gateway/firewall script

From: Aleksandar Simonovski (aleksandar_at_unet.com.mk)
Date: 10/22/03

    Date: Wed, 22 Oct 2003 16:13:53 +0200
    To: freebsd-net@freebsd.org

    this is my script, works just fine, its purpose is to allow just www, ftp and dns requests
    but I get only 6KB/s transfer with config bw 128Kbit/s, and 3KB/s with 64Kbit/s and so on,
    and it should be 16KB/s with 128Kbit/s and 8KB/s with 64Kbit/s and so on, so is this right or
    am I missing something?

    any comments on the script would be fine

    #!/bin/sh
    # interfaces: rl1 faces the LAN, rl0 faces the Internet
    INTINF=rl1
    EXTINF=rl0
    fwcmd="/sbin/ipfw"

    # natd is running on the external interface (divert port 8668)
    natd -n ${EXTINF}

    ${fwcmd} -f flush
    # hand every packet crossing the external interface to natd
    ${fwcmd} add 1000 divert 8668 ip from any to any via ${EXTINF}
    ${fwcmd} add 1200 allow ip from any to any via lo0
    ${fwcmd} add 1300 deny ip from any to 127.0.0.1/8
    ${fwcmd} add 1400 deny ip from 127.0.0.1/8 to any
    # dynamic rules created by the keep-state rules below are matched here
    ${fwcmd} add 1500 check-state
    ${fwcmd} add 1550 allow icmp from any to any keep-state
    # dns
    ${fwcmd} add 1600 allow log udp from any to any 53 keep-state out
    ${fwcmd} add 1610 allow log udp from any to any 53 keep-state in
    #${fwcmd} add 1620 allow log udp from any 53 to any keep-state in
    # ftp control and data, shaped by queues 1 and 2
    ${fwcmd} add 1700 queue 1 log tcp from any to any 20,21 keep-state out
    ${fwcmd} add 1800 queue 2 log tcp from any 20,21 to any keep-state in
    # www, shaped by queues 3 and 4
    ${fwcmd} add 2000 queue 3 log tcp from any to any 80 keep-state out
    ${fwcmd} add 2010 queue 4 log tcp from any to any 80 keep-state in
    #${fwcmd} add 2020 queue 5 log tcp from any 80 to any keep-state in
    # everything else is dropped and logged
    ${fwcmd} add 2100 deny log ip from any to any
    # one queue per pipe, one dynamic queue per flow (mask all), 128 Kbit/s per pipe
    ${fwcmd} queue 1 config weight 5 pipe 1 mask all
    ${fwcmd} queue 2 config weight 5 pipe 2 mask all
    ${fwcmd} queue 3 config weight 5 pipe 3 mask all
    ${fwcmd} queue 4 config weight 5 pipe 4 mask all
    ${fwcmd} queue 5 config weight 5 pipe 5 mask all
    ${fwcmd} pipe 1 config bw 128Kbit/s
    ${fwcmd} pipe 2 config bw 128Kbit/s
    ${fwcmd} pipe 3 config bw 128Kbit/s
    ${fwcmd} pipe 4 config bw 128Kbit/s
    ${fwcmd} pipe 5 config bw 128Kbit/s

    Cheers,
    Aleksandar
    _______________________________________________
    freebsd-net@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-net
    To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
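Added here as an example, not the poster's script or anything from the thread: the same www/ftp/dns policy with the shaping moved into stateless queue rules bound to rl0 and evaluated before the stateful filter (with net.inet.ip.fw.one_pass=0), so each forwarded packet is charged against a pipe exactly once. In the script above, rule 2010 names no interface, so the dynamic state it creates sends downloaded data through the same pipe both when the packet arrives on rl0 and again when it leaves on rl1, which halves the effective rate (128 Kbit/s becomes 8 KB/s before TCP/IP overhead, close to the 6 KB/s seen). Assumed: rl0 external, rl1 internal, natd on divert port 8668, 128 Kbit/s each way, and IPFW_DRYRUN as a hypothetical switch that prints the commands instead of loading them.

```shell
#!/bin/sh
# Added example, not the poster's script: the same www/ftp/dns gateway policy,
# but shaping is done by stateless queue rules bound to the external interface
# and evaluated before the stateful filter, so each forwarded packet is charged
# against a pipe exactly once and replies fall into the downstream pipe.
# Assumptions: rl0 is external, rl1 internal, natd listens on divert port 8668,
# the link is 128 Kbit/s each way. IPFW_DRYRUN=1 (hypothetical) prints commands.
extif=rl0
rate=128Kbit/s

run() { if [ -n "${IPFW_DRYRUN:-}" ]; then echo "$*"; else "$@"; fi; }
fw()  { run ipfw -q "$@"; }

load_rules() {
    # let a packet continue to the filter rules after leaving a pipe
    run sysctl net.inet.ip.fw.one_pass=0
    fw -f flush
    fw -f pipe flush
    fw -f queue flush
    fw pipe 1 config bw $rate                    # upstream link
    fw pipe 2 config bw $rate                    # downstream link
    fw queue 1 config pipe 1 weight 5 mask all   # per-flow fair share
    fw queue 2 config pipe 2 weight 5 mask all

    # shaping: external interface only, so a forwarded packet is charged once
    fw add 100 queue 1 ip from any to any out via $extif
    fw add 200 queue 2 ip from any to any in via $extif

    # NAT and loopback hygiene, as in the original script
    fw add 1000 divert 8668 ip from any to any via $extif
    fw add 1200 allow ip from any to any via lo0
    fw add 1300 deny ip from any to 127.0.0.0/8
    fw add 1400 deny ip from 127.0.0.0/8 to any

    # stateful filter: only www, ftp and dns may be opened; nothing here shapes
    fw add 1500 check-state
    fw add 1550 allow icmp from any to any keep-state
    fw add 1600 allow udp from any to any 53 keep-state
    fw add 1700 allow tcp from any to any 20,21,80 out keep-state
    fw add 1800 allow tcp from any 20,21 to any in keep-state
    fw add 2100 deny log ip from any to any
}

if [ "${1:-}" = apply ]; then load_rules; fi
```

Run it as `sh gateway.sh apply` to load the rules, or with IPFW_DRYRUN=1 to review the generated ipfw commands first.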

