UNIX System Administration Handbook - Evi Nemeth [201]
ipfw includes support for “dummynet”, a nice feature that lets you play with your Internet traffic by setting bandwidth and queue length limits and by simulating delays and losses. Dummynet was originally designed as a testing tool for TCP congestion control, but it turned out to be useful in a variety of other contexts. It has recently been used for tasks such as limiting the bandwidth consumed by one customer on a DSL line and limiting the bandwidth consumed by web or FTP traffic so that interactive traffic remains speedy. A slow home link with a popular set of web or FTP data might “pipe” packets to dummynet to keep them from flooding the link. See the dummynet man page for details on its integration with ipfw.
ipfw is easy to use and has a syntax similar to that of Cisco’s access lists. To implement NAT with ipfw, use the natd program in /sbin.
As when configuring ipchains on Linux, you run the ipfw command once to establish each filtering rule. A complete ipfw configuration takes the form of a shell script that runs a series of ipfw commands. We include a partial ipfw configuration below to illustrate the command’s syntax, but we provide no detailed coverage.
You can compare the example below to the IPFilter examples on page 335 to get a feel for each system. In this example, de0 is the external interface and ed1 is the internal interface. The third parameter of each line identifies the rule number; rules are processed in numeric order, from smallest to largest. The ordering is important because the first rule that matches determines what action will be taken.
# freebsd ipfw file
# First flush any old rules lying around
ipfw -f flush
# Allow everything from the dhcp server and gw.synack.net
ipfw add 500 allow ip from 128.138.129.136 to any
ipfw add 510 allow ip from 209.180.251.58 to any
# Allow ssh in and out
ipfw add 600 allow tcp from any to any 22 in via de0
# Replies to outbound ssh. This rule is stateless: it admits any inbound TCP
# packet whose source port happens to be 22, whatever its destination port.
ipfw add 605 allow tcp from any 22 to any in via de0
# Weird hack to allow arp packets over the bridge (2054 = 0x0806, the ARP EtherType)
ipfw add 1000 allow udp from 0.0.0.0 2054 to 0.0.0.0
Other rules let DNS traffic in and out, support web browsing to the outside, let DHCP through, and allow UDP for traceroute and Quake (it’s a student’s machine). Everything from the local network is allowed out. Folks hammering on his DNS server with queries for nonexistent hosts are blacklisted, and everything else from the outside world is blocked.
We cover Darren Reed’s IPFilter programs in more detail than ipfw because they are compatible with many other versions of UNIX. The IPFilter package includes ipf for configuring a firewall, ipfstat for printing out the filtering rules that have been installed, and ipnat for implementing NAT. It’s available from
http://coombs.anu.edu.au/~avalon/ip-filter.html
To use IPFilter, make sure that your kernel has been compiled with the clauses
options IPFILTER
options IPFILTER_LOG
The IPFilter package makes a clear distinction between packet filtering chores and NAT, rather than smushing them together as Linux's ipchains does.
The ipf(1) and ipf(5) man pages document the details of IPFilter’s filtering language and give plenty of examples.
ipf reads a file (/etc/ipf.rules, by default) of rules of the form
action in|out [quick] condition ...
where the action can be
• pass to accept the packet
• block to drop the packet
• log to log the packet through syslog, or
• count to tally the packets that match.
The block action can also specify that a TCP reset (block return-rst) or a particular ICMP error message (block return-icmp) should be returned to the sender.
The modifier quick causes an action to be performed as soon as the conditions are fulfilled; it's the default for count and log. Normally, the rules are applied in turn and no action is taken until all rules have been tried, so the last pass or block rule that matches a packet decides its fate. This is the opposite of ipfw's first-match ordering, and it is the most common source of surprises when a ruleset is moved from one system to the other.
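As an added example (not code from the book, and not the IPFilter package's own parser), the following Python script models the matching discipline just described: every rule is tried in turn and the last matching pass or block rule decides, unless a matching rule says quick, in which case evaluation stops at that rule. The same evaluator can be switched to first-match semantics to show how the identical ruleset would behave under ipfw or ipchains, where the first matching rule wins. Everything here is constructed for the example: the rule grammar is an assumed subset of ipf's (action, optional return-rst/return-icmp, in|out, quick, on IF, proto P, and either all or from/to with port = N), the ruleset and packets are made up (de0 and 128.138.129.136 are borrowed from the ipfw example above; these are not the page-335 rules), log and count are modelled as firing immediately without deciding the packet's fate, and a packet that matches no rule is passed, which is an assumption.

```python
"""Toy evaluator for IPFilter-style rules (added example, not the book's code).

Rule grammar (assumed subset of ipf's):
    action [return-rst|return-icmp] in|out [quick] [on IF] [proto P]
           ( all | from ADDR [port = N] to ADDR [port = N] )
ADDR is 'any', a host address, or a CIDR block.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str                            # pass | block | log | count
    ret: Optional[str]                     # return-rst / return-icmp (block only)
    direction: str                         # in | out
    quick: bool
    iface: Optional[str]                   # None = any interface
    proto: Optional[str]                   # None = any protocol
    src: Optional[ipaddress.IPv4Network]   # None = any
    sport: Optional[int]
    dst: Optional[ipaddress.IPv4Network]
    dport: Optional[int]
    text: str


@dataclass
class Packet:
    direction: str
    iface: str
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def _addr(tok: str) -> Optional[ipaddress.IPv4Network]:
    if tok == "any":
        return None
    return ipaddress.ip_network(tok if "/" in tok else tok + "/32", strict=False)


def _port(toks: List[str]) -> Optional[int]:
    """Consume an optional 'port = N' clause from the front of toks."""
    if toks[:2] == ["port", "="]:
        del toks[:2]
        return int(toks.pop(0))
    return None


def parse_rule(line: str) -> Rule:
    toks = line.split()
    action = toks.pop(0)
    if action not in ("pass", "block", "log", "count"):
        raise ValueError("unknown action %r in: %s" % (action, line))
    ret = toks.pop(0) if action == "block" and toks[0].startswith("return-") else None
    direction = toks.pop(0)
    if direction not in ("in", "out"):
        raise ValueError("expected in|out in: " + line)
    quick = bool(toks) and toks[0] == "quick"
    if quick:
        toks.pop(0)
    iface = proto = None
    if toks and toks[0] == "on":
        iface = toks[1]; del toks[:2]
    if toks and toks[0] == "proto":
        proto = toks[1]; del toks[:2]
    src = dst = sport = dport = None
    if toks == ["all"]:
        toks.clear()
    else:
        if toks.pop(0) != "from":
            raise ValueError("expected 'from' or 'all' in: " + line)
        src = _addr(toks.pop(0)); sport = _port(toks)
        if toks.pop(0) != "to":
            raise ValueError("expected 'to' in: " + line)
        dst = _addr(toks.pop(0)); dport = _port(toks)
    if toks:
        raise ValueError("trailing tokens %r in: %s" % (toks, line))
    return Rule(action, ret, direction, quick, iface, proto, src, sport, dst, dport, line)


def parse_rules(text: str) -> List[Rule]:
    lines = (l.strip() for l in text.splitlines())
    return [parse_rule(l) for l in lines if l and not l.startswith("#")]


def matches(r: Rule, p: Packet) -> bool:
    return (r.direction == p.direction
            and r.iface in (None, p.iface)
            and r.proto in (None, p.proto)
            and (r.src is None or ipaddress.ip_address(p.src) in r.src)
            and (r.dst is None or ipaddress.ip_address(p.dst) in r.dst)
            and r.sport in (None, p.sport)
            and r.dport in (None, p.dport))


def evaluate(rules: List[Rule], pkt: Packet, first_match: bool = False) -> Tuple[str, Optional[str]]:
    """Return (verdict, text of the deciding rule); verdict is 'pass', 'block',
    'block return-rst' or 'block return-icmp'.  Default discipline is ipf's
    last-match-unless-quick; first_match=True gives ipfw/ipchains behaviour."""
    verdict, winner = "pass", None          # assumed default when nothing matches
    for r in rules:
        if not matches(r, pkt):
            continue
        if r.action in ("log", "count"):    # side effect only; never decides
            continue
        verdict = r.action if r.ret is None else r.action + " " + r.ret
        winner = r.text
        if first_match or r.quick:
            break
    return verdict, winner


# Constructed sample ruleset (de0 = outside interface, as in the ipfw example).
SAMPLE_RULES = """
block in on de0 all
log in on de0 proto tcp from any to any port = 23
pass in quick on de0 proto tcp from any to 128.138.129.136/32 port = 22
block return-rst in quick on de0 proto tcp from any to any port = 23
pass in on de0 proto udp from any to 128.138.129.136/32 port = 53
block in on de0 proto udp from 10.0.0.0/8 to any
pass out on de0 all
"""
RULES = parse_rules(SAMPLE_RULES)

# Constructed packets (hypothetical addresses).
SSH_IN = Packet("in", "de0", "tcp", "192.0.2.7", "128.138.129.136", 40000, 22)
TELNET_IN = Packet("in", "de0", "tcp", "192.0.2.7", "128.138.129.136", 40001, 23)
DNS_OK = Packet("in", "de0", "udp", "192.0.2.53", "128.138.129.136", 53, 53)
DNS_RFC1918 = Packet("in", "de0", "udp", "10.9.8.7", "128.138.129.136", 1024, 53)
INSIDE = Packet("in", "ed1", "tcp", "192.168.1.5", "128.138.129.136", 5000, 80)

if __name__ == "__main__":
    for name, p in [("ssh", SSH_IN), ("telnet", TELNET_IN), ("dns", DNS_OK),
                    ("dns-10/8", DNS_RFC1918), ("inside", INSIDE)]:
        print("%-9s ipf: %-40s first-match: %s" % (name, evaluate(RULES, p),
                                                   evaluate(RULES, p, True)))
```

Running the script prints each packet's verdict under both disciplines. The ssh packet is blocked by the leading block rule under first-match but passed under ipf, because the later quick pass rule overrides it; the telnet packet is logged by the log rule and then stopped at the block return-rst rule; the DNS query from 10/8 is passed by the port-53 rule and then re-blocked by the later, more specific block rule; and the packet arriving on ed1 matches nothing and falls through to the default.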