 From:  "Arturas Satkovskis" <arsatk at delfi dot lt>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Advanced traffic shaping
 Date:  Mon, 17 May 2004 08:14:51 +0300
Previously, before discovering M0n0wall, I had simply been using dummynet
on FreeBSD.
Then I was passing a line
/sbin/sysctl net.inet.ip.fw.one_pass=0
This allowed a packet, after matching one rule, to be passed on to the
following ones.
I have not noticed such a possibility in M0n0wall yet. Does anyone know by
chance how to do that in M0n0wall?
Another question: how do you guys test if your rules really work as they
should on M0n0wall?
With pure FreeBSD and IPFW I have been using "ipfw queue list" or "ipfw
queue show".

Below is my old dummynet.conf file, in which I used packet reinjection.

#!/bin/sh
# dummynet.conf: per-host caps (pipes 3 and 4) stacked under shared
# pipes (1 and 2). This only works because one_pass=0 reinjects each
# packet into the rule set after its first dummynet action.
exif=rl0        # external (WAN) interface
if1=rl1         # internal interfaces
if2=rl2
bw1=508kbit/s   # shared download limit (pipe 1)
bw2=245kbit/s   # shared upload limit (pipe 2)

bw3=96kbit/s    # per-host download cap (pipe 3)
bw4=20kbit/s    # per-host upload cap (pipe 4)

ipfw -f pipe flush

# Let a packet keep matching rules after a pipe/queue action
/sbin/sysctl net.inet.ip.fw.one_pass=0

# Shared pipes
ipfw pipe 1 config bw $bw1 queue 10kbytes
ipfw pipe 2 config bw $bw2 queue 25kbytes

# Per-host pipes: the mask creates one dynamic pipe per address
ipfw pipe 3 config bw $bw3 queue 10kbytes mask dst-ip 0xffffffff
ipfw pipe 4 config bw $bw4 queue 25kbytes mask src-ip 0xffffffff

# Queues on the shared pipes, one flow per host so hosts share fairly
ipfw queue 10 config pipe 1 mask dst-ip 0xffffffff
ipfw queue 20 config pipe 2 mask src-ip 0xffffffff

# LAN-to-LAN traffic bypasses shaping (no rule 65000 exists, so the
# skipto lands on the default rule 65535)
ipfw add 10 skipto 65000 ip from 192.168.0.0/16 to 192.168.0.0/16

# Upload: per-host cap first ...
ipfw add 1010 pipe 4 ip from any to any recv $if1 in
ipfw add 1020 pipe 4 ip from any to any recv $if2 in

# Download: per-host cap first ...
ipfw add 1030 pipe 3 ip from any to any recv $exif in

# ... then, after reinjection, the shared upload pipe
ipfw add 1040 queue 20 ip from any to any recv $if1 in
ipfw add 1050 queue 20 ip from any to any recv $if2 in

# ... and the shared download pipe
ipfw add 1060 queue 10 ip from any to any recv $exif in


-----Original Message-----
From: Thomas Hertz [mailto:term at cynisk dot net] 

To: 'Adam Nellemann'
Cc: 
Subject: RE: [m0n0wall] Advanced traffic shaping

> - How do you "reinject" packets? (I assume this can't be done through 
> the webGUI? I further assume that "reinject" means "send through 
> several queues/pipes"?)

Yes, at least that is what I meant. :) I have to admit that I haven't had
the time to research whether this is how things really work though, but I
hope it is. The text "the first rule that matches a packet will be executed"
might be misleading if this is the case.

> - Could you please specify your high-weight rules (I think I've got 
> the ACKs down, but I'm unsure about DNS?)

I'm currently only running this on the outgoing traffic (since my DSL is
2500/768kbit). But the rules I have are:

- Outgoing TCP packets size 0-80 with ACK flag (to speed up downloading)
- Outgoing ICMP packets (makes the measurements a little more exact)
- Outgoing UDP packets with destination port 53 (for the DNS queries)
- Outgoing UDP packets with source port 53 (to speed up queries to the NATed
DNS server)
- Outgoing TCP packets with SYN flag with target port 80 or 443 (to speed up
web browsing)

All these are passed to a Queue with a weight of 9, and the final rule is a
"catch all" which passes the packets to a queue with a weight of 1.

> - I'm currently rejecting (not blocking) incoming SYN packets, is 
> this wrong? (I was told this might improve performance in some
> circumstances?)

I'm currently sending RST (reject) to incoming packets to ports 113 (identd)
and 1080 (socks) since this speeds up connecting to services that check
these (i.e. IRC servers). Other uses might be if you're running a NATed *NIX
webserver to RST incoming ACK flags to destination port 80.

// Thomas Hertz


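The weighted-queue scheme Thomas describes, written out as an ipfw/dummynet
rule set for plain FreeBSD. This is an added example, not code from either
post or from m0n0wall; the interface name rl0 and the 768 kbit/s upstream
are assumptions. The script prints the rules by default so they can be
reviewed before being applied, and show_state covers Arturas's question
about checking that rules actually match: ipfw's per-rule counters and
the queue/pipe listings.

```shell
#!/bin/sh
# Added example (not from the original posts): priority shaping of
# outgoing traffic with two WF2Q+ queues on one dummynet pipe.
# EXTIF and UPLINK are assumptions; set them for your link.

EXTIF="${EXTIF:-rl0}"
UPLINK="${UPLINK:-768Kbit/s}"

# Emit the ipfw commands instead of running them, so the rule set can be
# reviewed or diffed first. Apply with:  ./shape.sh apply
gen_rules() {
    cat <<EOF
ipfw -f pipe flush
# One pipe for the upstream link; two queues share it. The weight only
# matters while both queues have packets waiting: the weight-9 queue then
# gets 9/10 of the link, and idle bandwidth is never wasted.
ipfw pipe 1 config bw $UPLINK queue 20KBytes
ipfw queue 9 config pipe 1 weight 9
ipfw queue 1 config pipe 1 weight 1
# Priority class, in the order Thomas lists them.
ipfw add 1000 queue 9 tcp from any to any out xmit $EXTIF tcpflags ack iplen 0-80
ipfw add 1010 queue 9 icmp from any to any out xmit $EXTIF
ipfw add 1020 queue 9 udp from any to any 53 out xmit $EXTIF
ipfw add 1030 queue 9 udp from any 53 to any out xmit $EXTIF
ipfw add 1040 queue 9 tcp from any to any 80,443 out xmit $EXTIF tcpflags syn
# Catch-all: everything else leaving the WAN interface.
ipfw add 1050 queue 1 ip from any to any out xmit $EXTIF
EOF
}

# Number of shaping rules the set installs.
rule_count() {
    gen_rules | grep -c '^ipfw add'
}

# Every shaping rule must be tied to the WAN interface; otherwise LAN
# traffic would be pushed through the upstream pipe as well.
check_rules() {
    ! gen_rules | grep '^ipfw add' | grep -v "out xmit $EXTIF" | grep -q .
}

# Verify that rules match: -a prints packet/byte counters per rule, and the
# queue/pipe listings show backlog and drops per flow.
show_state() {
    ipfw -a list 1000-1050
    ipfw queue show
    ipfw pipe show
}

case "${1:-}" in
    apply) check_rules && gen_rules | sh ;;
    show)  show_state ;;
    *)     gen_rules ;;
esac
```

Leave net.inet.ip.fw.one_pass at its default of 1 for this set. With
one_pass=0, as in Arturas's dummynet.conf, a packet queued by rule 1000 is
reinjected at rule 1001 and ends up in the catch-all queue as well. That
setting is what you want when stacking a per-host pipe under a shared
queue, as his script does, but it defeats a weight-based priority scheme,
where each packet should hit exactly one queue.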
---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch