# Which one best suits my requirements



## Amanat (Feb 17, 2010)

I want to install a firewall on my FreeBSD gateway server, with transparent Squid.

I want MAC and IP blocking, transparent Squid, CoS, QoS, bandwidth shaping, P2P blocking, and SquidGuard or DansGuardian.

I want to opt for PF, with ALTQ.

Which one would you suggest with all the above functionalities?

Either PF or IPFW?

Please be precise.

Warm Regards!


----------



## SirDice (Feb 17, 2010)

Blocking MAC addresses is useless. It's also not possible with either firewall. Not easily anyway.


----------



## aragon (Feb 17, 2010)

ipfw can match on MAC address.  Read ipfw(8).

But you can use ipfw and pf together too... as well as do MAC address filtering in squid itself.


----------



## Amanat (Feb 17, 2010)

SirDice said:

> Blocking MAC addresses is useless. It's also not possible with either firewall. Not easily anyway.



Using tables in PF, it seems possible.


----------



## DutchDaemon (Feb 17, 2010)

Do you have a bridged network then? Then again: MAC address spoofing is easy as pie.


----------



## phoenix (Feb 17, 2010)

SirDice said:

> Blocking MAC addresses is useless. It's also not possible with either firewall. Not easily anyway.



It's actually fairly easy to do with IPFW, but the syntax is a little hard on the eyes. IP addresses are listed "from source to dest", but MAC is listed "dest src".


```
# MAC addresses to block
# These only take effect if sysctl net.link.ether.ipfw=1
BAD_MACS_F=" { MAC any 00:1E:68:C7:B7:AF or MAC any 00:11:24:3E:FA:86 }"
BAD_MACS_R=" { MAC 00:1E:68:C7:B7:AF any or MAC 00:11:24:3E:FA:86 any }"


# Block Internet access by MAC address
# Allow ARP traffic                   
$IPFW add 4 allow ip from any to any layer2 mac-type arp

# Block ethernet traffic from specific MAC addresses (note: MACs are listed in "dest src" order)
$IPFW add 5 deny ip from any to any $BAD_MACS_F in recv $PRIVATE                                

# Block ethernet traffic to specific MAC addresses (note: MACs are listed in "dest src" order)
$IPFW add 6 deny ip from any to any $BAD_MACS_R out xmit $PRIVATE                             

# Allow ethernet traffic
$IPFW add 7 allow ip from any to any MAC any any
```


----------



## Amanat (Feb 18, 2010)

DutchDaemon said:

> Do you have a bridged network then? Then again: MAC address spoofing is easy as pie.


Yes, I am doing NAT for my large network, using a single public IP.


----------



## SirDice (Feb 18, 2010)

Amanat said:

> Yes, I am doing NAT for my large network, using a single public IP.



NAT != bridge


----------



## DutchDaemon (Feb 18, 2010)

Indeed. MAC address tagging and handling can only be done on a bridge: http://www.openbsd.org/faq/pf/tagging.html#ethernet


----------



## Amanat (Feb 18, 2010)

Yes, dear, NAT != bridge. Sorry, I am using NAT.

By this technique we can allow a list of clients which are allowed:


```
client_out = "{ ftp-data, ftp, ssh, domain, pop3, auth, nntp, http,https, 446, cvspserver, 2628, 5999, 8000, 8080 }"
```


```
table <clients> persist file "/etc/clients"
pass inet proto tcp from <clients> to any port $client_out \
         flags S/SA keep state
```

But I can't use this, because I have more than a thousand clients.
Now doing its opposite:

1.

```
table <clients> persist file "/etc/clients"
block inet proto tcp from <clients> to any port $client_out
```

2.

```
table <clients> persist file "/etc/clients"
block inet proto tcp from <clients> to any port $client_out \
         flags S/SA keep state
```
or
3.

```
table <clients> persist file "/etc/clients"
block drop in quick on $int_if from <clients> to any
```

Which one is best? Any good combination of all three???

Will it work for putting all MACs in a file, e.g. "/etc/blocked-mac-add",

where "/etc/blocked-mac-add" contains MAC addresses,

e.g

```
1A:2B:3D:4D:5D:6D
1A:2B:3D:4D:5D:7D
```

Any suggestions and ideas!


----------



## DutchDaemon (Feb 19, 2010)

You lost me completely.


----------



## Amanat (Feb 19, 2010)

After googling, I came to know that a bridge will be the solution.

Does IPFW have a tabling technique? Because I didn't find one.


----------



## DutchDaemon (Feb 19, 2010)

If you decide to use a bridge, you might as well use pf with tables.
If you decide to use ipfw, you might as well stick with NAT.

http://forums.freebsd.org/showthread.php?t=5896


----------



## Amanat (Feb 19, 2010)

It was very nice; I read several tutorials and howtos for PF. For the time being I prefer PF, and for bridge I'm confused.

PF supports reading from files, while IPFW doesn't.

IPFW allows MAC filtering but PF doesn't.

Bridge with PF is new for me, as I am not much familiar with PF.

I want to ask: what will be the combination?

I put these two in /etc/rc.conf:

```
squid_enable="YES"
pf_enable="YES"
```

then use `kldload pf`,

then use `pfctl -e`,

then insert some rules in pf.conf,

e.g.

```
rdr on rl0 proto tcp from 172.21.0.0/24 to !172.21.0.0/24 port 80  -> 127.0.0.1    port 3129
```

and transparent Squid starts working.

Do I need NAT in combination with the above command? As the above line is working, I think it is of no need; what do you people say?

I am using both:


```
# NAT for Local Area Network (LAN)
nat on xl0 inet from rl0 to any -> xl0
```

Are both necessary or not?

If not, how can I add a bridge? If I use a bridge, do I have to remove NAT or not?

Regards!


----------



## DutchDaemon (Feb 19, 2010)

Amanat, time you read this: *Posting and Editing in the FreeBSD Forums*. Please stop playing with colours and use proper formatting tags for system output and such.


----------



## Amanat (Feb 19, 2010)

DutchDaemon said:

> Amanat, time you read this: *Posting and Editing in the FreeBSD Forums*. Please stop playing with colours and use proper formatting tags for system output and such.



Thanks! You will find the next post with tags.


----------



## DutchDaemon (Feb 19, 2010)

If you allow no traffic out, except (non-SSL) web traffic, you won't need NAT. Squid will listen on 127.0.0.1 and use the external connection to get web pages from the Internet. You don't even need IP-forwarding in that scenario. If you want to allow http*s* as well (which *cannot* be proxied *transparently*), you'll need NAT and IP-forwarding. If you want to allow _any other non-http_ traffic, you'll need NAT and IP-forwarding.

Except for NAT, the same goes for a bridge setup, which does need a special route-to statement to allow transparent proxying (it's on the forums somewhere).

Tip: get a grasp of these concepts before you start asking more questions. It's very difficult to explain stuff that presupposes some fundamental knowledge of routing. There's tons of docs out there, and you can't rely on these forums for your entire education, and nobody wants to read and troubleshoot every config option and each pf.conf version you use ...


----------
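To make the three cases in DutchDaemon's post concrete, here is an added example in shell (not a configuration from the thread or from any of the posters) that generates the pf.conf for the NAT plus transparent Squid variant: port 80 from the LAN is redirected to Squid on 127.0.0.1, everything else (HTTPS included, since TLS cannot be intercepted this way) goes out through NAT, and IP forwarding is switched on. The interface names xl0/rl0, the LAN prefix and the Squid port are assumptions carried over from Amanat's earlier rules and passed in as arguments; the generator writes the configuration to stdout so it can be reviewed and syntax-checked with `pfctl -nf` before it is loaded.

```shell
#!/bin/sh
# Added example, not from the thread: generate the pf.conf for a NAT gateway
# that hands plain HTTP from the LAN to a local transparent Squid and NATs
# everything else (HTTPS and non-HTTP traffic). Interface names, the LAN
# prefix and the Squid port are assumptions passed in as arguments.
set -eu

# gen_pf_conf EXT_IF INT_IF LANNET SQUID_PORT  -> pf.conf text on stdout
gen_pf_conf() {
    ext_if=$1 int_if=$2 lannet=$3 squid_port=$4
    cat <<EOF
ext_if = "$ext_if"
int_if = "$int_if"
lannet = "$lannet"
squid_port = "$squid_port"

set skip on lo0
scrub in all

# Plain HTTP from the LAN to anything outside the LAN is redirected to Squid,
# which must listen with "http_port $squid_port transparent" (or intercept).
# Port 443 is deliberately not here: TLS cannot be intercepted this way.
rdr on \$int_if inet proto tcp from \$lannet to !\$lannet port 80 -> 127.0.0.1 port \$squid_port

# Everything else the LAN sends out is NATed behind the external address,
# which only leaves the box when net.inet.ip.forwarding is 1.
nat on \$ext_if inet from \$lannet to any -> (\$ext_if)

block log all
pass in on \$int_if inet from \$lannet to any keep state
pass out on \$ext_if inet keep state
# Squid's upstream fetches leave from the gateway's own address and match the
# rule above, so pf cannot attribute that web traffic to individual clients.
EOF
}

# Only needed when NAT is in play (HTTPS or any non-HTTP traffic); a
# port-80-only gateway that hands everything to Squid works without it.
enable_forwarding() {
    sysctl net.inet.ip.forwarding=1
}

# Syntax-check the candidate file first; pf keeps the old ruleset if it fails.
install_pf_conf() {
    pfctl -nf "$1" && pfctl -f "$1"
}

# Example invocation (run as root on the gateway):
#   gen_pf_conf xl0 rl0 10.0.0.0/8 3128 > /etc/pf.conf.new
#   enable_forwarding && install_pf_conf /etc/pf.conf.new
```

The last comment inside the generated ruleset matters for the shaping question that comes up later in the thread: with interception, web fetches are made by Squid from the gateway's address, so a per-client pf queue keyed on the LAN IP never sees them, and per-client control of that traffic has to live in Squid itself (delay pools) rather than in ALTQ.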



## Amanat (Feb 19, 2010)

Dear all,

I found a step-by-step howto on PF and ALTQ HFSC; I need your expert opinion before deploying it.

http://www.tutorialized.com/view/tutorial/FreeBSD-Router-with-Traffic-Shaping-with-PF-and-ALTQ-HFSC/36101

Comments, please!


----------



## DutchDaemon (Feb 19, 2010)

Why don't you just try it out? We can't (and won't) decide for you every step of the way..


----------



## Amanat (Feb 19, 2010)

DutchDaemon said:

> If you allow no traffic out, except (non-SSL) web traffic, you won't need NAT. Squid will listen on 127.0.0.1 and use the external connection to get web pages from the Internet. You don't even need IP-forwarding in that scenario. If you want to allow http*s* as well (which *cannot* be proxied *transparently*), you'll need NAT and IP-forwarding. If you want to allow _any other non-http_ traffic, you'll need NAT and IP-forwarding.
> 
> Except for NAT, the same goes for a bridge setup, which does need a special route-to statement to allow transparent proxying (it's on the forums somewhere).
> 
> Tip: get a grasp of these concepts before you start asking more questions. It's very difficult to explain stuff that presupposes some fundamental knowledge of routing. There's tons of docs out there, and you can't rely on these forums for your entire education, and nobody wants to read and troubleshoot every config option and each pf.conf version you use ...



Sir,

Using a Squid ARP ACL I am blocking MAC addresses, and using PF I am doing NAT and transparent proxying.

I have completed setting up my FreeBSD transparent proxy server with Squid + delay pools + PF + NAT.

The thing left is bandwidth shaping. Using delay pools in Squid I can control the download rate, but I cannot manage upload. I want to manage it using PF ALTQ HFSC, if possible, as I found the tutorial. The link I already mentioned; again, it is http://www.tutorialized.com/view/tutorial/FreeBSD-Router-with-Traffic-Shaping-with-PF-and-ALTQ-HFSC/36101
I need your expert opinion on this tutorial.

Regards!


----------



## Amanat (Feb 19, 2010)

DutchDaemon said:

> Why don't you just try it out? We can't (and won't) decide for you every step of the way..



With apologies, sir, I just wanted comments from anybody.


----------



## DutchDaemon (Feb 19, 2010)

You got them. The experimenting and deciding is up to you.


----------



## Amanat (Feb 19, 2010)

Sure, sir. I will be posting my firewall when I finish, so that you people may just have a look and suggest changes if required. I am a newbie to PF, and there must be improvements, as the improvement window/door is always open.

Let me complete.


----------



## phoenix (Feb 19, 2010)

Amanat said:

> PF supports reading from files, while IPFW doesn't.



Not true. IPFW is just a command, like any other. Which means you can wrap it up in a shell script and do anything you want.

You can make things as simple as you want (just put everything into one file, like /etc/rc.firewall does it).  Or as complex as you want (my firewalls have multiple scripts with a separate configuration file and a tables file).

IOW, if you want to put a list of IPs into a separate text file, then have IPFW use that to generate block rules, you can.


----------
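As an added example that is not part of the thread and not one of phoenix's own scripts: the shell script below does what the two posts from phoenix describe, reading a plain text list of MAC addresses (like the /etc/blocked-mac-add file Amanat asks about) and emitting the IPFW layer-2 deny rules, with the MAC operands in the "dst src" order phoenix points out. The file path, the interface name rl0 and the rule numbers are assumptions, and the MAC addresses in the usage note are made up. By default it only prints the ipfw commands; set IPFW=ipfw to apply them. Each list entry is validated against a strict MAC pattern before it becomes rule text, so a malformed or tampered line aborts the run instead of producing a rule nobody intended. Two caveats the thread already makes still apply: the rules only take effect with net.link.ether.ipfw=1, and a MAC address is trivially spoofed, so this is a convenience control rather than an access control.

```shell
#!/bin/sh
# Added example, not from the thread: turn a plain text list of MAC addresses
# into IPFW layer-2 deny rules, the way phoenix's BAD_MACS_F/BAD_MACS_R pairs
# do by hand. File path, interface name and rule numbers are assumptions.
# Set IPFW=ipfw to apply the rules; the default only prints the commands.
set -eu

IPFW=${IPFW:-"echo ipfw"}

# Accept only a well-formed colon-separated MAC. Anything else in the list
# file is rejected so a stray line cannot turn into unintended rule text.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# gen_mac_block_rules LISTFILE IFACE FIRSTRULE
# Emits one deny pair per MAC. ipfw writes MAC operands as "dst src", so
# blocking frames *from* a host is "MAC any <host>" on the inbound rule and
# "MAC <host> any" on the outbound rule. Blank lines and "#" comments are
# skipped; any other non-MAC line aborts with a non-zero exit status.
# These rules only have an effect when sysctl net.link.ether.ipfw=1.
gen_mac_block_rules() {
    listfile=$1 iface=$2 num=$3
    # ARP must keep flowing or the blocked hosts' neighbours break too.
    $IPFW add "$num" allow ip from any to any layer2 mac-type arp
    num=$((num + 1))
    while IFS= read -r line || [ -n "$line" ]; do
        mac=${line%%#*}                                   # drop trailing comment
        mac=$(printf '%s' "$mac" | tr -d '[:space:]')     # drop whitespace
        if [ -z "$mac" ]; then
            continue                                      # blank or comment-only
        fi
        if ! valid_mac "$mac"; then
            echo "rejecting malformed entry: $line" >&2
            return 1
        fi
        $IPFW add "$num" deny ip from any to any MAC any "$mac" in recv "$iface"
        num=$((num + 1))
        $IPFW add "$num" deny ip from any to any MAC "$mac" any out xmit "$iface"
        num=$((num + 1))
    done < "$listfile"
    # Everything else at layer 2 passes; the IP-level rules come after this.
    $IPFW add "$num" allow ip from any to any MAC any any
}

# Example invocation with a constructed list (made-up addresses):
#   printf '00:1E:68:C7:B7:AF\n00:11:24:3E:FA:86  # lab box\n' > /etc/blocked-mac-add
#   gen_mac_block_rules /etc/blocked-mac-add rl0 4           # dry run, prints rules
#   IPFW=ipfw gen_mac_block_rules /etc/blocked-mac-add rl0 4 # applies them
```

Because the generator is a shell function, it can be sourced from an rc.firewall-style script exactly as phoenix suggests, and the list file can be edited without touching the rule logic. Running it with the default dry-run setting first and diffing the output against `ipfw list` is a cheap way to catch a typo before the rules go live on the LAN interface.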



## Amanat (Feb 22, 2010)

*why the traffic is going out default queue*

I am posting my firewall; all the traffic is going in and out using the default queue.

Am I doing something wrong?


```
# Macros
# Interfaces
ext_if = "xl0"
int_if = "rl0"

# IP addresses
bsd    = "10.0.0.12/32"
ext_ip = "111.111.111.112/32"
pc1    = "10.0.47.48"
pc2    = "10.0.47.50"
extnet = "111.111.111.0/27"
lannet = "10.0.0.0/8"

# Options
# Define a policy for blocking packets
set block-policy drop

# The behavior of the packet filter using the state table
set state-policy floating

# Log interface
set loginterface $ext_if

# Set the type of optimization
set optimization normal

# Skip filtering on the loopback interface
set skip on lo0

# Normalization of all inbound traffic on all interfaces
scrub in all

# Queueing
altq on $ext_if hfsc bandwidth 10Mb queue { pc1_up, pc2_up, def_up }
altq on $int_if hfsc bandwidth 10Mb queue { pc1_down, pc2_down, def_down }

queue pc1_up   bandwidth 2Mb priority 6 hfsc(realtime 1Mb linkshare 50% upperlimit 2Mb)
queue pc1_down bandwidth 2Mb priority 6 hfsc(realtime 1Mb linkshare 50% upperlimit 2Mb)

queue pc2_up   bandwidth 2Mb priority 5 hfsc(realtime 1Mb linkshare 40% upperlimit 2Mb)
queue pc2_down bandwidth 2Mb priority 5 hfsc(realtime 1Mb linkshare 40% upperlimit 2Mb)

queue def_up   bandwidth 128Kb priority 0 hfsc(realtime 128Kb linkshare 10% upperlimit 256Kb default)
queue def_down bandwidth 128Kb priority 0 hfsc(realtime 128Kb linkshare 10% upperlimit 256Kb default)

# NAT & RDR
# NAT for Local Area Network (LAN)
nat on $ext_if inet from $lannet to any -> $ext_ip

# Send the local Internet users to Squid.
rdr on $int_if proto tcp from $lannet to any port www -> 127.0.0.1 port 3128

# Filter rules

# Block all
block log all

# Allow icmp
pass inet proto icmp icmp-type echoreq

# Allow DNS from the LAN to this host
pass in on $int_if proto udp from $lannet to $bsd port domain

# Allow SSH on the internal and external interfaces
pass in on $int_if proto tcp from $lannet to $bsd port ssh
pass in on $ext_if proto tcp from any to $ext_if port ssh

# Test the full output for debugging
pass in on $int_if from $lannet to any

# Pass rules, shaping for PC1
pass in quick on $ext_if from any to $pc1
pass out quick on $int_if from any to $pc1 queue pc1_down

pass in quick on $int_if from $pc1 to any
pass out quick on $ext_if from $pc1 to any queue pc1_up

# Pass rules, shaping for PC2
pass in quick on $ext_if from any to $pc2
pass out quick on $int_if from any to $pc2 queue pc2_down

pass in quick on $int_if from $pc2 to any
pass out quick on $ext_if from $pc2 to any queue pc2_up

# Allow the gateway full output on both interfaces
pass out on $ext_if proto tcp from any to any
pass out on $ext_if proto udp from any to any keep state
pass out on $int_if proto tcp from any to any
pass out on $int_if proto udp from any to any keep state
```


All of my network traffic including pc1, pc2 and lannet is going through default queue.

Plz correct me where i am doing mistake.


----------



## DutchDaemon (Feb 22, 2010)

For starters, you need queue statements on your 'pass in' rules as well, or return traffic caused by those rules will not be queued properly.


----------



## Amanat (Feb 22, 2010)

DutchDaemon said:

> For starters, you need queue statements on your 'pass in' rules as well, or return traffic caused by those rules will not be queued properly.



Nice to see the new edit button.

Sir, this is what I got:


```
# Pass rules, shaping for PC1
pass in quick on $ext_if from any to $pc1 queue pc1_down   # added
pass out quick on $int_if from any to $pc1 queue pc1_down

pass in quick on $int_if from $pc1 to any queue pc1_up     # added
pass out quick on $ext_if from $pc1 to any queue pc1_up

# Pass rules, shaping for PC2
pass in quick on $ext_if from any to $pc2 queue pc2_down   # added
pass out quick on $int_if from any to $pc2 queue pc2_down

pass in quick on $int_if from $pc2 to any queue pc2_up     # added
pass out quick on $ext_if from $pc2 to any queue pc2_up
```

I made the changes marked "added" (the queue statements on the 'pass in' rules), but it is still the same.

Am I doing this right? If not, please send me a link to any working solution from the internet, if there is one, so I can understand how it works (HFSC).

Regards!


----------



## Amanat (Feb 24, 2010)

Thanks to all who supported in every aspect. The experts on this forum are doing very well. Good job!

A tutorial with working examples will be updated on Computer Scientists at Pakistan blog soon.

Warm Regards!


----------



## vitalic (Mar 20, 2011)

Amanat said:

> Thanks to all who supported in every aspect. The experts on this forum are doing very well. Good job!
> 
> A tutorial with working examples will be updated on Computer Scientists at Pakistan blog soon.
> 
> Warm Regards!



Hi. I see you solved your problem. Can you post your ruleset here? I have the same problem.

Thanks!


----------



## Amanat (Mar 20, 2011)

*available*

http://blog.csatpk.com/tag/freebsd/page/3/


----------

