# Dummynet and IPFW - don't limit the bandwidth
## panikaa (Jul 25, 2012)

Hi!
I have a problem. I have a dedicated server at OVH running FreeBSD 9.0 x64, with the kernel compiled with the IPFW, Dummynet and HZ options.
Here are my kernel config, ipfw rules, kldstat and anything else needed to help me.
kldstat:

```
kldstat
Id Refs Address            Size     Name
 1    1 0xffffffff80200000 1238498  kernel
```
Kernel config:

```
#ipfw
options         IPFIREWALL                  # required for IPFW
options         IPFIREWALL_VERBOSE          # optional; logging
options         IPFIREWALL_VERBOSE_LIMIT=10 # optional; don't get too many log entries
options         IPDIVERT                    # needed for natd
options         DUMMYNET
options         HZ=1000
```
rc.conf

```
#ipfw
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"
dummynet_enable="YES"
```
ipfw.rules

```
IPF="ipfw add"
ipfw -f flush
ipfw -f pipe flush
ipfw pipe 2 config bw 2Mbit/s
ipfw pipe 3 config bw 4Mbit/s
#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag
# stateful
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any
# open port ftp (20,21), ssh (22), mail (25)
# http (80), dns (53) etc
$IPF 110 allow all from any to any 5525 in
$IPF 115 allow all from any to any 5525 out
$IPF 120 pipe 3 tcp from any to any 80 in
$IPF 134 pipe 3 tcp from any to any 80 out
# and many more...
```
sysctl.conf

```
net.link.ether.ipfw=1
```

I need help...
Thanks!

----------

## dalecosp (Jul 25, 2012)

I'm not sure I understand what the problem is that you need help with?

If you don't want to limit bandwidth, omit all the "pipe" lines.

If your pipes aren't being limited as you expect, I'm not *sure* what is wrong.  It does seem a little strange, though, to configure the pipes before they are added.  I might try moving the "pipe config" lines to a place *after* the pipe is configured.

----------

## phoenix (Jul 27, 2012)

Rules are checked in order, and the first match wins.

You are allowing all traffic out, near the start of your ruleset.

Then, at the end, you have your pipe rules, which will never match.

Check the output of `# ipfw show` to see which packets are matching.

I've found that when you want to do advanced packet filtering, like traffic shaping, you don't want to use stateful filtering. At least, not with IPFW. It gets complicated.

Also, be very specific in your rules. Include both the direction (in recv / out xmit) and the network interface.

Something like the following should do what you want:

```
IPF="ipfw"
PUB="em0"   # placeholder: set this to your public interface; the rules below use $PUB
$IPF -f flush
$IPF -f pipe flush
$IPF pipe 2 config bw 2Mbit/s
$IPF pipe 3 config bw 4Mbit/s

#loopback
$IPF add 10 allow ip from any to any via lo0
$IPF add 20 deny all from any to 127.0.0.0/8
$IPF add 30 deny all from 127.0.0.0/8 to any

$IPF add 80 allow icmp from any to any

# open port ftp (20,21), ssh (22), mail (25)
# http (80), dns (53) etc
$IPF add 100 pipe 3 tcp from any to any 20-22,25,53,80 out xmit $PUB
$IPF add 110 pipe 3 tcp from any 20-22,25,53,80 to any in recv $PUB established

$IPF add 120 pipe 2 tcp from any to any 5525 in recv $PUB
$IPF add 130 pipe 2 tcp from any 5525 to any out xmit $PUB established

...etc...
```

'pipe' can be treated like an 'allow'. The rule matches, the packet is sent to the pipe, and the search terminates.

Remove the sysctl option you listed. It enables layer-2 (ethernet) filtering, and causes every packet to be sent through the ruleset twice (once with MAC addresses, then again with IP addresses):


----------
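To check rule ordering offline before loading a ruleset, here is an added example (not code from the thread, nor part of FreeBSD): a small Python simulator of ipfw's first-match semantics over a subset of the rule syntax. It assumes `$PUB` is `em0` and uses constructed addresses, and it shows that with the original ordering an outbound HTTP packet is consumed by rule 70 (allow) and never reaches the pipe, while with the reordered rules it lands in `pipe 3`.

```python
import ipaddress

def port_match(spec, port):  # ipfw port lists: '80' or '20-22,25,53,80'
    return any(int(a) <= port <= int(b or a) for a, _, b in (s.partition("-") for s in spec.split(",")))

def parse_rule(line):  # subset of 'ipfw add' syntax: action, proto, from/to, ports, in/out, iface, established
    t = line.split()
    r = {"num": int(t[0]), "action": t[1], "proto": "ip", "src": "any", "sport": None,
         "dst": "any", "dport": None, "dir": None, "iface": None, "established": False}
    i = 2
    if r["action"] == "pipe":                      # 'pipe N' is a two-token action
        r["action"] += " " + t[2]; i = 3
    if i < len(t) and t[i] in ("all", "ip", "tcp", "udp", "icmp"):
        r["proto"] = "ip" if t[i] == "all" else t[i]; i += 1
    if i < len(t) and t[i] == "from":
        r["src"] = t[i + 1]; i += 2
        if t[i][0].isdigit(): r["sport"] = t[i]; i += 1
        r["dst"] = t[i + 1]; i += 2
        if i < len(t) and t[i][0].isdigit(): r["dport"] = t[i]; i += 1
    rest = t[i:]
    r["dir"] = next((d for d in rest if d in ("in", "out")), None)
    for k in ("via", "recv", "xmit"):               # simplified: each just pins the interface name
        if k in rest: r["iface"] = rest[rest.index(k) + 1]
    r["established"] = "established" in rest
    return r

def matches(r, p):  # static match only; dynamic keep-state entries are not modelled
    return (r["action"] != "check-state"
            and r["proto"] in ("ip", p["proto"])
            and all(r[a] == "any" or ipaddress.ip_address(p[a]) in ipaddress.ip_network(r[a]) for a in ("src", "dst"))
            and (r["sport"] is None or port_match(r["sport"], p["sport"]))
            and (r["dport"] is None or port_match(r["dport"], p["dport"]))
            and r["dir"] in (None, p["dir"]) and r["iface"] in (None, p["iface"])
            and (not r["established"] or p["established"]))

def first_match(rules, p):
    """ipfw semantics: rules are walked in numeric order and the first match ends the search."""
    for r in sorted(map(parse_rule, rules), key=lambda r: r["num"]):
        if matches(r, p):
            return r["num"], r["action"]
    return None, "deny"  # implicit rule 65535 denies unless the kernel has IPFIREWALL_DEFAULT_TO_ACCEPT

# Constructed samples: the thread's two orderings reduced to the rules that matter; $PUB assumed to be em0.
ORIGINAL = ["10 allow all from any to any via lo0", "60 allow tcp from any to any established",
            "70 allow all from any to any out keep-state", "134 pipe 3 tcp from any to any 80 out"]
REORDERED = ["10 allow ip from any to any via lo0",
             "100 pipe 3 tcp from any to any 20-22,25,53,80 out xmit em0"]
HTTP_OUT = {"proto": "tcp", "src": "203.0.113.5", "sport": 40000, "dst": "198.51.100.7",
            "dport": 80, "dir": "out", "iface": "em0", "established": False}
```

`first_match(ORIGINAL, HTTP_OUT)` returns `(70, 'allow')`, so the pipe rule is shadowed; `first_match(REORDERED, HTTP_OUT)` returns `(100, 'pipe 3')`.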

