Keywords: ipfw, freebsd, traffic, dummynet, bandwidth, shaper
From: Pavel Ustyugov
Newsgroups: email
Date: Mon, 24 Mar 2008 18:21:07 +0000 (UTC)
Subject: Example script for automatic dummynet configuration in FreeBSD
An automatic setup script for a firewall (ipfw) + shaper (dummynet)
on a two-interface FreeBSD gateway machine. The script assumes that, apart from
the Internet gateway, there are no other services on the machine; otherwise you
will have to make the corresponding changes in the firewall. The script includes
support for the dummynet shaper. The whole configuration is done in the form of
access lists, which simplifies firewall setup for an inexperienced user; some
optimization is also provided that disables unused rules. A few other useful
things are implemented as well (see the comments in the script itself below).
Otherwise the script is based on the standard /etc/rc.firewall.
As for the use of dummynet: the channel setup may not be optimal, but it is
perfectly usable as a working variant (see man ipfw and man dummynet on tuning).
The script uses duplex channel emulation with separate bandwidth settings in
each direction, with the user channels then grouped into a collective pipe.
User IP addresses can be grouped into an arbitrary number of groups (the script
implements 3 groups; increasing the number of groups is easy), with the option
of setting the channel width for each group individually.
And a few more things: see the comments in the script.
The script is given with an example of a working configuration (the IP addresses
are fictitious).
P.S. Maybe someone will like it or it will even help someone :)
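An added example (not part of the original post or script): a dry-run check for the numbering scheme the script below relies on. It reads the `ipfw add ...` lines printed by `./rc.firewall testmode`, models ipfw's auto-numbering as the highest rule number so far plus net.inet.ip.fw.autoinc_step, and flags a fixed block number that is not above the rules already added (the previous block has grown into it, which is the failure the Numeration section warns about) and any `skipto` whose target is not ahead of the rule, since ipfw only jumps forward. The function names, the step argument and both sample rule sets are constructed for this example.

```shell
#!/bin/sh
# Dry-run validator for the "ipfw add ..." lines that rc.firewall prints in
# testmode. Added example; the ipfw auto-numbering model assumed here is:
# a rule added without a number gets (highest rule number so far + step),
# where step is net.inet.ip.fw.autoinc_step.
#
# Usage: ./rc.firewall testmode | check_ipfw_numbering - 5
check_ipfw_numbering() {
    # $1: file with testmode output ("-" for stdin); $2: autoinc_step (default 100)
    step=${2:-100}
    awk -v step="$step" '
        $1 == "ipfw" && $2 == "add" {
            n = 3
            if ($n ~ /^[0-9]+$/) {
                # explicit number: must lie above everything already added,
                # otherwise the previous auto-numbered block has overflowed into it
                num = $n + 0; n++
                if (num <= last) {
                    printf "line %d: explicit rule %d not above highest rule %d (block overflow)\n", NR, num, last
                    bad++
                }
            } else {
                num = last + step
            }
            # skipto only jumps forward: a target at or below the rule is never reached
            if ($n == "skipto") {
                target = $(n + 1) + 0
                if (target <= num) {
                    printf "line %d: skipto %d from rule %d is not a forward jump\n", NR, target, num
                    bad++
                }
            }
            if (num > last) last = num
        }
        END { exit (bad > 0) }
    ' "$1"
}

# Constructed sample: abridged testmode output in the block order of the script
# (loopback, access control at 1000, additional access control at 2000,
# shaper at 3000, NAT at 8000, final pass at 65534).
good_rules() {
cat <<'EOF'
ipfw add pass all from any to any via lo0
ipfw add deny all from any to 127.0.0.0/8
ipfw add skipto 8000 all from any to any in via xl0
ipfw add 1000 count all from any to any
ipfw add deny all from 192.168.10.15 to any in via fxp0
ipfw add skipto 2000 all from 192.168.0.0/16 to any in via fxp0
ipfw add deny all from any to any in via fxp0
ipfw add 2000 count all from any to any
ipfw add skipto 3000 all from 192.168.0.0:255.255.0.0 to 123.123.32.2 25 in via fxp0
ipfw add deny log all from 192.168.0.0:255.255.0.0 to any 25 in via fxp0
ipfw add 3000 count all from any to any
ipfw add 8000 count all from any to any
ipfw add divert natd all from any to any via xl0
ipfw add 65534 pass all from any to any
EOF
}

# Constructed sample with two blocks only 10 numbers apart: with step 5 the
# second fixed number collides with the auto-numbered rules, and the final
# skipto points backwards.
bad_rules() {
cat <<'EOF'
ipfw add 1000 count all from any to any
ipfw add deny all from 192.168.10.15 to any in via fxp0
ipfw add deny all from 192.168.10.33 to any in via fxp0
ipfw add 1010 count all from any to any
ipfw add skipto 1000 all from any to any in via fxp0
EOF
}

# Returns the number of findings for a sample function and step value.
count_findings() {
    "$1" | check_ipfw_numbering - "$2" | wc -l | tr -d ' '
}
```

With the script's recommended autoinc_step=5, the 1000-number spacing of its f_num_* blocks leaves room for about 200 auto-numbered rules per block before this check starts reporting overflow.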
# /etc/rc.firewall
# Firewall (ipfw) + shaper (dummynet) for gateway host (with natd)
# Automated ipfw setup script for FreeBSD
# v 0.7
# (CopyLeft) Pavel Ustyugov aka Pahanivo
#
################################################################################
#
# !!! WARNING !!!
#
# Misconfiguring the firewall can put your computer in an unusable state,
# possibly shutting down network services and requiring console access to
# regain control of it.
#
################################################################################
#
# Usage:
# make your own settings
# copy this file to /etc/rc.firewall
# cd /etc
# ./netstart &
#
# For testing use (only shows the list of rules, does not apply them
# to the current firewall):
# cd /etc
# chmod 744 rc.firewall
# ./rc.firewall testmode
# Warning: if you run ./rc.firewall without arguments or with any other
# argument, the firewall will be reloaded and the settings applied.
#
################################################################################
#
# Before using this firewall you need to compile the kernel with these options
# (or load some of them as modules):
#
# #IPFW (required)
# options IPFIREWALL
# #enable verbose mode (for `log` options, optional)
# options IPFIREWALL_VERBOSE
# #enable forward rules (optional)
# options IPFIREWALL_FORWARD
# #default rule - allow any to any (optional)
# options IPFIREWALL_DEFAULT_TO_ACCEPT
#
# #divert socket (required for natd)
# options IPDIVERT
#
# #dummynet shaper (required if you want to use the shaper)
# options DUMMYNET
# #enable device polling (recommended)
# #you need to enable polling on the interface too - man polling
# options DEVICE_POLLING
# #polling frequency (strongly recommended)
# options HZ=1000 (or HZ=2000)
#
################################################################################
#
# Shaper scheme (for incoming traffic)
# ##############################
#
# --------------------external interface / incoming traffic---------------------
# >                                                                            >
# > Unrestricted external resources group                                      >
# >   res1->all_users  >=================== unlimit ====================>      >
# >   res2->all_users  >=================== unlimit ====================>      >
# >   ...                                                                      >
# >                                                                            >
# > Unrestricted users group                                                   >
# >   internet->users1 >=================== unlimit ====================>      >
# I   internet->users2 >=================== unlimit ====================>      >
# N   ...                                                                      >
# C                                                                            >
# O Restricted external resources groups                                       >
# M   Group 1                                        ---+                      >
# I     res1_1->all_users \                              \                     >
# N     res1_2->all_users  >==2048Kbit/s per user==>      \                    >
# G     res1_3->all_users /                                +-----------------\ >
# >   Group 2                                              10240Kbit/s total > >
# >     res2_1->all_users \                                +-----------------/ >
# >     res2_2->all_users  >==1024Kbit/s per user==>      /                    >
# T     res2_3->all_users /                              /                     >
# R     ...                                          ---+                      >
# A                                                                            >
# F Restricted users groups                                                    >
# F   Group 1                                        ---+                      >
# I     internet->user1_1 \                              \                     >
# C     internet->user1_2  >==128Kbit/s per user==>       \                    >
# >     internet->user1_3 /                                +-----------------\ >
# >   Group 2                                              1024Kbit/s total  > >
# >     internet->user2_1 \                                +-----------------/ >
# >     internet->user2_2  >==256Kbit/s per user==>       /                    >
# >     internet->user2_3 /                              /                     >
# >     ...                                          ---+                      >
# >                                                                            >
# > Other ungrouped traffic >============== unlimit ====================>      >
# >                                                                            >
# --------------------external interface / incoming traffic---------------------
#
# The scheme for outgoing traffic is exactly analogous, but the outgoing shaper
# works on the internal interface and all traffic directions in the scheme are
# inverted. Traffic bandwidth for the incoming and outgoing shapers is set up separately.
#
################################################################################
# Setup
################################################################################
#Prepare to work
##############################
#Before using this script it is recommended to set net.inet.ip.fw.autoinc_step=5
#or less. Use sysctl or /etc/sysctl.conf
#System paths
ipfw_cmd="/sbin/ipfw"
grep_cmd="/usr/bin/grep"
dev_null="/dev/null"
################################################################################
#IPFW interfaces setup
##############################
#Interfaces setup
#Outside interface setup
oif="xl0"
onet="123.123.32.0"
omask="255.255.255.248"
oip="123.123.32.1"
#Inside interface setup
iif="fxp0"
inet="192.168.0.0"
imask="255.255.0.0"
iip="192.168.0.1"
################################################################################
#Access lists setup
##############################
#ACL - list of allowed (or denied) IPs or networks in CIDR notation.
#An ACL may contain comments, but every comment in an ACL must begin with `#`
#and must not contain any space characters (because ACLs are processed word by word).
#ACLs may be used in any of the script's loops (see below).
#Any of these ACLs may be loaded from a file. Use the "`cat /path/file_name`"
#command inside the ACL to load it from a file.
#Example:
# pass_lan_users_acl="
# 10.0.1.0/24
# 10.0.2.0/24
# `cat /etc/ALLOWED_USERS`
# "
#Denied external hosts
#You can use this to stop attacks from outside.
deny_wan_hosts_acl="
#flooder
123.123.0.233
"
#From LAN to Internet access
#Denied IPs are processed before allowed ones. Access is allowed for all IPs in
#the allowed ACL except IPs in the denied ACL.
#Denied LAN users
deny_lan_users_acl="
#stupids
192.168.10.15
192.168.10.33
"
#Allowed LAN users
pass_lan_users_acl="
192.168.0.0/16
"
#Anti-spambot protection
#Reject all connections from the LAN to any external SMTP servers,
#except the allowed servers (yes or no)
anti_spambot_enable="yes"
#Allowed SMTP servers
#If this ACL is empty, the anti-spambot feature is automatically disabled,
#and traffic to any SMTP server is allowed.
anti_spambot_allowed_servers_acl="
#own_smtp_relay
123.123.32.2
#own_smtp_relay
123.123.32.3
#provider_smtp_relay
123.123.0.11
"
#SSH
#SSH access to this server from outside
pass_ssh_acl="
#admin1
124.124.124.124
#admin2
125.125.125.125
"
#Shaper's ACLs
#Enable shaper (yes or no)
shaper_enable="yes"
#Not shaped external resources
#All LAN users will have unlimited bw to and from these IPs.
not_shaped_ext_res_acl="
#own_smtp_relay
123.123.32.2
#own_smtp_relay
123.123.32.3
#provider_smtp_relay
123.123.0.11
"
#Not shaped users
#These users will have unlimited bw from and to any.
not_shaped_users_acl="
#Admin's_net
192.168.33.0/24
"
#Shaped external resources - similar to `shaped users` (see below), but for
#specific external hosts only. Traffic matching this shaper is not processed by
#the `shaped users` shaper.
#External resource group 1
shaped_ext_res_g1_name="own_dataservers"
shaped_ext_res_g1_acl="
#own_dataservers
123.123.32.4
123.123.32.5
"
#External resource group 2
shaped_ext_res_g2_name="isp_dataservers"
shaped_ext_res_g2_acl="
#isp_dataservers
123.123.0.2
123.123.0.3
123.123.0.4
"
#External resource group 3
shaped_ext_res_g3_name="servers_3"
shaped_ext_res_g3_acl="
"
#Add more groups below
#...
#Shaped users - will have restricted bw. All other allowed users will have
#unlimited bw from any to any (except to shaped external resources). Shaped users
#are separated into groups. See below for the restriction setup for all groups.
#Groups are processed in succession: group 1, group 2, etc. Inside a group, IPs
#are processed in list order. Once an IP (or subnet) has been processed it is not
#processed again, so overlaps inside a group and between groups are not a problem.
#User group 1
shaped_users_g1_name="slow"
shaped_users_g1_acl="
#looosers
192.168.20.0/24
192.168.21.1
192.168.21.2
"
#User group 2
shaped_users_g2_name="fast"
shaped_users_g2_acl="
#BOSS
192.168.0.5
"
#User group 3
shaped_users_g3_name="default"
shaped_users_g3_acl="
192.168.0.0/16
"
#Add more groups below
#...
################################################################################
#Pipes setup (shaper)
##############################
#Shaped external resources
#External resources group 1
#Pipe's number
shaped_ext_res_g1_pipe_num_in="1011"
shaped_ext_res_g1_pipe_num_out="1012"
#BW
shaped_ext_res_g1_bw_in="3Mbit/s"
shaped_ext_res_g1_bw_out="3Mbit/s"
#Queue size, in slots or KBytes (see man ipfw).
shaped_ext_res_g1_q_in="50"
shaped_ext_res_g1_q_out="50"
#External resources group 2
#Pipe's number
shaped_ext_res_g2_pipe_num_in="1021"
shaped_ext_res_g2_pipe_num_out="1022"
#BW
shaped_ext_res_g2_bw_in="1024Kbit/s"
shaped_ext_res_g2_bw_out="1024Kbit/s"
#Queue size, in slots or KBytes (see man ipfw).
shaped_ext_res_g2_q_in="50"
shaped_ext_res_g2_q_out="50"
#External resources group 3
#Pipe's number
shaped_ext_res_g3_pipe_num_in="1031"
shaped_ext_res_g3_pipe_num_out="1032"
#BW
shaped_ext_res_g3_bw_in="512Kbit/s"
shaped_ext_res_g3_bw_out="512Kbit/s"
#Queue size, in slots or KBytes (see man ipfw).
shaped_ext_res_g3_q_in="40"
shaped_ext_res_g3_q_out="40"
#Add more groups below
#...
#Collective external resources pipe (maximum total bw for all shaped
#external resources, i.e. except not-shaped ones).
#Pipe's number
sum_shaped_ext_res_pipe_num_in="1901"
sum_shaped_ext_res_pipe_num_out="1902"
#BW
sum_shaped_ext_res_bw_in="6Mbit/s"
sum_shaped_ext_res_bw_out="6Mbit/s"
#Queue size, in slots or KBytes (see man ipfw)
sum_shaped_ext_res_q_in="50"
sum_shaped_ext_res_q_out="50"
#Personal pipe for each user (with separate by group)
#User group 1
#Pipe's number
shaped_users_g1_pipe_num_in="2011"
shaped_users_g1_pipe_num_out="2012"
#BW
shaped_users_g1_bw_in="160Kbit/s"
shaped_users_g1_bw_out="160Kbit/s"
#Queue size, in slots or KBytes (see man ipfw).
shaped_users_g1_q_in="18"
shaped_users_g1_q_out="18"
#User group 2
#Pipe's number
shaped_users_g2_pipe_num_in="2021"
shaped_users_g2_pipe_num_out="2022"
#BW
shaped_users_g2_bw_in="512Kbit/s"
shaped_users_g2_bw_out="512Kbit/s"
#Queue size, in slots or KBytes (see man ipfw).
shaped_users_g2_q_in="40"
shaped_users_g2_q_out="40"
#User group 3
#Pipe's number
shaped_users_g3_pipe_num_in="2031"
shaped_users_g3_pipe_num_out="2032"
#BW
shaped_users_g3_bw_in="256Kbit/s"
shaped_users_g3_bw_out="256Kbit/s"
#Queue size, in slots or KBytes (see man ipfw).
shaped_users_g3_q_in="25"
shaped_users_g3_q_out="25"
#Add more groups below
#...
#Collective users pipe (maximum total bw for all shaped users, i.e. except
#not-shaped ones).
#Pipe's number
sum_shaped_users_pipe_num_in="2901"
sum_shaped_users_pipe_num_out="2902"
#BW
sum_shaped_users_bw_in="768Kbit/s"
sum_shaped_users_bw_out="768Kbit/s"
#Queue size, in slots or KBytes (see man ipfw)
sum_shaped_users_q_in="50"
sum_shaped_users_q_out="50"
################################################################################
#Numeration
##############################
#All ipfw rules are split into sections. The first rule of each section
#begins with a fixed number; all other rules are numbered by ipfw according to
#net.inet.ip.fw.autoinc_step. This script uses `skipto` rules, which is why
#fixed numbers are needed. Usually you don't need to change these values,
#unless you have problems caused by a very large quantity of rules.
f_num_acb=1000
f_num_aacb=2000
f_num_outshb=3000
f_num_routshb=4000
f_num_routshb_inj=5500
f_num_uoutshb=6000
f_num_uoutshb_inj=7500
f_num_natb=8000
f_num_inshb=9000
f_num_rinshb=10000
f_num_rinshb_inj=11500
f_num_uinshb=12000
f_num_uinshb_inj=13500
f_num_stdb=14000
f_num_pcb=30000 # please read below about this
f_num_lastb=40000
################################################################################
#Auto-config
##############################
for loop in \
${shaped_ext_res_g1_acl} \
${shaped_ext_res_g2_acl} \
${shaped_ext_res_g3_acl}
do
echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
if [ $? -eq 0 ]; then
shaped_ext_res_ne_flag="yes"
break
fi
done
for loop in \
${shaped_users_g1_acl} \
${shaped_users_g2_acl} \
${shaped_users_g3_acl}
do
echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
if [ $? -eq 0 ]; then
shaped_users_ne_flag="yes"
break
fi
done
for loop in ${anti_spambot_allowed_servers_acl}
do
echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
if [ $? -eq 0 ]; then
anti_spambot_allowed_servers_ne_flag="yes"
break
fi
done
if [ -z ${anti_spambot_allowed_servers_ne_flag} ]; then
anti_spambot_enable="no"
fi
if [ -z ${shaped_ext_res_ne_flag} ] && [ -z ${shaped_users_ne_flag} ]; then
shaper_enable="no"
fi
if [ "$1" = "testmode" ]; then
ipfw_cmd="echo ipfw"
fi
################################################################################
# Firewall rules
################################################################################
#Flush all before set new rules
${ipfw_cmd} -f flush
${ipfw_cmd} -f pipe flush
${ipfw_cmd} -f queue flush
################################################################################
#Loopback rules (required)
${ipfw_cmd} add pass all from any to any via lo0 // loopback
${ipfw_cmd} add deny all from any to 127.0.0.0/8 // loopback
${ipfw_cmd} add deny all from 127.0.0.0/8 to any // loopback
###############################################################################
# Stop spoofing
${ipfw_cmd} add deny all from ${inet}:${imask} to any in via ${oif} // anti-spoofing
${ipfw_cmd} add deny all from ${onet}:${omask} to any in via ${iif} // anti-spoofing
###############################################################################
#Access control
##############################
#Denied external hosts
#Apply deny_wan_hosts_acl
for loop in ${deny_wan_hosts_acl}
do
echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
if [ $? -eq 0 ]; then
${ipfw_cmd} add deny all from $loop to any in via ${oif} // denied WAN IPs
fi
done
#Skip all incoming traffic up to divert rules
${ipfw_cmd} add skipto ${f_num_natb} all from any to any in via ${oif} // skip incoming traffic up to NAT
#Allow ICMP for all from inside
${ipfw_cmd} add skipto ${f_num_outshb} icmp from ${inet}:${imask} to any in via ${iif} // allow ICMP for any from inside
#Access from LAN
${ipfw_cmd} add ${f_num_acb} count all from any to any // begin access control block
#Allow SSH from the LAN in case you accidentally added yourself to the denied users list
for loop in ${deny_lan_users_acl}
do
echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
if [ $? -eq 0 ]; then
${ipfw_cmd} add skipto ${f_num_stdb} tcp from ${inet}:${imask} to ${iip} 22 in via ${iif} // allow SSH from LAN for allowed users
break
fi
done
#Apply deny_lan_users_acl
for loop in ${deny_lan_users_acl}
do
echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
if [ $? -eq 0 ]; then
${ipfw_cmd} add deny all from $loop to any in via ${iif} // denied LAN IPs
fi
done
#Apply pass_lan_users_acl
for loop in ${pass_lan_users_acl}
do
echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
if [ $? -eq 0 ]; then
${ipfw_cmd} add skipto ${f_num_aacb} all from $loop to any in via ${iif} // allowed LAN IPs
fi
done
#Default rule - deny all not in pass_lan_users_acl
${ipfw_cmd} add deny all from any to any in via ${iif} // deny not allowed LAN IPs
#Additional access control
${ipfw_cmd} add ${f_num_aacb} count all from any to any // begin additional access control block
case ${anti_spambot_enable} in
[Yy][Ee][Ss])
#Anti-spambot
#Apply anti_spambot_allowed_servers_acl
for loop in ${anti_spambot_allowed_servers_acl}
do
echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
if [ $? -eq 0 ]; then
${ipfw_cmd} add skipto ${f_num_outshb} all from ${inet}:${imask} to ${loop} 25 in via ${iif} // Anti-spambot - allowed servers
fi
done
${ipfw_cmd} add deny log all from ${inet}:${imask} to any 25 in via ${iif} // Anti-spambot - deny all other servers
;;
*)
;;
esac
#Stop windows flood from inside
${ipfw_cmd} add deny all from ${inet}:${imask} to ${inet}:${imask} 135,137-139,445 in via ${iif} // Stop windows flood from inside
###############################################################################
#Inject to pipes (outgoing packets)
##############################
case ${shaper_enable} in
[Yy][Ee][Ss])
${ipfw_cmd} add ${f_num_outshb} count all from any to any // begin shaper block \|out\|
if [ ! -z ${shaped_ext_res_ne_flag} ]; then
#Not shaped resources
#Apply not_shaped_ext_res_acl
for loop in ${not_shaped_ext_res_acl}
do
echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
if [ $? -eq 0 ]; then
${ipfw_cmd} add skipto ${f_num_natb} all from ${inet}:${imask} to ${loop} in via ${iif} // skip not shaped resources \|out\|
fi
done
fi
if [ ! -z ${shaped_users_ne_flag} ]; then
#Not shaped users
#Apply not_shaped_users_acl
for loop in ${not_shaped_users_acl}
do
echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
if [ $? -eq 0 ]; then
${ipfw_cmd} add skipto ${f_num_natb} all from ${loop} to any in via ${iif} // skip not shaped users \|out\|
fi
done
fi
#External resources pipes
if [ ! -z ${shaped_ext_res_ne_flag} ]; then
${ipfw_cmd} add ${f_num_routshb} count all from any to any // begin external resources shaper block \|out\|
#External resources group 1
#Apply shaped_ext_res_g1_acl
for loop in ${shaped_ext_res_g1_acl}
do
echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
if [ $? -eq 0 ]; then
${ipfw_cmd} add skipto ${f_num_routshb_inj} tag ${shaped_ext_res_g1_pipe_num_out} all from ${inet}:${imask} to ${loop} in via ${iif} // tagging \|out\|
shaped_ext_res_g1_ne_flag="yes"
fi
done
#External resources group 2
#Apply shaped_ext_res_g2_acl
for loop in ${shaped_ext_res_g2_acl}
do
echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
if [ $? -eq 0 ]; then
${ipfw_cmd} add skipto ${f_num_routshb_inj} tag ${shaped_ext_res_g2_pipe_num_out} all from ${inet}:${imask} to ${loop} in via ${iif} // tagging \|out\|
shaped_ext_res_g2_ne_flag="yes"
fi
done
#External resources group 3
#Apply shaped_ext_res_g3_acl
for loop in ${shaped_ext_res_g3_acl}
do
echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
if [ $? -eq 0 ]; then
${ipfw_cmd} add skipto ${f_num_routshb_inj} tag ${shaped_ext_res_g3_pipe_num_out} all from ${inet}:${imask} to ${loop} in via ${iif} // tagging \|out\|
shaped_ext_res_g3_ne_flag="yes"
fi
done
#Add more groups below
#...
${ipfw_cmd} add ${f_num_routshb_inj} count all from any to any // begin inject tagged to pipes block \|out\|
#Inject tagged to pipes
#Per user pipes
if [ ! -z ${shaped_ext_res_g1_ne_flag} ]; then
${ipfw_cmd} add pipe ${shaped_ext_res_g1_pipe_num_out} all from any to any in via ${iif} tagged ${shaped_ext_res_g1_pipe_num_out} // pipe \(${shaped_ext_res_g1_name}:${shaped_ext_res_g1_bw_out}:${shaped_ext_res_g1_q_out}\) \|out\|
fi
if [ ! -z ${shaped_ext_res_g2_ne_flag} ]; then
${ipfw_cmd} add pipe ${shaped_ext_res_g2_pipe_num_out} all from any to any in via ${iif} tagged ${shaped_ext_res_g2_pipe_num_out} // pipe \(${shaped_ext_res_g2_name}:${shaped_ext_res_g2_bw_out}:${shaped_ext_res_g2_q_out}\) \|out\|
fi
if [ ! -z ${shaped_ext_res_g3_ne_flag} ]; then
${ipfw_cmd} add pipe ${shaped_ext_res_g3_pipe_num_out} all from any to any in via ${iif} tagged ${shaped_ext_res_g3_pipe_num_out} // pipe \(${shaped_ext_res_g3_name}:${shaped_ext_res_g3_bw_out}:${shaped_ext_res_g3_q_out}\) \|out\|
fi
#Collective pipe
${ipfw_cmd} add pipe ${sum_shaped_ext_res_pipe_num_out} tag ${sum_shaped_ext_res_pipe_num_out} all from any to any in via ${iif} tagged ${shaped_ext_res_g1_pipe_num_out},${shaped_ext_res_g2_pipe_num_out},${shaped_ext_res_g3_pipe_num_out} // collective pipe \(${sum_shaped_ext_res_bw_out}:${sum_shaped_ext_res_q_out}\) \|out\|
${ipfw_cmd} add skipto ${f_num_natb} all from any to any in via ${iif} tagged ${sum_shaped_ext_res_pipe_num_out} // end of external resources shaper block \|out\|
fi
#User pipes
if [ ! -z ${shaped_users_ne_flag} ]; then
${ipfw_cmd} add ${f_num_uoutshb} count all from any to any // begin users shaper block \|out\|
#User group 1
#Apply shaped_users_g1_acl
for loop in ${shaped_users_g1_acl}
do
echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
if [ $? -eq 0 ]; then
${ipfw_cmd} add skipto ${f_num_uoutshb_inj} tag ${shaped_users_g1_pipe_num_out} all from ${loop} to any in via ${iif} // tagging \|out\|
shaped_users_g1_ne_flag="yes"
fi
done
#User group 2
#Apply shaped_users_g2_acl
for loop in ${shaped_users_g2_acl}
do
echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
if [ $? -eq 0 ]; then
${ipfw_cmd} add skipto ${f_num_uoutshb_inj} tag ${shaped_users_g2_pipe_num_out} all from ${loop} to any in via ${iif} // tagging \|out\|
shaped_users_g2_ne_flag="yes"
fi
done
#User group 3
#Apply shaped_users_g3_acl
for loop in ${shaped_users_g3_acl}
do
echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
if [ $? -eq 0 ]; then
${ipfw_cmd} add skipto ${f_num_uoutshb_inj} tag ${shaped_users_g3_pipe_num_out} all from ${loop} to any in via ${iif} // tagging \|out\|
shaped_users_g3_ne_flag="yes"
fi
done
#Add more groups below
#...
${ipfw_cmd} add ${f_num_uoutshb_inj} count all from any to any // begin inject tagged to pipes block \|out\|
#Inject tagged to pipes
#Per user pipes
if [ ! -z ${shaped_users_g1_ne_flag} ]; then
${ipfw_cmd} add pipe ${shaped_users_g1_pipe_num_out} all from any to any in via ${iif} tagged ${shaped_users_g1_pipe_num_out} // pipe \(${shaped_users_g1_name}:${shaped_users_g1_bw_out}:${shaped_users_g1_q_out}\) \|out\|
fi
if [ ! -z ${shaped_users_g2_ne_flag} ]; then
${ipfw_cmd} add pipe ${shaped_users_g2_pipe_num_out} all from any to any in via ${iif} tagged ${shaped_users_g2_pipe_num_out} // pipe \(${shaped_users_g2_name}:${shaped_users_g2_bw_out}:${shaped_users_g2_q_out}\) \|out\|
fi
if [ ! -z ${shaped_users_g3_ne_flag} ]; then
${ipfw_cmd} add pipe ${shaped_users_g3_pipe_num_out} all from any to any in via ${iif} tagged ${shaped_users_g3_pipe_num_out} // pipe \(${shaped_users_g3_name}:${shaped_users_g3_bw_out}:${shaped_users_g3_q_out}\) \|out\|
fi
#Collective pipe
${ipfw_cmd} add pipe ${sum_shaped_users_pipe_num_out} tag ${sum_shaped_users_pipe_num_out} all from any to any in via ${iif} tagged ${shaped_users_g1_pipe_num_out},${shaped_users_g2_pipe_num_out},${shaped_users_g3_pipe_num_out} // collective pipe \(${sum_shaped_users_bw_out}:${sum_shaped_users_q_out}\) \|out\|
${ipfw_cmd} add skipto ${f_num_natb} all from any to any in via ${iif} tagged ${sum_shaped_users_pipe_num_out} // end of users shaper block \|out\|
fi
#Add more pipe groups below
#...
;;
*)
;;
esac
###############################################################################
#Skip all outgoing traffic up to the standard rules block
${ipfw_cmd} add skipto ${f_num_stdb} all from any to any in via ${iif} // skip outgoing traffic up to standard rules block
${ipfw_cmd} add ${f_num_natb} count all from any to any // begin NAT block
#NAT rules
${ipfw_cmd} add divert natd all from any to any via ${oif} // NAT
#Stop windows flood from outside
${ipfw_cmd} add deny all from any to ${onet}:${omask} 135,137-139,445 in via ${oif} // Stop windows flood from outside
###############################################################################
#Inject to pipes (incoming packets)
##############################
case ${shaper_enable} in
[Yy][Ee][Ss])
${ipfw_cmd} add ${f_num_inshb} count all from any to any // begin shaper block \|in\|
if [ ! -z ${shaped_ext_res_ne_flag} ]; then
#Not shaped resources
#Apply not_shaped_ext_res_acl
for loop in ${not_shaped_ext_res_acl}
do
echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
if [ $? -eq 0 ]; then
${ipfw_cmd} add skipto ${f_num_stdb} all from ${loop} to ${inet}:${imask} in via ${oif} // skip not shaped resources \|in\|
fi
done
fi
if [ ! -z ${shaped_users_ne_flag} ]; then
#Not shaped users
#Apply not_shaped_users_acl
for loop in ${not_shaped_users_acl}
do
echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
if [ $? -eq 0 ]; then
${ipfw_cmd} add skipto ${f_num_stdb} all from any to ${loop} in via ${oif} // skip not shaped users \|in\|
fi
done
fi
#External resources pipes
if [ ! -z ${shaped_ext_res_ne_flag} ]; then
${ipfw_cmd} add ${f_num_rinshb} count all from any to any // begin external resources shaper block \|in\|
#External resources group 1
#Apply shaped_ext_res_g1_acl
for loop in ${shaped_ext_res_g1_acl}
do
echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
if [ $? -eq 0 ]; then
${ipfw_cmd} add skipto ${f_num_rinshb_inj} tag ${shaped_ext_res_g1_pipe_num_in} all from ${loop} to ${inet}:${imask} in via ${oif} // tagging \|in\|
fi
done
#External resources group 2
#Apply shaped_ext_res_g2_acl
for loop in ${shaped_ext_res_g2_acl}
do
echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
if [ $? -eq 0 ]; then
${ipfw_cmd} add skipto ${f_num_rinshb_inj} tag ${shaped_ext_res_g2_pipe_num_in} all from ${loop} to ${inet}:${imask} in via ${oif} // tagging \|in\|
fi
done
#External resources group 3
#Apply shaped_ext_res_g3_acl
for loop in ${shaped_ext_res_g3_acl}
do
echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
if [ $? -eq 0 ]; then
${ipfw_cmd} add skipto ${f_num_rinshb_inj} tag ${shaped_ext_res_g3_pipe_num_in} all from ${loop} to ${inet}:${imask} in via ${oif} // tagging \|in\|
fi
done
#Add more groups below
#...
${ipfw_cmd} add ${f_num_rinshb_inj} count all from any to any // begin inject tagged to pipes block \|in\|
#Inject tagged to pipes
#Per user pipes
if [ ! -z ${shaped_ext_res_g1_ne_flag} ]; then
${ipfw_cmd} add pipe ${shaped_ext_res_g1_pipe_num_in} all from any to any in via ${oif} tagged ${shaped_ext_res_g1_pipe_num_in} // pipe \(${shaped_ext_res_g1_name}:${shaped_ext_res_g1_bw_in}:${shaped_ext_res_g1_q_in}\) \|in\|
fi
if [ ! -z ${shaped_ext_res_g2_ne_flag} ]; then
${ipfw_cmd} add pipe ${shaped_ext_res_g2_pipe_num_in} all from any to any in via ${oif} tagged ${shaped_ext_res_g2_pipe_num_in} // pipe \(${shaped_ext_res_g2_name}:${shaped_ext_res_g2_bw_in}:${shaped_ext_res_g2_q_in}\) \|in\|
fi
if [ ! -z ${shaped_ext_res_g3_ne_flag} ]; then
${ipfw_cmd} add pipe ${shaped_ext_res_g3_pipe_num_in} all from any to any in via ${oif} tagged ${shaped_ext_res_g3_pipe_num_in} // pipe \(${shaped_ext_res_g3_name}:${shaped_ext_res_g3_bw_in}:${shaped_ext_res_g3_q_in}\) \|in\|
fi
#Collective pipe
${ipfw_cmd} add pipe ${sum_shaped_ext_res_pipe_num_in} tag ${sum_shaped_ext_res_pipe_num_in} all from any to any in via ${oif} tagged ${shaped_ext_res_g1_pipe_num_in},${shaped_ext_res_g2_pipe_num_in},${shaped_ext_res_g3_pipe_num_in} // collective pipe \(${sum_shaped_ext_res_bw_in}:${sum_shaped_ext_res_q_in}\) \|in\|
${ipfw_cmd} add skipto ${f_num_stdb} all from any to any in via ${oif} tagged ${sum_shaped_ext_res_pipe_num_in} // end of external resources shaper block \|in\|
fi
#User pipes
if [ ! -z ${shaped_users_ne_flag} ]; then
${ipfw_cmd} add ${f_num_uinshb} count all from any to any // begin users shaper block \|in\|
#User group 1
#Apply shaped_users_g1_acl
for loop in ${shaped_users_g1_acl}
do
echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
if [ $? -eq 0 ]; then
${ipfw_cmd} add skipto ${f_num_uinshb_inj} tag ${shaped_users_g1_pipe_num_in} all from any to ${loop} in via ${oif} // tagging \|in\|
fi
done
#User group 2
#Apply shaped_users_g2_acl
for loop in ${shaped_users_g2_acl}
do
echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
if [ $? -eq 0 ]; then
${ipfw_cmd} add skipto ${f_num_uinshb_inj} tag ${shaped_users_g2_pipe_num_in} all from any to ${loop} in via ${oif} // tagging \|in\|
fi
done
#User group 3
#Apply shaped_users_g3_acl
for loop in ${shaped_users_g3_acl}
do
echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
if [ $? -eq 0 ]; then
${ipfw_cmd} add skipto ${f_num_uinshb_inj} tag ${shaped_users_g3_pipe_num_in} all from any to ${loop} in via ${oif} // tagging \|in\|
fi
done
#Add more groups below
#...
${ipfw_cmd} add ${f_num_uinshb_inj} count all from any to any // begin inject tagged to pipes block \|in\|
#Inject tagged to pipes
#Per user pipes
if [ ! -z ${shaped_users_g1_ne_flag} ]; then
${ipfw_cmd} add pipe ${shaped_users_g1_pipe_num_in} all from any to any in via ${oif} tagged ${shaped_users_g1_pipe_num_in} // pipe \(${shaped_users_g1_name}:${shaped_users_g1_bw_in}:${shaped_users_g1_q_in}\) \|in\|
fi
if [ ! -z ${shaped_users_g2_ne_flag} ]; then
${ipfw_cmd} add pipe ${shaped_users_g2_pipe_num_in} all from any to any in via ${oif} tagged ${shaped_users_g2_pipe_num_in} // pipe \(${shaped_users_g2_name}:${shaped_users_g2_bw_in}:${shaped_users_g2_q_in}\) \|in\|
fi
if [ ! -z ${shaped_users_g3_ne_flag} ]; then
${ipfw_cmd} add pipe ${shaped_users_g3_pipe_num_in} all from any to any in via ${oif} tagged ${shaped_users_g3_pipe_num_in} // pipe \(${shaped_users_g3_name}:${shaped_users_g3_bw_in}:${shaped_users_g3_q_in}\) \|in\|
fi
#Collective pipe
${ipfw_cmd} add pipe ${sum_shaped_users_pipe_num_in} tag ${sum_shaped_users_pipe_num_in} all from any to any in via ${oif} tagged ${shaped_users_g1_pipe_num_in},${shaped_users_g2_pipe_num_in},${shaped_users_g3_pipe_num_in} // collective pipe \(${sum_shaped_users_bw_in}:${sum_shaped_users_q_in}\) \|in\|
${ipfw_cmd} add skipto ${f_num_stdb} all from any to any in via ${oif} tagged ${sum_shaped_users_pipe_num_in} // end of users shaper block \|in\|
fi
#Add more pipe groups below
#...
;;
*)
;;
esac
###############################################################################
#Standard rules
##############################
${ipfw_cmd} add ${f_num_stdb} count all from any to any // begin standard block
#Allow TCP through if setup succeeded
${ipfw_cmd} add pass tcp from any to any established // allow packets RST or ACK bits set
#Allow only secure ICMP types
${ipfw_cmd} add pass icmp from any to any icmptypes 0,3,4,8,11 // allow ICMP 0,3,4,8,11
${ipfw_cmd} add deny log icmp from any to any // deny other ICMP
#Allow IP fragments to pass through
${ipfw_cmd} add pass all from any to any frag // allow IP fragments
#Allow access to our ssh
#Allow from LAN
${ipfw_cmd} add pass tcp from ${inet}:${imask} to ${iip} 22 in via ${iif} // allow SSH from LAN
#From outside
#Apply pass_ssh_acl
for loop in ${pass_ssh_acl}
do
echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
if [ $? -eq 0 ]; then
${ipfw_cmd} add pass tcp from ${loop} to ${oip} 22 in via ${oif} // allow SSH
fi
done
# Block all other packets to port 22
${ipfw_cmd} add deny log tcp from any to ${oip},${iip} 22 // deny SSH for all other
###############################################################################
#Particular connections block
##############################
#Allow a particular connection to go through the firewall.
#The interval (f_num_pcb - f_num_lastb) must match the `punch_fw` natd
#option if you use it (man natd). It is used for the dynamic rules created by
#natd so that FTP in active mode and similar protocols work correctly through ipfw.
${ipfw_cmd} add ${f_num_pcb} count all from any to any // begin particular connection block
###############################################################################
#Last block
##############################
${ipfw_cmd} add ${f_num_lastb} count all from any to any // begin last block
# Reject and log all setup of incoming connections from the outside
${ipfw_cmd} add deny log tcp from any to ${oip} in via ${oif} setup // reject all incoming TCP connection from outside
# Allow any to any
${ipfw_cmd} add 65534 pass all from any to any // allow from any to any - the end of rules
###############################################################################
#Pipes
##############################
case ${shaper_enable} in
[Yy][Ee][Ss])
#Do not let packets leave the firewall after being injected into a pipe, so that
#later pipe rules (the collective pipes) still apply.
#Alternatively set net.inet.ip.fw.one_pass=0 via sysctl.
${ipfw_cmd} disable one_pass
#pipes config
#External resources pipes
if [ -n "${shaped_ext_res_ne_flag}" ]; then
#External resources group 1
if [ -n "${shaped_ext_res_g1_ne_flag}" ]; then
${ipfw_cmd} pipe ${shaped_ext_res_g1_pipe_num_in} config bw ${shaped_ext_res_g1_bw_in} queue ${shaped_ext_res_g1_q_in} mask dst-ip 0xffffffff
${ipfw_cmd} pipe ${shaped_ext_res_g1_pipe_num_out} config bw ${shaped_ext_res_g1_bw_out} queue ${shaped_ext_res_g1_q_out} mask src-ip 0xffffffff
fi
#External resources group 2
if [ -n "${shaped_ext_res_g2_ne_flag}" ]; then
${ipfw_cmd} pipe ${shaped_ext_res_g2_pipe_num_in} config bw ${shaped_ext_res_g2_bw_in} queue ${shaped_ext_res_g2_q_in} mask dst-ip 0xffffffff
${ipfw_cmd} pipe ${shaped_ext_res_g2_pipe_num_out} config bw ${shaped_ext_res_g2_bw_out} queue ${shaped_ext_res_g2_q_out} mask src-ip 0xffffffff
fi
#External resources group 3
if [ -n "${shaped_ext_res_g3_ne_flag}" ]; then
${ipfw_cmd} pipe ${shaped_ext_res_g3_pipe_num_in} config bw ${shaped_ext_res_g3_bw_in} queue ${shaped_ext_res_g3_q_in} mask dst-ip 0xffffffff
${ipfw_cmd} pipe ${shaped_ext_res_g3_pipe_num_out} config bw ${shaped_ext_res_g3_bw_out} queue ${shaped_ext_res_g3_q_out} mask src-ip 0xffffffff
fi
#Add more groups below
#...
#Collective pipe for external resources
${ipfw_cmd} pipe ${sum_shaped_ext_res_pipe_num_in} config bw ${sum_shaped_ext_res_bw_in} queue ${sum_shaped_ext_res_q_in}
${ipfw_cmd} pipe ${sum_shaped_ext_res_pipe_num_out} config bw ${sum_shaped_ext_res_bw_out} queue ${sum_shaped_ext_res_q_out}
fi
#Personal pipes for each user
if [ -n "${shaped_users_ne_flag}" ]; then
#User group 1
if [ -n "${shaped_users_g1_ne_flag}" ]; then
${ipfw_cmd} pipe ${shaped_users_g1_pipe_num_in} config bw ${shaped_users_g1_bw_in} queue ${shaped_users_g1_q_in} mask dst-ip 0xffffffff
${ipfw_cmd} pipe ${shaped_users_g1_pipe_num_out} config bw ${shaped_users_g1_bw_out} queue ${shaped_users_g1_q_out} mask src-ip 0xffffffff
fi
#User group 2
if [ -n "${shaped_users_g2_ne_flag}" ]; then
${ipfw_cmd} pipe ${shaped_users_g2_pipe_num_in} config bw ${shaped_users_g2_bw_in} queue ${shaped_users_g2_q_in} mask dst-ip 0xffffffff
${ipfw_cmd} pipe ${shaped_users_g2_pipe_num_out} config bw ${shaped_users_g2_bw_out} queue ${shaped_users_g2_q_out} mask src-ip 0xffffffff
fi
#User group 3
if [ -n "${shaped_users_g3_ne_flag}" ]; then
${ipfw_cmd} pipe ${shaped_users_g3_pipe_num_in} config bw ${shaped_users_g3_bw_in} queue ${shaped_users_g3_q_in} mask dst-ip 0xffffffff
${ipfw_cmd} pipe ${shaped_users_g3_pipe_num_out} config bw ${shaped_users_g3_bw_out} queue ${shaped_users_g3_q_out} mask src-ip 0xffffffff
fi
#Add more groups below
#...
#Collective users' pipe
${ipfw_cmd} pipe ${sum_shaped_users_pipe_num_in} config bw ${sum_shaped_users_bw_in} queue ${sum_shaped_users_q_in}
${ipfw_cmd} pipe ${sum_shaped_users_pipe_num_out} config bw ${sum_shaped_users_bw_out} queue ${sum_shaped_users_q_out}
fi
;;
*)
;;
esac
###############################################################################
#The end
#Skip all outgoing traffic up to the standard rules block
${ipfw_cmd} add skipto ${f_num_stdb} all from any to any in via ${iif} // skip outgoing traffic up to standard rules block
${ipfw_cmd} add ${f_num_natb} count all from any to any // begin NAT block
#NAT rules
${ipfw_cmd} add divert natd all from any to any via ${oif} // NAT
#Stop Windows flood from outside
${ipfw_cmd} add deny all from any to ${onet}:${omask} 135,137-139,445 in via ${oif} // stop Windows flood from outside
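An added example for the Pipes section above, not code from the original script: a dry-run generator for one shaped user group that shows why the script disables `one_pass` before chaining each user's personal pipe into the group's collective pipe. The interface name `em1`, the pipe numbers and the bandwidths are constructed; the rule lines that attach traffic to the pipes are this example's own and are matched on the inner interface, where user addresses are private on both sides of NAT.

```shell
#!/bin/sh
# Added example (not the original script's code): a dry-run generator for one
# shaped user group, showing the duplex scheme the script uses (one pipe per
# direction, download keyed on dst-ip and upload on src-ip so every address
# gets its own dynamic queue) and then chaining each direction into the
# group's collective pipe. The chain only works with one_pass disabled:
# with one_pass=1 a packet leaves the firewall after its first pipe and the
# collective cap is never applied. Rules match on the inner interface, where
# user addresses are still private regardless of NAT.
ipfw_cmd="echo ipfw"     # dry-run; /sbin/ipfw on a real gateway
iif="em1"                # assumed inner interface name

# bw_ok SPEC -> 0 if SPEC is a dummynet bandwidth value such as 512Kbit/s
bw_ok() {
    printf '%s\n' "$1" | grep -Eiq '^[0-9]+(bit/s|kbit/s|mbit/s|byte/s|kbyte/s|mbyte/s)?$'
}

# shape_group NET PIPE_IN PIPE_OUT BW_IN BW_OUT QUEUE SUM_IN SUM_OUT
# Emits the group's pipe configuration and rules; returns 1 on a bad value.
shape_group() {
    net=$1 pin=$2 pout=$3 bwin=$4 bwout=$5 q=$6 sumin=$7 sumout=$8
    bw_ok "$bwin" && bw_ok "$bwout" || { echo "bad bandwidth: $bwin / $bwout" >&2; return 1; }
    # per-address queues inside the group's own pipes
    ${ipfw_cmd} pipe "$pin" config bw "$bwin" queue "$q" mask dst-ip 0xffffffff
    ${ipfw_cmd} pipe "$pout" config bw "$bwout" queue "$q" mask src-ip 0xffffffff
    # download: personal pipe first, then the collective one (needs one_pass=0)
    ${ipfw_cmd} add pipe "$pin" all from any to "$net" out via ${iif}
    ${ipfw_cmd} add pipe "$sumin" all from any to "$net" out via ${iif}
    # upload: the same chain in the other direction
    ${ipfw_cmd} add pipe "$pout" all from "$net" to any in via ${iif}
    ${ipfw_cmd} add pipe "$sumout" all from "$net" to any in via ${iif}
}

# constructed sample: group 1 on 192.168.1.0/24 with pipes 11/12, collective
# pipes 1/2 shared by all groups (configured once, without a mask)
${ipfw_cmd} disable one_pass
${ipfw_cmd} pipe 1 config bw 4Mbit/s queue 100   # collective download pipe
${ipfw_cmd} pipe 2 config bw 1Mbit/s queue 100   # collective upload pipe
shape_group 192.168.1.0/24 11 12 512Kbit/s 128Kbit/s 50 1 2
```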
You just don't know how to cook IPFW and NATD. I've been using them since R2.2.1 and never had any problems. Given that address translation has for some time lived in the FreeBSD kernel, the only significant argument against natd (the extra load from context switches) has lost its relevance.
And if it's hard for you to write the forwarding rules so that services work correctly, is that really the firewall's problem?
A question: how do I make a program (a torrent client) running on the gateway itself take part in the traffic sharing through dummynet? Right now it sends its packets straight to the default gateway, i.e. it works in parallel with dummynet.
Is there a way to bind the program to the internal interface so that packets from the internal interface are forwarded to the external one, pass through NAT and dummynet, and only then go out to the Internet?
Folks, please explain to me what to do with this? Do I put it into config files? Or can it somehow be copy-pasted and run?! I've tried a couple of articles on setting up dummynet, but not one of them worked for me... P.S. and don't beat me up, I'm still a total dunce at this...