Netgate Discussion Forum
How to limit up/downloads per IP

2.0-RC Snapshot Feedback and Problems - RETIRED
5 Posts 2 Posters 3.0k Views
dr85

I set up a Traffic Shaper -> Limiter and use it in Firewall: Rules. When I use this rule, this IP can't access the Internet. Why?
[attached screenshots: a1.jpg, a2.jpg, a3.jpg, a4.jpg]

eri--

Check if you have errors in the log.

The reasons why are:
1. The dummynet/ipfw module is not loaded. Run the command kldstat and check that dummynet/ipfw is in the list.
2. The pipe/limiter has not been created. Run the command ipfw pipe show to check that the pipes have been created.

        I suspect the first to be the issue since some changes have been done lately in there so please give feedback on this.

dr85

It's not working yet.
When I change the alias limit_LAN, "ipfw pipe list" does not change.

          I installed the squid and squidGuard packages.

          kldstat

          Id Refs Address    Size     Name
          1    5 0xc0400000 a83e00   kernel
          2    1 0xc0e84000 6a2c4    acpi.ko
          3    1 0xc3379000 e000     ipfw.ko
          4    1 0xc33bd000 8000     dummynet.ko

          ipfw pipe list

          00001: 512.000 Kbit/s    0 ms   50 sl. 1 queues (64 buckets) droptail
              mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
          BKT Prot Source IP/port_ Dest. IP/port Tot_pkt/bytes Pkt/Byte Drp
          34 ip       192.168.1.5/0             0.0.0.0/0       17      920  0    0   0
          00002: 512.000 Kbit/s    0 ms   50 sl. 1 queues (64 buckets) droptail
              mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
          BKT Prot Source IP/port_ Dest. IP/port Tot_pkt/bytes Pkt/Byte Drp
          21 ip           0.0.0.0/0         192.168.1.5/0     27379  1760756 11  716   0

[attached screenshot: a2.png]

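The two checks eri-- lists (module loaded, pipe created), applied to the kind of kldstat and ipfw pipe list output dr85 posted, written up as a script. This is an added example, not code from the thread or from pfSense: each check is a shell function that reads the command's output on stdin, so it runs against saved output offline as well as on the box. The function names, the `--live` mode and the sample text are constructed for illustration (the drop count of 3 on the second sample flow is added so the drop check has something to report); the pipe-number extraction assumes the `dnpipe ( in, out)` rule syntax visible in the posted rules.debug.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense. Implements the checks
# eri-- lists: (1) ipfw.ko and dummynet.ko loaded, (2) every pipe a rule
# attaches with "dnpipe" actually exists in "ipfw pipe list", plus a look
# for flows that are dropping packets. Every check reads command output on
# stdin, so it works on saved output as well as on a live box.

# modules_loaded: reads kldstat output; succeeds only if both ipfw.ko and
# dummynet.ko appear in the Name column.
modules_loaded() {
    awk '$NF == "ipfw.ko"     { ipfw = 1 }
         $NF == "dummynet.ko" { dn = 1 }
         END { exit !(ipfw && dn) }'
}

# rule_pipes: reads rules.debug; prints the pipe numbers referenced by pass
# rules, written either "dnpipe N" or "dnpipe ( in, out)" (as in dr85's rule).
rule_pipes() {
    grep -E '^pass .*dnpipe' |
        sed -E 's/.*dnpipe *\(? *([0-9]+)(, *([0-9]+))?.*/\1 \3/' |
        tr ' ' '\n' | grep -E '^[0-9]+$'
}

# pipe_exists N: reads "ipfw pipe list" output; succeeds if a header line
# for pipe N ("00002: 512.000 Kbit/s ...") is present.
pipe_exists() {
    awk -v n="$1" '$1 ~ /^[0-9]+:$/ { p = $1; sub(":", "", p); if (p + 0 == n + 0) found = 1 }
                   END { exit !found }'
}

# flows_with_drops: reads "ipfw pipe list" output; prints one line per flow
# row (bucket, proto, src, dst, totals, queue, drops) whose Drp column is
# non-zero, tagged with the pipe it belongs to.
flows_with_drops() {
    awk '$1 ~ /^[0-9]+:$/ { pipe = $1; sub(":", "", pipe); pipe += 0; next }
         $1 ~ /^[0-9]+$/ && $2 ~ /^[a-z]+$/ && $NF + 0 > 0 {
             printf "pipe %d flow %s -> %s drops %d\n", pipe, $3, $4, $NF }'
}

# check_box [rules.debug]: the live version, tying the checks together on a
# pfSense box (hypothetical wrapper; assumes kldstat and ipfw are on PATH).
check_box() {
    rules=${1:-/tmp/rules.debug}
    kldstat | modules_loaded || { echo "ipfw.ko/dummynet.ko not loaded"; return 1; }
    for p in $(rule_pipes < "$rules" | sort -u); do
        ipfw pipe list | pipe_exists "$p" ||
            { echo "pipe $p is used by a rule but was never created"; return 1; }
    done
    ipfw pipe list | flows_with_drops
}

# Constructed sample output in the shape of dr85's post; the drop count of 3
# on the second flow is added so the drop check has something to report.
SAMPLE_KLDSTAT='Id Refs Address    Size     Name
1    5 0xc0400000 a83e00   kernel
2    1 0xc0e84000 6a2c4    acpi.ko
3    1 0xc3379000 e000     ipfw.ko
4    1 0xc33bd000 8000     dummynet.ko'

SAMPLE_PIPES='00001: 512.000 Kbit/s    0 ms   50 sl. 1 queues (64 buckets) droptail
    mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
BKT Prot Source IP/port_ Dest. IP/port Tot_pkt/bytes Pkt/Byte Drp
 34 ip       192.168.1.5/0             0.0.0.0/0       17      920  0    0   0
00002: 512.000 Kbit/s    0 ms   50 sl. 1 queues (64 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
BKT Prot Source IP/port_ Dest. IP/port Tot_pkt/bytes Pkt/Byte Drp
 21 ip           0.0.0.0/0         192.168.1.5/0     27379  1760756 11  716   3'

SAMPLE_RULES='dnpipe 1 bandwidth 512Kb mask src-ip 0xffffffff
dnpipe 2 bandwidth 512Kb mask dst-ip 0xffffffff
pass  in log  quick  on $LAN  from <limit_lan> to any keep state  dnpipe ( 1, 2)  label "USER_RULE: limit_LAN"
pass  in log  quick  on $LAN  from <remote> to any keep state  label "USER_RULE: remote 2 any"'

# Run the live checks only when asked to, e.g. "sh check_limiter.sh --live".
case "${1:-}" in
    --live) check_box "${2:-/tmp/rules.debug}" ;;
esac
```

On a box in the state dr85 posted, both modules are present and pipes 1 and 2 exist, so the script would report nothing for the first two checks; it would then be the per-flow rows (queued packets and drops on pipe 2, the download direction masked on dst-ip) that show whether the limiter is actually shaping or starving the host.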
eri--

Can you send me your /tmp/rules.debug? I cannot seem to reproduce this.

dr85

I have updated to "built on Sat Apr 18 12:46:37 EDT 2009".

              The "rules.debug" file:

              #System aliases

              loopback = "{ lo0 }"
              WAN = "{ em2 }"
              LAN = "{ em0 }"
              DMZ = "{ em1 }"

# User Aliases

              DMZ_Special_IP = "{ 89.202.157.133/32 124.238.254.52/32 124.238.254.53/32 220.165.9.102/32 69.64.6.11/32 }"
              DNS_Server = "{ 172.20.211.1 }"
              NOd32_Server = "{ 172.20.211.1 }"
              OUTDNS = "{ 172.16.0.1 172.16.0.2 }"
              SafeWeb = "{ 218.90.160.243 61.132.87.170 172.16.0.170 211.153.23.37 59.151.28.198 222.191.227.8 218.90.160.26 61.160.99.109 }"
              Web = "{ 172.20.211.1 }"
              YEY = "{ 192.168.0.69/32 192.168.0.70/32 192.168.0.71/32 192.168.0.72/29 192.168.0.80/32 192.168.0.81/32 192.168.0.82/32 }"
              block_lan = "{ 192.168.1.200 192.168.0.250 }"
              block_wan = "{ 121.14.95.120/32 124.115.1.198/32 219.133.38.246/32 219.133.38.247/32 219.133.38.248/32 219.133.38.249/32 219.133.38.250/32 219.133.41.15/32 219.133.41.168/32 219.133.41.240/32 222.73.78.22/32 222.73.78.24/32 222.73.78.25/32 222.73.78.30/32 222.73.78.31/32 222.73.78.43/32 58.221.29.154/32 58.251.62.79/32 58.251.62.85/32 58.60.11.31/32 58.60.11.34/32 58.60.9.41/32 58.60.9.62/32 58.60.9.63/32 58.60.9.64/32 58.61.166.136/32 60.173.112.123/32 60.191.202.41/32 218.18.95.153/32 121.0.19.170/32 124.237.77.154/32 60.190.24.236/32 61.188.87.137/32 61.153.153.195/32 61.153.153.194/32 61.153.153.100/32 61.153.153.196/32 61.153.153.197/32 61.153.153.198/32 61.153.153.101/32 61.153.153.202/32 202.102.245.46/32 121.11.65.162/32 218.60.13.98/32 61.183.8.19/32 61.155.236.210/32 61.164.121.50/32 116.252.178.11/32 59.175.144.130/32 61.131.203.96/32 61.131.203.91/32 61.131.203.94/32 }"
              flv_site = "{ 202.102.81.231/32 202.102.81.232/32 211.151.50.0/24 61.164.47.226/32 61.164.47.166/32 61.147.115.0/24 202.102.7.135/32 222.73.50.12/32 222.73.50.14/32 116.252.179.16/32 124.94.101.145/32 121.205.88.20/32 58.218.179.214/32 59.63.157.25/32 60.191.101.40/32 218.0.4.203/32 58.218.209.183/32 121.9.215.13/32 58.218.204.114/32 58.218.204.113/32 202.102.74.150/32 202.102.74.151/32 202.102.74.152/32 202.102.74.153/32 202.102.74.156/32 202.102.74.249/32 221.238.19.153/32 58.215.110.223/32 58.215.106.190/32 208.65.153.253/32 220.181.61.148/32 220.181.61.149/32 220.181.61.150/32 220.181.61.151/32 }"
              limit_IP = "{ 192.168.0.8/29 192.168.0.16/28 192.168.0.32/27 192.168.0.64/26 192.168.0.128/26 192.168.0.192/26 192.168.1.8/29 192.168.1.16/28 192.168.1.32/27 192.168.1.64/28 192.168.1.128/26 192.168.1.192/26 }"
              limit_LAN = "{ 192.168.1.5/32 }"
              remote = "{ 192.168.1.1 192.168.1.2 192.168.1.4 192.168.1.5 192.168.1.6 192.168.1.10 192.168.0.40 192.168.0.50 192.168.1.3 192.168.0.3 192.168.0.111 }"
              student = "{ 192.168.1.61/32 192.168.1.62/32 192.168.1.63/32 192.168.1.64/27 192.168.1.96/29 192.168.1.104/30 192.168.1.108/32 192.168.1.11/32 192.168.1.12/30 192.168.1.16/28 192.168.1.32/28 192.168.1.48/29 192.168.1.56/32 192.168.1.57/32 192.168.1.58/32 192.168.0.11/32 192.168.0.12/30 192.168.0.16/28 192.168.0.32/28 192.168.0.48/29 192.168.0.56/30 192.168.0.60/32 }"

              set loginterface em2
              set loginterface em0
              set loginterface em1
              set optimization normal
              set limit states 50000

              set skip on pfsync0

              scrub in on $WAN all    fragment reassemble
              scrub in on $LAN all    fragment reassemble
              scrub in on $DMZ all    fragment reassemble

              dnpipe 1 bandwidth 512Kb mask src-ip 0xffffffff

              dnpipe 2 bandwidth 512Kb mask dst-ip 0xffffffff

nat-anchor "natearly/*"
nat-anchor "natrules/*"

# Outbound NAT rules

# Subnets to NAT

              tonatsubnets = "{ 192.168.0.0/23 172.20.211.0/24  }"
              no nat on $WAN to port tftp
              nat on $WAN from $tonatsubnets port 500 to any port 500 -> 172.17.1.141/32 port 500
              nat on $WAN from $tonatsubnets port 4500 to any port 4500 -> 172.17.1.141/32 port 4500
              nat on $WAN from $tonatsubnets port 5060 to any port 5060 -> 172.17.1.141/32 port 5060
              nat on $WAN from $tonatsubnets to any -> 172.17.1.141/32 port 1024:65535

              #SSH Lockout Table
table <sshlockout> persist

# Load balancing anchor

              rdr-anchor "relayd/*"

# TFTP proxy

              rdr-anchor "tftp-proxy/*"

# NAT Inbound Redirects

              rdr on em0 proto udp from any to 192.168.0.1 port { 53 } -> 192.168.0.1
              rdr on em0 proto tcp from any to 192.168.0.1 port { 8081 } -> 172.20.211.1
              rdr on em2 proto tcp from any to 172.17.1.141 port { 1194 } -> 192.168.0.1
              rdr on em1 proto udp from any to 172.20.211.254 port { 53 } -> 192.168.0.1

# Setup Squid proxy redirect

              rdr on em0 proto tcp from any to !(em0) port 80 -> 127.0.0.1 port 80

# IMSpector rdr anchor

              rdr-anchor "imspector"

# UPnPd rdr anchor

              rdr-anchor "miniupnpd"

              anchor "relayd/*"
              anchor "firewallrules"
#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
              block in log all label "Default deny rule"
              block out log all label "Default deny rule"

# We use the mighty pf, we cannot be fooled.

              block quick proto { tcp, udp } from any port = 0 to any
              block quick proto { tcp, udp } from any to any port = 0

# Block all IPv6

              block in quick inet6 all
              block out quick inet6 all

# snort2c

table <snort2c> persist
block quick from <snort2c> to any label "Block snort2c hosts"
block quick from any to <snort2c> label "Block snort2c hosts"

# package manager early specific hook

              anchor "packageearly"

# carp

              anchor "carp"

# SSH lockout

block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"
table <virusprot>
block in quick from <virusprot> to any label "virusprot overload table"
              antispoof for em2
              antispoof for em0

# allow access to DHCP server on LAN

              anchor "dhcpserverLAN"
              pass in on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
              pass in on $LAN proto udp from any port = 68 to 192.168.0.1 port = 67 label "allow access to DHCP server"
              pass out on $LAN proto udp from 192.168.0.1 port = 67 to any port = 68 label "allow access to DHCP server"
              antispoof for em1
              anchor "spoofing"

# loopback

              anchor "loopback"
              pass in on $loopback all label "pass loopback"
              pass out on $loopback all label "pass loopback"

              anchor "firewallout"

# let out anything from the firewall host itself and decrypted IPsec traffic

              pass out all keep state label "let out anything from firewall host itself"

# make sure the user cannot lock himself out of the webConfigurator or SSH

              anchor "anti-lockout"
              pass in quick on em0 from any to (em0) keep state label "anti-lockout rule"

# NAT Reflection rules

# package manager late specific hook

              anchor "packagelate"

# User-defined aliases follow

table <safeweb> {  218.90.160.243 61.132.87.170 172.16.0.170 211.153.23.37 59.151.28.198 222.191.227.8 218.90.160.26 61.160.99.109 }
table <remote> {  192.168.1.1 192.168.1.2 192.168.1.4 192.168.1.5 192.168.1.6 192.168.1.10 192.168.0.40 192.168.0.50 192.168.1.3 192.168.0.3 192.168.0.111 }
table <outdns> {  172.16.0.1 172.16.0.2 }
table <dns_server> {  172.20.211.1 }
table <web> {  172.20.211.1 }
table <limit_lan> {  192.168.1.5/32 }
table <block_wan> {  121.14.95.120/32 124.115.1.198/32 219.133.38.246/32 219.133.38.247/32 219.133.38.248/32 219.133.38.249/32 219.133.38.250/32 219.133.41.15/32 219.133.41.168/32 219.133.41.240/32 222.73.78.22/32 222.73.78.24/32 222.73.78.25/32 222.73.78.30/32 222.73.78.31/32 222.73.78.43/32 58.221.29.154/32 58.251.62.79/32 58.251.62.85/32 58.60.11.31/32 58.60.11.34/32 58.60.9.41/32 58.60.9.62/32 58.60.9.63/32 58.60.9.64/32 58.61.166.136/32 60.173.112.123/32 60.191.202.41/32 218.18.95.153/32 121.0.19.170/32 124.237.77.154/32 60.190.24.236/32 61.188.87.137/32 61.153.153.195/32 61.153.153.194/32 61.153.153.100/32 61.153.153.196/32 61.153.153.197/32 61.153.153.198/32 61.153.153.101/32 61.153.153.202/32 202.102.245.46/32 121.11.65.162/32 218.60.13.98/32 61.183.8.19/32 61.155.236.210/32 61.164.121.50/32 116.252.178.11/32 59.175.144.130/32 61.131.203.96/32 61.131.203.91/32 61.131.203.94/32 }
table <flv_site> {  202.102.81.231/32 202.102.81.232/32 211.151.50.0/24 61.164.47.226/32 61.164.47.166/32 61.147.115.0/24 202.102.7.135/32 222.73.50.12/32 222.73.50.14/32 116.252.179.16/32 124.94.101.145/32 121.205.88.20/32 58.218.179.214/32 59.63.157.25/32 60.191.101.40/32 218.0.4.203/32 58.218.209.183/32 121.9.215.13/32 58.218.204.114/32 58.218.204.113/32 202.102.74.150/32 202.102.74.151/32 202.102.74.152/32 202.102.74.153/32 202.102.74.156/32 202.102.74.249/32 221.238.19.153/32 58.215.110.223/32 58.215.106.190/32 208.65.153.253/32 220.181.61.148/32 220.181.61.149/32 220.181.61.150/32 220.181.61.151/32 }
table <block_lan> {  192.168.1.200 192.168.0.250 }
table <nod32_server> {  172.20.211.1 }
table <yey> {  192.168.0.69/32 192.168.0.70/32 192.168.0.71/32 192.168.0.72/29 192.168.0.80/32 192.168.0.81/32 192.168.0.82/32 }

# User-defined rules follow

pass  in log  quick  on $WAN reply-to ( em2 172.17.1.142 )  from <safeweb> to 192.168.0.0/23 keep state  label "USER_RULE: SafeWeb in"
pass  in log  quick  on $WAN reply-to ( em2 172.17.1.142 )  from any to <remote> keep state  label "USER_RULE: any2 remote"
pass  in log  quick  on $WAN reply-to ( em2 172.17.1.142 )  proto udp  from <outdns> to <dns_server> port = 53 keep state  label "USER_RULE: OUT DNS 2 DNS Server"
pass  in log  quick  on $WAN reply-to ( em2 172.17.1.142 )  proto tcp  from any to <web> port = 80 keep state  label "USER_RULE: Web"
pass  in log  quick  on $WAN reply-to ( em2 172.17.1.142 )  proto tcp  from any to {  192.168.0.1 } port = 1194 keep state  label "USER_RULE: NAT openvpn "
block  in log  quick  on $WAN reply-to ( em2 172.17.1.142 )  from any to any  label "USER_RULE: block wan  2 any"
pass  in log  quick  on $DMZ  from any to any keep state  label "USER_RULE: DMZ-> any"
pass  in log  quick  on $LAN  from <limit_lan> to any keep state  dnpipe ( 1, 2)  label "USER_RULE: limit_LAN"
pass  in log  quick  on $LAN  from <remote> to any keep state  label "USER_RULE: remote 2 any"
block  in log  quick  on $LAN  from any to <block_wan> label "USER_RULE: LAN 2 block Web"
block  in log  quick  on $LAN  from any to <flv_site> label "USER_RULE: LAN 2 block flv Web"
block  in log  quick  on $LAN  from <block_lan> to any  label "USER_RULE: block_lan 2 any"
pass  in log  quick  on $LAN  from 192.168.0.0/23 to <safeweb> keep state  label "USER_RULE: LAN 2 Safe Web"
pass  in log  quick  on $LAN  proto tcp  from 192.168.0.0/23 to any port = 80 keep state  label "USER_RULE: HTTP"
pass  in log  quick  on $LAN  proto tcp  from 192.168.0.0/23 to <web> port = 81 keep state  label "USER_RULE: DMZ OA"
pass  in log  quick  on $LAN  proto tcp  from 192.168.0.0/23 to any port = 443 keep state  label "USER_RULE: HTTPS"
pass  in log  quick  on $LAN  proto tcp  from 192.168.0.0/23 to <nod32_server> port = 8081 keep state  label "USER_RULE: NOd32 Server"
pass  in log  quick  on $LAN  proto tcp  from <yey> to {  172.20.179.1 } port = 8080 keep state  label "USER_RULE: yey OA"
block  in  quick  on $LAN  from any to any  label "USER_RULE: block LAN 2 any"

# VPN Rules

# Setup squid pass rules for proxy

              pass in quick on em0 proto tcp from any to !(em0) port 80 flags S/SA keep state
              pass in quick on em0 proto tcp from any to !(em0) port 3128 flags S/SA keep state

              anchor "limitingesr"

# IMSpector

              anchor "imspector"

# uPnPd

anchor "miniupnpd"
