once again: rules for natd+ipfw+dummynet

From: Martins Dzelde (martins.dzelde_at_latrude.lv)
Date: 03/16/05

    Date: Thu, 17 Mar 2005 00:33:03 +0200
    To: freebsd-net@freebsd.org


    hi,
    I've been searching the web and reading manuals and I cannot figure out
    whether I am setting up my FreeBSD box correctly. And now I have many
    questions; I hope someone out there has answers for some of them.
    So, the system I am aiming for:

    +----------------------------------------------+
    | [Internet Antenna]                           |
    | real ip address: x.x.x.94                    |
    | routed network: x.x.x.64/255.255.255.224     |
    +----------------------------------------------+
                    |
                    |
    +----------------------------------------------+
    | [FreeBSD box]                                |
    | rl2 -> x.x.x.93 (connected to antenna)       |
    | rl1 -> no ip address, bridging rl2,rl1 (?)   |
    |        to local network (connected to LAN)   |
    | rl0 -> 192.168.29.1 (sharing rl2 with        |
    |        natd+dhcp for 192.168.29.0/255.255.255.0) |
    |        (connected to LAN)                    |
    +----------------------------------------------+
                    |
    +----------------------------------------------+
    | [LAN]                                        |
    | few real & virtual ip addresses with special |
    | bandwidth                                    |
    +----------------------------------------------+

    Currently the system described above is working, but somehow all the
    traffic is consumed completely and I have no idea whether the traffic goes
    within the real ip address zone (x.x.x.64/27), since there are some
    servers running there, or whether the traffic is consumed in the virtual
    network (192.168.29.0/24). Or maybe there is a virus in a computer flooding
    all the net!

    So the problems & questions:
    1) how to correctly build equally weighted traffic shaping for the network
    (x.x.x.64/27) and for (192.168.29.0/24), with a few ip address exceptions
    for both networks;
    2) how to prevent flooding the network with some kind of virus;
    3) which program to use to monitor that everything is shaping correctly;
    should I better use iftop, bandwidthd or ipfm?
    4) can I do access control per MAC address with ipfw, and how? Or should I
    use ARP tables?

    The current script for the rules is:

    #external interface
    EXTIF=rl2
    NATIF=rl0

    ipfw pipe 1 config bw 8192kbit/s

    # queue for a server using real ip
    ipfw queue 1 config pipe 1 weight 30
    ipfw add 350 queue 1 ip from x.x.x.66/32 to any out via $EXTIF
    ipfw add 351 queue 1 ip from any to x.x.x.66/32 in via $EXTIF

    # queue for real ip zone
    # "queue N config" replaces the whole queue configuration, so the weight
    # and the mask must be given in the same command (a later config line
    # with only a mask would reset the weight to its default).
    # To shape per host, the mask must keep the HOST bits of the address
    # (0x1f for a /27), not the network bits; masking both src and dst in the
    # same queue gives one dynamic queue per (local, remote) address pair.
    ipfw queue 2 config pipe 1 weight 30 mask src-ip 0x0000001f dst-ip 0x0000001f
    ipfw add 400 queue 2 ip from x.x.x.64/27 to any out via $EXTIF
    ipfw add 401 queue 2 ip from any to x.x.x.64/27 in via $EXTIF

    # queue for 192.168.29.0/24 (host bits of a /24: 0xff)
    ipfw queue 3 config pipe 1 weight 30 mask src-ip 0x000000ff dst-ip 0x000000ff
    # these two rules must reference queue 3, not queue 2
    ipfw add 500 queue 3 ip from 192.168.29.0/24 to any out via $EXTIF
    ipfw add 501 queue 3 ip from any to 192.168.29.0/24 in via $EXTIF

    I feel there are many mistakes in the script above... so, please, help.
    And another question:
    what flags should I enable or disable using sysctl?

    sysctl net.inet.ip.fw.enable=1
    sysctl net.link.ether.ipfw=1
    sysctl net.link.ether.bridge.enable=1
    sysctl net.link.ether.bridge.config="rl2 rl1" ## <-- should I add rl0 (192.168...) too?
    sysctl net.link.ether.bridge.ipfw=1
    sysctl net.inet.ip.fw.one_pass=0 # should I set this to 1?

    Hope you have an answer for at least one question.
    Thanks,
    Martins.

    _______________________________________________
    freebsd-net@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-net
    To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
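Added example, not part of the original post and not the poster's script: a complete natd+ipfw+dummynet ruleset for the layout described in the mail, showing the two points the posted script gets wrong (per-host masks that keep the host bits, and weight plus mask given in one `queue config` command) and one it does not cover: with `net.inet.ip.fw.one_pass=0` a packet re-enters the ruleset after the pipe, so outbound traffic must be queued before the `divert natd` rule (while the private source address is still visible) and inbound traffic after it, and a `skipto` is needed so the re-entering packet is not queued a second time by a broader rule. Assumptions: FreeBSD 5.x-era ipfw2/dummynet syntax; natd started with `-unregistered_only` so the routed x.x.x.64/27 block is never translated; the `x.x.x.*` placeholders are the mail's own; `IPFW` and `SYSCTL` default to `echo` so the script is a dry run that only prints the commands. MAC-address filtering (question 4) is not covered.

```shell
#!/bin/sh
# Added example (not from the original post): natd+ipfw+dummynet ruleset
# for the layout in the mail. Dry run by default: IPFW and SYSCTL are "echo";
# run with IPFW=/sbin/ipfw SYSCTL=/sbin/sysctl on the box to apply.
IPFW="${IPFW:-echo}"
SYSCTL="${SYSCTL:-echo}"

EXTIF=rl2                 # interface towards the antenna
REALNET="x.x.x.64/27"     # routed real-IP network (placeholder as in the mail)
REALSRV="x.x.x.66/32"     # the one server with its own queue
NATNET="192.168.29.0/24"  # private network behind natd
LINK_BW="8192kbit/s"      # uplink bandwidth from the mail
W=30                      # the weight the poster uses for every queue

set_sysctls() {
    $SYSCTL net.inet.ip.fw.enable=1
    # one_pass=0: a packet leaving a pipe re-enters the ruleset at the rule
    # after the one that queued it; that is what makes "queue, then divert"
    # work on the outbound side.
    $SYSCTL net.inet.ip.fw.one_pass=0
}

emit_rules() {
    $IPFW -q flush
    $IPFW -q pipe flush
    $IPFW -q queue flush

    # One pipe for the uplink; the queues share its bandwidth by weight.
    $IPFW pipe 1 config bw "$LINK_BW"

    # Per-host fairness: the mask keeps the HOST bits of the address, so each
    # host gets its own dynamic queue (0x1f for a /27, 0xff for a /24). Mask
    # the source on outbound queues and the destination on inbound queues;
    # masking both in one queue would give one queue per (local, remote) pair.
    # "queue N config" replaces the whole config, so weight and mask go together.
    $IPFW queue 1 config pipe 1 weight $W
    $IPFW queue 2 config pipe 1 weight $W mask src-ip 0x0000001f
    $IPFW queue 3 config pipe 1 weight $W mask dst-ip 0x0000001f
    $IPFW queue 4 config pipe 1 weight $W mask src-ip 0x000000ff
    $IPFW queue 5 config pipe 1 weight $W mask dst-ip 0x000000ff

    # Outbound: shape BEFORE natd so the private source is still visible to
    # the mask. After the server's queue, skip straight to the divert rule;
    # otherwise the re-entering packet also matches the /27 rule and is
    # queued a second time.
    $IPFW add 300 queue 1 ip from $REALSRV to any out via $EXTIF
    $IPFW add 301 skipto 400 ip from $REALSRV to any out via $EXTIF
    $IPFW add 310 queue 2 ip from $REALNET to any out via $EXTIF
    $IPFW add 320 queue 4 ip from $NATNET to any out via $EXTIF

    # NAT in both directions (natd -unregistered_only leaves $REALNET alone).
    $IPFW add 400 divert natd ip from any to any via $EXTIF

    # Inbound: shape AFTER natd so the destination is already the private host.
    $IPFW add 500 queue 1 ip from any to $REALSRV in via $EXTIF
    $IPFW add 501 skipto 600 ip from any to $REALSRV in via $EXTIF
    $IPFW add 510 queue 3 ip from any to $REALNET in via $EXTIF
    $IPFW add 520 queue 5 ip from any to $NATNET in via $EXTIF

    # Shaping only; filtering policy is out of scope here, so pass the rest.
    $IPFW add 600 allow ip from any to any
}

set_sysctls
emit_rules
```

Trace one packet each way to see the ordering: a host in 192.168.29.0/24 sending out hits rule 320 (queued per source host), re-enters at 321, reaches 400 and is translated; a reply coming in skips the `out via` rules, is translated at 400, re-enters at 401 with the private destination restored and is queued per destination host at 520. The server x.x.x.66 is queued once at 300 (or 500) and then jumps past the broader /27 rule via the `skipto`.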

