from any to 200.43.89.19 in via rl0

    add queue 03101 ip from 200.43.89.33 to any in via rl1 // Diblasio
    add queue 03201 ip from any to 200.43.89.33 in via rl0

    # P2P
    add 10000 queue 02299 tcp from any to any src-port 6881-6999 in via rl0 // P2P BitTorrent
    add queue 02299 tcp from any to any dst-port 6881-6999 in via rl0 // P2P BitTorrent
    add queue 01199 tcp from any to any src-port 6881-6999 in via rl1 // P2P BitTorrent
    add queue 01199 tcp from any to any dst-port 6881-6999 in via rl1 // P2P BitTorrent

    add queue 02299 ip from any to any src-port 412 in via rl0 // P2P DirectConnect
    add queue 01199 ip from any to any src-port 412 in via rl1 // Hated_P2P DirectConnect

    add queue 02299 ip from any to any src-port 1044-1045 in via rl0 // P2P DirectFileExpress
    add queue 01199 ip from any to any src-port 1044-1045 in via rl1 // P2P DirectFileExpress

    add queue 02299 ip from any to any src-port 1214 in via rl0 // P2P FastTrack (Kazaa)
    add queue 01199 ip from any to any src-port 1214 in via rl1 // P2P FastTrack (Kazaa)

    add queue 02299 ip from any to any src-port 2340 in via rl0 // P2P CuteMX
    add queue 01199 ip from any to any src-port 2340 in via rl1 // P2P CuteMX

    add queue 02299 ip from any to any src-port 4329 in via rl0 // P2P iMest
    add queue 01199 ip from any to any src-port 4329 in via rl1 // P2P iMest

    add queue 02299 ip from any to any src-port 4661-4665 in via rl0 // P2P EDonkey2000
    add queue 01199 ip from any to any src-port 4661-4665 in via rl1 // P2P EDonkey2000
    add queue 02299 ip from any to any src-port 4672 in via rl0 // P2P Edonkey2000 (get more info on this)
    add queue 01199 ip from any to any src-port 4672 in via rl1 // P2P Edonkey2000 (get more info on this)

    add queue 02299 ip from any to any src-port 5190 in via rl0 // P2P SongSpy
    add queue 01199 ip from any to any src-port 5190 in via rl1 // P2P SongSpy

    add queue 02299 ip from any to any src-port 5500-5503 in via rl0 // P2P HotlineConnect
    add queue 01199 ip from any to any src-port 5500-5503 in via rl1 // P2P HotlineConnect

    add queue 02299 ip from any to any src-port 6346 in via rl0 // P2P Gnutella
    add queue 01199 ip from any to any src-port 6346 in via rl1 // P2P Gnutella

    add queue 02299 ip from any 6666-6668 to any in via rl0 // P2P dcc
    add queue 01199 ip from any 6666-6668 to any in via rl1 // P2P dcc

    add queue 02299 ip from any to any src-port 6699-6701 in via rl0 // P2P Napster
    add queue 01199 ip from any to any src-port 6699-6701 in via rl1 // P2P Napster

    add queue 02299 ip from any to any src-port 7668 in via rl0 // P2P Aimster
    add queue 01199 ip from any to any src-port 7668 in via rl1 // P2P Aimster

    add queue 02299 ip from any to any src-port 7788 in via rl0 // P2P BuddyShare
    add queue 01199 ip from any to any src-port 7788 in via rl1 // P2P BuddyShare

    add queue 02299 ip from any to any src-port 8311 in via rl0 // P2P Scour
    add queue 01199 ip from any to any src-port 8311 in via rl1 // P2P Scour

    add queue 02299 ip from any to any src-port 8888-8889 in via rl0 // P2P OpenNap
    add queue 01199 ip from any to any src-port 8888-8889 in via rl1 // P2P OpenNap

    add queue 02299 ip from any to any src-port 28864-28865 in via rl0 // P2P hotComm
    add queue 01199 ip from any to any src-port 28864-28865 in via rl1 // P2P hotComm

    # Uploads
    add 11000 queue 01103 tcp from any to any iplen 0-80 tcpflags ack in via rl1 // ack
    add queue 01101 ip from any to any iplen 0-100 in via rl1 // small packet
    add queue 01101 udp from any to any dst-port 53 in via rl1 // DNS query
    add queue 01101 ah from any to any in via rl1 // ah authentication header
    add queue 01101 esp from any to any in via rl1 // esp encapsulating security payload
    add queue 01101 gre from any to any in via rl1 // gre Generic Routing Encapsulation
    add queue 01101 udp from any to any dst-port 27960 in via rl1 // Enemy Territory
    add queue 01102 icmp from any to any in via rl1 // icmp internet control message protocol
    add queue 01104 ip from any to any in via rl1 // Uploads catches rest

    # Downloads
    add 12000 queue 02201 icmp from any to any in via rl0 // icmp internet control message protocol
    add queue 02201 ip from any to any iplen 0-100 in via rl0 // small packet
    add queue 02201 udp from any to any src-port 53 in via rl0 // DNS query
    add queue 02201 ah from any to any in via rl0 // ah authentication header
    add queue 02201 esp from any to any in via rl0 // esp encapsulating security payload
    add queue 02201 gre from any to any in via rl0 // gre Generic Routing Encapsulation
    add queue 02201 udp from any to any src-port 27960 in via rl0 // Enemy Territory
    add queue 02202 tcp from any to any src-port 554 in via rl0 // Real Audio stream
    add queue 02202 tcp from any to any src-port 1755 in via rl0 // Windows Media Audio stream
    add queue 02203 ip from any to any in via rl0 // Downloads catches rest

    # eof rc.firewall.rules

    mkdir /root/kernels
    cp /usr/src/sys/i386/conf/GENERIC /root/kernels/BRIDGE
    cd /usr/src/sys/i386/conf
    ln -s /root/kernels/BRIDGE
    ee /root/kernels/BRIDGE

    ident BRIDGE
    #options INET6 # IPv6 communications protocols
    #device gif # IPv6 and IPv4 tunneling # wbridge
    #device faith # IPv6-to-IPv4 relaying (translation)
    #device plip # TCP/IP over parallel
    options IPFIREWALL
    options IPFIREWALL_DEFAULT_TO_ACCEPT
    options IPFIREWALL_FORWARD
    options IPDIVERT
    options IPSTEALTH

    options IPFIREWALL_VERBOSE
    options IPFIREWALL_VERBOSE_LIMIT=5

    options DUMMYNET
    options BRIDGE

    options HZ=1000

    # Optional
    options NMBCLUSTERS=4096

    # Optional
    options DEVICE_POLLING

    save file

    cd /usr/src
    make buildkernel KERNCONF=BRIDGE
    make installkernel KERNCONF=BRIDGE

    Read the Handbook, and all you can find:

    http://www.freebsd.org/cgi/man.cgi?query=bridge&sektion=4

    http://www.freebsd.org/cgi/man.cgi?query=netintro&sektion=4&apropos=0&manpath=FreeBSD+5.3-RELEASE+and+Ports

    http://www.freebsd.org/cgi/man.cgi?query=rc.conf&sektion=5&apropos=0&manpath=FreeBSD+5.3-RELEASE+and+Ports

    http://info.iet.unipi.it/~luigi/polling/

    http://www.freebsd.org/cgi/man.cgi?query=polling&sektion=4&apropos=0&manpath=FreeBSD+5.3-RELEASE+and+Ports

    http://www.freebsd.org/doc/en_US.ISO8859-1/articles/filtering-bridges/article.html

    http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-building.html

    http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-bridging.html

    http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html

    Well, I can't do more for you. I knew nothing about FreeBSD before I set
    up this machine; I learned enough to do this in a week. You can do it
    too.

    -- 
    Carlos Alloatti
    calloatti_at_gmail.com
    _______________________________________________
    freebsd-isp@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-isp
    To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
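The posted ruleset guarantees bandwidth through dummynet WF2Q+ weights: every queue on a pipe gets at least weight / sum(weights of backlogged queues) of the pipe's bandwidth, and the src-ip/dst-ip masks turn each class into one dynamic queue per host. The following is an added example, not code from the message or from FreeBSD: it parses a constructed excerpt of the rules above, flags "add queue" rules that reference an unconfigured queue, and computes the share each backlogged (queue, host) pair receives. The RULES text and the host addresses are constructed samples.

```python
import re

# Constructed excerpt of the posted rc.firewall.rules, plus one deliberately
# dangling reference (queue 09999) to show the consistency check.
RULES = """
pipe 1 config bw 128Kbits/s queue 10 gred 0.002/5/15/0.10
pipe 2 config bw 320Kbits/s queue 15 gred 0.002/5/15/0.10
queue 01101 config weight 50 buckets 128 pipe 1 mask src-ip 0xffffffff queue 10 gred 0.002/5/15/0.10
queue 01104 config weight 04 buckets 128 pipe 1 mask src-ip 0xffffffff queue 5 gred 0.002/5/15/0.10
queue 01199 config weight 01 buckets 128 pipe 1 mask src-ip 0xffffffff queue 5 gred 0.002/5/15/0.10
add queue 01199 tcp from any to any dst-port 6881-6999 in via rl1 // P2P BitTorrent
add queue 01101 udp from any to any dst-port 53 in via rl1 // DNS query
add queue 01104 ip from any to any in via rl1 // Uploads catches rest
add queue 09999 ip from any to any in via rl1 // dangling reference (constructed)
"""

PIPE_RE = re.compile(r"^pipe (\d+) config bw (\d+)Kbits/s")
QUEUE_RE = re.compile(r"^queue (\d+) config weight (\d+) .*?pipe (\d+)")
RULE_RE = re.compile(r"^add (?:\d+ )?queue (\d+) ")

def parse(text):
    """Return pipes {n: bw_kbit}, queues {n: (weight, pipe)} and the list of
    queue numbers referenced by 'add ... queue N' rules. Numbers such as
    01101 are read as decimal, so they appear as 1101."""
    pipes, queues, refs = {}, {}, []
    for line in text.splitlines():
        line = line.split("//")[0].strip()      # strip ipfw trailing comment
        if m := PIPE_RE.match(line):
            pipes[int(m[1])] = int(m[2])
        elif m := QUEUE_RE.match(line):
            queues[int(m[1])] = (int(m[2]), int(m[3]))
        elif m := RULE_RE.match(line):
            refs.append(int(m[1]))
    return pipes, queues, refs

def dangling(queues, refs):
    """Queue numbers used by rules but never configured (traffic would not be shaped as intended)."""
    return sorted({q for q in refs if q not in queues})

def shares(pipes, queues, backlogged):
    """backlogged: list of (queue, host) dynamic queues that currently have data.
    WF2Q+ hands each one bw * weight / sum(weights) of its pipe, in Kbit/s."""
    by_pipe, out = {}, {}
    for q, host in backlogged:
        weight, pipe = queues[q]
        by_pipe.setdefault(pipe, []).append((q, host, weight))
    for pipe, flows in by_pipe.items():
        total = sum(w for _, _, w in flows)
        for q, host, w in flows:
            out[(q, host)] = pipes[pipe] * w / total
    return out
```

With one DNS host and two bulk-upload hosts active, the DNS class keeps 50/58 of the 128 Kbit/s upload pipe and each bulk host gets 4/58; a single P2P host would get 1/59 of it.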
    
