Re: Generic IP Firewalling Chains

Rob van Nieuwkerk (robn@verdi.et.tudelft.nl)
Tue, 19 Aug 1997 16:31:58 +0200


Hi Paul,

> We (Michael Neuling and I) have finally released our patch for
> more sophisticated IP firewalling; it's different enough from the
.
.
> byte counters. I have two questions for those in the know:

> 2) Does anyone actually use TOS setting? Why is it that ip_fw.c

Yes, I *do* use it. The "Minimum Delay" bit in particular is important for
me. I switch it on for "interactive" packets in my upstream (Linux)
router. I'm behind a 33k6 modem link. Linux prioritizes packets
in 3 queues. This way I get acceptable interactive performance
while doing bulk downloads at the same time. (It could even be better
if there wasn't such a big queue in the serial driver, but latency
is kept down to 1.5 seconds now).

> mangles the TOS rules so that "minimise cost" can never be effected?

No, it works correctly (I wrote the code :-)

Greetings,
Rob van Nieuwkerk

Some (TOS-related) pieces from my firewall script:
------------------------------------------------------------------
ANYWHERE="0.0.0.0/0"

# ipfwadm -t takes two masks: the TOS byte is first AND-ed with the
# first mask and then XOR-ed with the second, so "0x00 0x10" clears
# the whole field and sets just the one bit wanted.
TOS_MIN_DELAY="0x00 0x10"
TOS_MAX_THROUGHPUT="0x00 0x08"
TOS_MAX_RELIABILITY="0x00 0x04"
TOS_MIN_COST="0x00 0x02"

# Service names as in /etc/services; an empty list gets no rule below.
MIN_DELAY_TCP_PORTS="ftp telnet login ntp"
MIN_DELAY_UDP_PORTS="domain ntp tftp"
MAX_THROUGHPUT_TCP_PORTS="ftp-data"
MAX_THROUGHPUT_UDP_PORTS=""
MAX_RELIABILITY_TCP_PORTS=""
MAX_RELIABILITY_UDP_PORTS="snmp"
MIN_COST_TCP_PORTS="nntp"
MIN_COST_UDP_PORTS=""

########################## Output rules
# Type Of Service correction.  -b makes each rule bidirectional, so the
# port list after -S matches either the source or the destination port.
ipfwadm -O -a accept -b -P tcp -S $ANYWHERE $MIN_DELAY_TCP_PORTS -t $TOS_MIN_DELAY
ipfwadm -O -a accept -b -P udp -S $ANYWHERE $MIN_DELAY_UDP_PORTS -t $TOS_MIN_DELAY
ipfwadm -O -a accept -b -P tcp -S $ANYWHERE $MAX_THROUGHPUT_TCP_PORTS -t $TOS_MAX_THROUGHPUT
ipfwadm -O -a accept -b -P udp -S $ANYWHERE $MAX_RELIABILITY_UDP_PORTS -t $TOS_MAX_RELIABILITY
ipfwadm -O -a accept -b -P tcp -S $ANYWHERE $MIN_COST_TCP_PORTS -t $TOS_MIN_COST
------------------------------------------------------------------

verdi /home/robn 24 % /sbin/ipfwadm -Ole
IP firewall output rules, default policy: accept
 pkts bytes type prot opt  tosa tosx ifname ifaddress source   destination ports
  338 15540 acc  tcp  b--- 0x01 0x10 any    any       anywhere anywhere    ftp,telnet,login,ntp -> any
 6695  878K acc  udp  b--- 0x01 0x10 any    any       anywhere anywhere    domain,ntp,tftp -> any
12933  517K acc  tcp  b--- 0x01 0x08 any    any       anywhere anywhere    ftp-data -> any
    0     0 acc  udp  b--- 0x01 0x04 any    any       anywhere anywhere    snmp -> any
 1402 56192 acc  tcp  b--- 0x01 0x02 any    any       anywhere anywhere    nntp -> any
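The TOS rewrite these rules perform, and the question of whether "minimise cost" survives it, can be checked outside the kernel. The Python below is an added example, not code from the post, from ipfwadm or from the kernel. It models `-t andmask xormask` as `tos = (tos & andmask) ^ xormask`, resolves the script's service names with an embedded subset of /etc/services, and walks the five output rules first-match, as an ipfwadm accept chain does. Two things are assumptions made for illustration: the reserved low bit of the TOS byte is treated as always preserved (the listing shows tosa 0x01 where the script passed 0x00), and the "3 queues" the post mentions are modelled as a simple split of low delay to interactive, throughput to background and everything else to normal, which is not the kernel's own table.

```python
"""Emulation of the ipfwadm TOS correction rules from the script above.

Added example, not code from the original post, from ipfwadm or from
the kernel.  -t andmask xormask is modelled as
    tos = (tos & andmask) ^ xormask
and the three output queues as a simplified split on the result.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# RFC 1349 TOS bits, the IPTOS_* values from <netinet/ip.h>
IPTOS_LOWDELAY = 0x10
IPTOS_THROUGHPUT = 0x08
IPTOS_RELIABILITY = 0x04
IPTOS_MINCOST = 0x02
TOS_RESERVED_BIT = 0x01      # "must be zero" bit below the TOS nibble

# Service names used in the script, resolved as /etc/services would.
# Constructed subset with the well-known numbers so this runs offline.
SERVICES = {
    "ftp-data": 20, "ftp": 21, "telnet": 23, "domain": 53, "tftp": 69,
    "nntp": 119, "ntp": 123, "snmp": 161, "login": 513,
}


@dataclass(frozen=True)
class TosRule:
    """One 'ipfwadm -O -a accept -b -P <proto> -S 0/0 <ports> -t <and> <xor>' line."""
    proto: str
    ports: FrozenSet[int]
    andmask: int
    xormask: int

    @classmethod
    def from_script(cls, proto: str, port_names: str, tos: str) -> "TosRule":
        andmask, xormask = (int(x, 16) for x in tos.split())
        # Assumption taken from the listing: the script passes an and-mask
        # of 0x00 but 'ipfwadm -Ole' prints tosa 0x01, so the reserved low
        # bit is modelled as always preserved and never flipped.
        andmask |= TOS_RESERVED_BIT
        xormask &= ~TOS_RESERVED_BIT & 0xFF
        ports = frozenset(SERVICES[name] for name in port_names.split())
        return cls(proto, ports, andmask, xormask)

    def matches(self, proto: str, sport: int, dport: int) -> bool:
        # -S <ports> names source ports; -b makes the rule bidirectional,
        # so the same list also matches the destination port.
        return proto == self.proto and (sport in self.ports or dport in self.ports)

    def rewrite(self, tos: int) -> int:
        # AND with the first mask (clears precedence and old TOS bits),
        # then XOR with the second (sets the bit wanted).
        return ((tos & self.andmask) ^ self.xormask) & 0xFF


def build_rules() -> List[TosRule]:
    """The five TOS correction rules from the script, in chain order."""
    return [
        TosRule.from_script("tcp", "ftp telnet login ntp", "0x00 0x10"),
        TosRule.from_script("udp", "domain ntp tftp", "0x00 0x10"),
        TosRule.from_script("tcp", "ftp-data", "0x00 0x08"),
        TosRule.from_script("udp", "snmp", "0x00 0x04"),
        TosRule.from_script("tcp", "nntp", "0x00 0x02"),
    ]


def queue_for(tos: int) -> str:
    """Simplified model of the three output queues the post mentions.
    Assumption for illustration only, not the kernel's actual mapping."""
    if tos & IPTOS_LOWDELAY:
        return "interactive"
    if tos & IPTOS_THROUGHPUT:
        return "background"
    return "normal"


def process(rules: List[TosRule], proto: str, sport: int, dport: int,
            tos: int) -> Tuple[int, str, Optional[int]]:
    """Walk the output chain; the first matching accept rule rewrites TOS.
    Returns (new_tos, queue, index of the matching rule or None)."""
    for index, rule in enumerate(rules):
        if rule.matches(proto, sport, dport):
            new_tos = rule.rewrite(tos)
            return new_tos, queue_for(new_tos), index
    return tos, queue_for(tos), None


if __name__ == "__main__":
    chain = build_rules()
    # Constructed sample packets: (proto, sport, dport, TOS as sent by the host)
    samples = [("tcp", 1025, 23, 0x00),    # telnet: becomes 0x10, interactive
               ("tcp", 20, 1026, 0x00),    # ftp-data reply: 0x08, background
               ("tcp", 1027, 119, 0xE0),   # nntp with precedence set: 0x02
               ("udp", 1028, 53, 0x01),    # DNS, reserved bit kept: 0x11
               ("tcp", 1029, 80, 0x08)]    # no rule matches: TOS untouched
    for packet in samples:
        print(packet, "->", process(chain, *packet))
```

Running it shows the point of the andmask: a sender that set precedence bits (0xE0) or a different TOS bit has them cleared before the wanted bit is XOR-ed in, the nntp rule does deliver 0x02 ("minimise cost"), and packets matching no rule keep whatever TOS they came with.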