using pf for packet filtering and ipfw's dummynet for bandwidth limiting at the same time

Posted by krdx on Server Fault
Published on 2014-08-25T00:29:42Z Indexed on 2014/08/25 4:22 UTC
Hit count: 514


I would like to ask if it's fine to use pf for all packet filtering (including using altq for traffic shaping) and ipfw's dummynet for bandwidth limiting certain IPs or subnets at the same time.

I am using FreeBSD 10 and I couldn't find a definitive answer to this. Googling returns such results as:

  • It works
  • It doesn't work
  • Might work but it's not stable and not recommended
  • It can work as long as you load the kernel modules in the right order
  • It used to work but with recent FreeBSD versions it doesn't
  • You can make it work provided you use a patch from pfsense

Then there's a mention that this patch might have been merged back into FreeBSD, but I can't find it.

One certain thing is that pfsense uses both firewalls simultaneously, so the question is: is it possible with stock FreeBSD 10 (and where to obtain the patch if it's still necessary)?

For reference, here's a sample of what I have for now and how I load things:

/etc/rc.conf

ifconfig_vtnet0="inet 80.224.45.100 netmask 255.255.255.0 -rxcsum -txcsum"
ifconfig_vtnet1="inet 10.20.20.1 netmask 255.255.255.0 -rxcsum -txcsum"
defaultrouter="80.224.45.1"
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
pf_enable="YES"
pf_rules="/etc/pf.conf"

/etc/pf.conf

WAN1="vtnet0"
LAN1="vtnet1"

set skip on lo0
set block-policy return

# reassemble fragments on both interfaces before any rule sees them
scrub on $WAN1 all fragment reassemble
scrub on $LAN1 all fragment reassemble

# altq/hfsc shaping on the WAN link: ssh initiated by the gateway gets its
# own queue, everything else lands in q_default
altq on $WAN1 hfsc bandwidth 30Mb queue { q_ssh, q_default }
queue q_ssh bandwidth 10% priority 2 hfsc (upperlimit 99%)
queue q_default bandwidth 90% priority 1 hfsc (default upperlimit 99%)

# hide the LAN behind the WAN address
nat on $WAN1 from $LAN1:network to any -> ($WAN1)

# default deny in both directions, then the explicit passes below
block in all
block out all

antispoof quick for $WAN1
antispoof quick for $LAN1

# services the gateway itself offers on the WAN side
pass in on $WAN1 inet proto icmp from any to $WAN1 keep state
pass in on $WAN1 proto tcp from any to $WAN1 port www
pass in on $WAN1 proto tcp from any to $WAN1 port ssh

# outbound from the gateway: its own ssh sessions go through q_ssh, the rest
# through the default queue
pass out quick on $WAN1 proto tcp from $WAN1 to any port ssh queue q_ssh keep state
pass out on $WAN1 keep state

# let the LAN out; the floating state created here also covers the NATed
# packet leaving on $WAN1
pass in on $LAN1 from $LAN1:network to any keep state

/etc/ipfw.rules

# flush, then accept everything just below the kernel's default rule 65535:
# filtering is pf's job, ipfw is only here for dummynet
ipfw -q -f flush
ipfw -q add 65534 allow all from any to any
# one 2 Mbit/s dummynet pipe per direction for 10.20.20.4
ipfw -q pipe 1 config bw 2048KBit/s
ipfw -q pipe 2 config bw 2048KBit/s
# explicit numbers keep the pipe rules ahead of the catch-all at 65534 (unnumbered
# rules added after a 65534 rule also get 65534 and land behind it, never matching);
# matching on vtnet1 keeps them independent of pf's NAT on vtnet0
ipfw -q add 100 pipe 1 ip from any to 10.20.20.4 via vtnet1 out
ipfw -q add 200 pipe 2 ip from 10.20.20.4 to any via vtnet1 in
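Added example, not code from the original post, FreeBSD or pfSense: a small sh script for checking a box that runs pf and ipfw/dummynet side by side like the one above. It parses the output of kldstat(8), `ipfw pipe show` and `pfctl -s info` to report which of the three modules are loaded and in what order, what bandwidth the dummynet pipes were actually configured with, and whether pf is enabled. Assumptions: kld Ids are handed out in load order, and the three output formats look like the constructed samples embedded in the script (written from memory of FreeBSD 10, not captured from a machine). The function names and the script name `check-pf-ipfw.sh` are made up here.

```shell
#!/bin/sh
# check-pf-ipfw.sh: sanity checks for a FreeBSD 10 gateway that uses pf for
# filtering and ipfw only for dummynet. Added example, not from the original
# post. Run as root with "live" to query the real system; with no argument it
# only defines the helpers and the constructed samples below.

# Constructed sample output (FreeBSD 10 formats from memory, not captures).
SAMPLE_KLDSTAT='Id Refs Address            Size     Name
 1   22 0xffffffff80200000 17bf010  kernel
 2    1 0xffffffff81a11000 1a2d8    ipfw.ko
 3    1 0xffffffff81a2c000 f1b0     dummynet.ko
 4    1 0xffffffff81a3c000 35e18    pf.ko'
SAMPLE_PIPES='00001:   2.048 Mbit/s    0 ms burst 0
q131073  50 sl. 0 flows (1 buckets) sched 65537 weight 0 lmax 0 pri 0 droptail
 sched 65537 type FIFO flags 0x0 0 buckets 0 active
00002:   2.048 Mbit/s    0 ms burst 0
q131074  50 sl. 0 flows (1 buckets) sched 65538 weight 0 lmax 0 pri 0 droptail
 sched 65538 type FIFO flags 0x0 0 buckets 0 active'
SAMPLE_PFINFO='Status: Enabled for 0 days 00:01:02           Debug: Urgent'

# kld_order: read kldstat(8) output on stdin, print "<Id> <module>" for pf.ko,
# ipfw.ko and dummynet.ko, lowest Id first. On FreeBSD 10 the load order is the
# only thing that fixes the order of the pfil hooks, so this shows which filter
# registered first. Modules built into a custom kernel do not show up here.
kld_order() {
    awk '$5 == "pf.ko" || $5 == "ipfw.ko" || $5 == "dummynet.ko" { print $1, $5 }' | sort -n
}

# all_loaded: succeed only if pf.ko, ipfw.ko and dummynet.ko are all loaded;
# the pipe commands in /etc/ipfw.rules need dummynet, not just ipfw.
all_loaded() {
    kld_order | awk 'END { exit (NR == 3) ? 0 : 1 }'
}

# pipe_bw: read `ipfw pipe show` output on stdin, print "<pipe> <bandwidth>"
# per configured pipe, e.g. "1 2.048Mbit/s" for `pipe 1 config bw 2048KBit/s`.
pipe_bw() {
    awk '/^[0-9]+:/ { sub(":", "", $1); printf "%d %s%s\n", $1, $2, $3 }'
}

# pf_enabled: read `pfctl -s info` output on stdin, succeed if pf is enabled.
pf_enabled() {
    grep -q '^Status: Enabled'
}

# live_check: run the real commands (root on the FreeBSD gateway).
live_check() {
    echo "kld load order:"; kldstat | kld_order
    kldstat | all_loaded || echo "WARNING: pf.ko, ipfw.ko or dummynet.ko missing" >&2
    echo "dummynet pipes:"; ipfw pipe show | pipe_bw
    pfctl -s info | pf_enabled && echo "pf: enabled" || echo "pf: DISABLED" >&2
}

# sample_check: run the parsers over the constructed samples (no FreeBSD needed).
sample_check() {
    printf '%s\n' "$SAMPLE_KLDSTAT" | kld_order
    printf '%s\n' "$SAMPLE_PIPES" | pipe_bw
    printf '%s\n' "$SAMPLE_PFINFO" | pf_enabled && echo "pf: enabled"
}

case "${1-}" in
    live)   live_check ;;
    sample) sample_check ;;
esac
```

`sh check-pf-ipfw.sh live` on the gateway prints the load order, the pipes and the pf status; `sh check-pf-ipfw.sh sample` runs the parsers over the embedded samples. The load order is worth knowing because FreeBSD 10's sys/net/pfil.c inserts PFIL_IN hooks at the head of the chain and PFIL_OUT hooks at the tail, so the module that registered last sees inbound packets first and outbound packets last. With the rulesets above that is harmless either way: the dummynet rules match the un-NATed 10.20.20.4 on vtnet1, and pf's NAT only rewrites addresses on vtnet0.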

© Server Fault or respective owner
