On 29.11.2011 02:36, Marek Salwerowicz wrote:
Hello after a longer break ;)
On 2011-10-01 22:02, Freddie Cash wrote:
However, you could setup split-DNS or views and just configure
everything to
connect using hostnames. It's extra work to setup, but does make things
easier down-the-road.
I've set up the DNS with views and since one month everything has been
working perfectly (I set up the firewall at small net5501 soekris box)
- thanks a lot for your help !
I am confused about one thing - I wanted to set up pipes for my DMZ
hosts (not to allow my hosts to consume all the bandwidth).
When I set up the pipes at the beginning of my firewall (before
configuring the NAT) - the whole traffic is blocked.
When I set up the pipes at the end of the firewall - they don't work (even
'ipfw show' shows no packets coming through the 'pipe' rules).
This happens because the pipe directive "permits" the packet by default and it
never reaches the nat rule afterward. I would recommend the following
approach:
first take a look at what the sysctl net.inet.ip.fw.one_pass=0 does. The
default value of 1 makes rules like pipe, nat or netgraph behave as
accept if the packet is returned from the pipe. If this variable is set to 0, then a
packet returned from the pipe continues processing from the next rule after
the one it was returned from.
So with nat for outgoing traffic it would be nice to pipe it before
nat changes the src addresses, and conversely for incoming traffic pipe
it only after nat dealiases the dst address. With this approach you will be
able to classify your packets by their real unmasked addresses and
build more flexible shaping rules.
For example, this config will allow you to distribute the available bandwidth of
the pipe evenly among all your DMZ hosts and not let one
aggressive host hog it all.
# assumes $ipfw, $dmz_subnet, $if_wan and $natip are already set in the script
sysctl net.inet.ip.fw.one_pass=0
$ipfw pipe 100 config bw 5Mbit/s queue 50
# one dynamic queue per DMZ source address, all sharing pipe 100
$ipfw queue 200 config pipe 100 mask src-ip 0xffffffff
# the nat instance must exist before the nat rule is used; assumed bound to $if_wan
$ipfw nat 100 config if $if_wan
# queue first (real src address), then nat, then allow the translated packet
$ipfw add queue 200 ip from $dmz_subnet to any out xmit $if_wan
$ipfw add nat 100 ip from $dmz_subnet to any out xmit $if_wan
$ipfw add allow ip from $natip to any out xmit $if_wan
Where should the pipe rules be placed?
Does it matter if I first do 'ipfw add pipe 1...' and then 'ipfw pipe
1 config...'?
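The ordering rule from the reply above, carried through for both directions as an added example (not code from the thread): outbound traffic is queued before nat so the queue mask sees real DMZ source addresses, inbound traffic is queued after nat so it sees real DMZ destination addresses, and a small checker confirms the order in any rule listing. The subnet, interface, NAT address and rule numbers are assumed values; the nat instance is assumed to also carry whatever redirect entries the DMZ services need (not shown).

```sh
#!/bin/sh
# Added example, not from the thread: generate a ruleset that shapes DMZ
# traffic around ipfw nat in both directions with one_pass=0.
# All addresses, interface names and rule numbers are assumed values.

# Print the rules in the order they must be applied. With
# net.inet.ip.fw.one_pass=0 a packet returned from a queue or nat action
# resumes at the next rule, so ordering decides which addresses the queue
# mask sees: real DMZ src before nat going out, real DMZ dst after nat coming in.
dmz_shaping_rules() {
    ipfw="$1" dmz="$2" wan="$3" natip="$4"
    cat <<EOF
sysctl net.inet.ip.fw.one_pass=0
$ipfw pipe 100 config bw 5Mbit/s queue 50
$ipfw pipe 101 config bw 5Mbit/s queue 50
$ipfw queue 200 config pipe 100 mask src-ip 0xffffffff
$ipfw queue 201 config pipe 101 mask dst-ip 0xffffffff
$ipfw nat 100 config if $wan
$ipfw add 1000 queue 200 ip from $dmz to any out xmit $wan
$ipfw add 1010 nat 100 ip from $dmz to any out xmit $wan
$ipfw add 1020 allow ip from $natip to any out xmit $wan
$ipfw add 2000 nat 100 ip from any to $natip in recv $wan
$ipfw add 2010 queue 201 ip from any to $dmz in recv $wan
$ipfw add 2020 allow ip from any to $dmz in recv $wan
EOF
}

# Read a rule listing on stdin (the generator's output or 'ipfw list') and
# succeed only if the outbound queue rule precedes the outbound nat rule
# and the inbound nat rule precedes the inbound queue rule.
shaping_order_ok() {
    awk '
        /queue .* out xmit/ && !qo { qo = NR }
        /nat .* out xmit/   && !no { no = NR }
        /nat .* in recv/    && !ni { ni = NR }
        /queue .* in recv/  && !qi { qi = NR }
        END { exit (qo && no && ni && qi && qo < no && ni < qi) ? 0 : 1 }'
}

# Dry run: print the commands. Pipe the same output into sh (as root on the
# firewall) to apply them, after confirming the order with shaping_order_ok.
dmz_shaping_rules "ipfw -q" 192.0.2.0/24 em0 198.51.100.1
```

After loading, 'ipfw show' should report packet counters on rules 1000 and 2010; zero counters there with traffic flowing usually means the queue rules sit on the wrong side of nat.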
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net