# PF + Dummynet + FreeBSD 8.2 problem



## msurucu (Jul 8, 2011)

Hello,

I used PF and dummynet together about two years and worked fine. 
Recently i have upgraded the system 7.2 to 8.2 and dummynet doesn't work anymore.
If any packet belong the client IP puts any pipe, it drops and pflog says it blocked by last pf rule. But it match previous rule.
If i disable (flush) the ipfw rules, packets pass normally.

Does anybody have same experience?


```
#tcpdump -nettt -i pflog0 -s 256 | grep [B]10.10.10.251[/B]
00:00:00.127448 rule 471/0(match): block in on bce1: 74.209.160.12.80 > [B]10.10.10.251[/B].60622: Flags [S.], seq 626280344, ack 4278536801, win 32768, options [mss 1460,nop,wscale 0], length 0
00:00:00.054181 rule 471/0(match): block in on bce1: 74.209.160.12.80 > [B]10.10.10.251[/B].60622: Flags [S.], seq 626280344, ack 4278536801, win 32768, options [mss 1460,nop,wscale 0], length 0
00:00:00.000935 rule 471/0(match): block in on bce1: 74.209.160.12.80 > [B]10.10.10.251[/B].60622: Flags [S.], seq 626280344, ack 4278536801, win 32768, options [mss 1460,nop,wscale 0], length 0
00:00:00.217543 rule 471/0(match): block in on bce1: 74.209.160.12.80 > [B]10.10.10.251[/B].60622: Flags [S.], seq 626280344, ack 4278536801, win 32768, options [mss 1460,nop,wscale 0], length 0
```


```
#pfctl -vvsr
@471 block drop in log on bce1 all
  [ Evaluations: 16084     Packets: 5254      Bytes: 432799      States: 0     ]
  [ Inserted: uid 0 pid 17409 ]
@472 block drop out log on bce1 all
  [ Evaluations: 19982     Packets: 14717     Bytes: 1078591     States: 0     ]
  [ Inserted: uid 0 pid 17409 ]
```


```
#uname -a
FreeBSD blabla.com 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Fri Jul  8 17:04:18 EEST 2011     root@blabla.com:/usr/src/sys/amd64/compile/FW2KERNEL3  amd64
```


```
#cat FW2KERNEL3
...
options IPFIREWALL
#options IPSTEALTH
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_FORWARD
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=50
options DUMMYNET
options HZ=8000
```


```
#cat /etc/rc.conf
...
pf_enable="YES"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pf_rules="/etc/pf.conf"
firewall_enable="YES"
firewall_type="open"
firewall_script="/etc/ipfw.rules"
firewall_logging="YES"
...
```


```
#cat pf.conf
#
#
###
### MACROS
###
#
dis_uc="bce1"
ic_uc="bce0"
TCP_FLAGS=""
KS="keep state"
tcp_services_in="{ 5004, 6891:6900, 9000 }"
utorrent_in="{ 22588 }"
tcp_services_out = "{ 23, www, auth, pop3, pop3s ... }
udp_services_out = "{ pop3s, imaps, ... }"
denied_services = "{ 113, 137, 138, 139 }"
icmp_types = "{ echoreq, unreach }"
...
### OPTIONS
###
#
set limit states      10000000
set limit src-nodes      50000
set limit frags          10000
set limit tables          5000
set limit table-entries 250000
###
### NORMALIZATION
###
scrub   in   all
scrub   out  all
###
### NAT
###
...
nat on $dis_uc from [B]10.10.10.0[/B]/24  to any ->  SOME.IP/32      
...
###
### FILTER
###
...
pass out quick on $dis_uc inet proto tcp from any to any port $tcp_services_out $TCP_FLAGS $KS
pass out quick on $dis_uc inet proto udp from any to any port $udp_services_out $KS
...
block in log on $dis_uc all
block out log on $dis_uc all
```


```
#cat /etc/ipfw.rules
#!/bin/sh
ipfw -q -f flush
cmd="ipfw -q add"
cmd2="ipfw -q"
$cmd2 table 1 flush
$cmd2 table 1 add [B]10.10.10.251[/B]/32
$cmd2 pipe flush
$cmd pipe 1 ip from any to "table(1)" in
$cmd2 pipe 1 config bw 13Mbit/s
```

If i disable last input rule "block in log on $dis_uc all", then *10.10.10.251* has 12-13 Mbit limit.

Sorry for poor English.


----------



## msurucu (Jul 13, 2011)

Any suggestions?


----------



## msurucu (Jul 15, 2011)

*Solved*

I tried many configurations, one of them work.





Uploaded with ImageShack.us


----------



## SirDice (Jul 15, 2011)

Don't use two different firewalls. Use either PF/ALTQ or IPFW/Dummynet, not a combination of both.


----------



## msurucu (Jul 15, 2011)

A combination of both better than one of them 
ALTQ doesn't have bw limit per IP, so i must use dummynet for my network.
IPFW is good firewall but natd is not good solution for NAT process.
And about 4 or 5 years, it has worked very well.
(PFSense use same combination but include some hacking)


----------



## SirDice (Jul 15, 2011)

msurucu said:
			
		

> A combination of both better than one of them


You'll run into some very odd interactions, as you've already found out.


----------

