How to limiting UP/Downloads Per I.P.



  • I set Traffic Shaper->Limiter and use this in the Firewall: Rules,when I use this rule, this IP can't aceess Internet. Why?









  • Check if  you have errors in the log.

    Reasons of why are:
    1- the dummynet/ipfw module is not loaded. Run the command kldstat and check that dummynet/ipfw is in the list
    2- the pipe/limiter has not been created. Run the command ipfw pipe show to check that the pipes have been created.

    I suspect the first to be the issue since some changes have been done lately in there so please give feedback on this.



  • It's not work yet.
    when I change the Aliases limit_LAN "ipfw pipe list" not change.

    I installed the squid and squidGuard packages.

    kldstat

    Id Refs Address    Size     Name
    1    5 0xc0400000 a83e00   kernel
    2    1 0xc0e84000 6a2c4    acpi.ko
    3    1 0xc3379000 e000     ipfw.ko
    4    1 0xc33bd000 8000     dummynet.ko

    ipfw pipe list

    00001: 512.000 Kbit/s    0 ms   50 sl. 1 queues (64 buckets) droptail
        mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
    BKT Prot Source IP/port_ Dest. IP/port Tot_pkt/bytes Pkt/Byte Drp
    34 ip       192.168.1.5/0             0.0.0.0/0       17      920  0    0   0
    00002: 512.000 Kbit/s    0 ms   50 sl. 1 queues (64 buckets) droptail
        mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
    BKT Prot Source IP/port_ Dest. IP/port Tot_pkt/bytes Pkt/Byte Drp
    21 ip           0.0.0.0/0         192.168.1.5/0     27379  1760756 11  716   0




  • Can you send me your /tmp/rules.debug i cannot seem to reproduce this.



  • I has update to "built on Sat Apr 18 12:46:37 EDT 2009"

    The "rules.debug" file:

    #System aliases

    loopback = "{ lo0 }"
    WAN = "{ em2 }"
    LAN = "{ em0 }"
    DMZ = "{ em1 }"

    User Aliases

    DMZ_Special_IP = "{ 89.202.157.133/32 124.238.254.52/32 124.238.254.53/32 220.165.9.102/32 69.64.6.11/32 }"
    DNS_Server = "{ 172.20.211.1 }"
    NOd32_Server = "{ 172.20.211.1 }"
    OUTDNS = "{ 172.16.0.1 172.16.0.2 }"
    SafeWeb = "{ 218.90.160.243 61.132.87.170 172.16.0.170 211.153.23.37 59.151.28.198 222.191.227.8 218.90.160.26 61.160.99.109 }"
    Web = "{ 172.20.211.1 }"
    YEY = "{ 192.168.0.69/32 192.168.0.70/32 192.168.0.71/32 192.168.0.72/29 192.168.0.80/32 192.168.0.81/32 192.168.0.82/32 }"
    block_lan = "{ 192.168.1.200 192.168.0.250 }"
    block_wan = "{ 121.14.95.120/32 124.115.1.198/32 219.133.38.246/32 219.133.38.247/32 219.133.38.248/32 219.133.38.249/32 219.133.38.250/32 219.133.41.15/32 219.133.41.168/32 219.133.41.240/32 222.73.78.22/32 222.73.78.24/32 222.73.78.25/32 222.73.78.30/32 222.73.78.31/32 222.73.78.43/32 58.221.29.154/32 58.251.62.79/32 58.251.62.85/32 58.60.11.31/32 58.60.11.34/32 58.60.9.41/32 58.60.9.62/32 58.60.9.63/32 58.60.9.64/32 58.61.166.136/32 60.173.112.123/32 60.191.202.41/32 218.18.95.153/32 121.0.19.170/32 124.237.77.154/32 60.190.24.236/32 61.188.87.137/32 61.153.153.195/32 61.153.153.194/32 61.153.153.100/32 61.153.153.196/32 61.153.153.197/32 61.153.153.198/32 61.153.153.101/32 61.153.153.202/32 202.102.245.46/32 121.11.65.162/32 218.60.13.98/32 61.183.8.19/32 61.155.236.210/32 61.164.121.50/32 116.252.178.11/32 59.175.144.130/32 61.131.203.96/32 61.131.203.91/32 61.131.203.94/32 }"
    flv_site = "{ 202.102.81.231/32 202.102.81.232/32 211.151.50.0/24 61.164.47.226/32 61.164.47.166/32 61.147.115.0/24 202.102.7.135/32 222.73.50.12/32 222.73.50.14/32 116.252.179.16/32 124.94.101.145/32 121.205.88.20/32 58.218.179.214/32 59.63.157.25/32 60.191.101.40/32 218.0.4.203/32 58.218.209.183/32 121.9.215.13/32 58.218.204.114/32 58.218.204.113/32 202.102.74.150/32 202.102.74.151/32 202.102.74.152/32 202.102.74.153/32 202.102.74.156/32 202.102.74.249/32 221.238.19.153/32 58.215.110.223/32 58.215.106.190/32 208.65.153.253/32 220.181.61.148/32 220.181.61.149/32 220.181.61.150/32 220.181.61.151/32 }"
    limit_IP = "{ 192.168.0.8/29 192.168.0.16/28 192.168.0.32/27 192.168.0.64/26 192.168.0.128/26 192.168.0.192/26 192.168.1.8/29 192.168.1.16/28 192.168.1.32/27 192.168.1.64/28 192.168.1.128/26 192.168.1.192/26 }"
    limit_LAN = "{ 192.168.1.5/32 }"
    remote = "{ 192.168.1.1 192.168.1.2 192.168.1.4 192.168.1.5 192.168.1.6 192.168.1.10 192.168.0.40 192.168.0.50 192.168.1.3 192.168.0.3 192.168.0.111 }"
    student = "{ 192.168.1.61/32 192.168.1.62/32 192.168.1.63/32 192.168.1.64/27 192.168.1.96/29 192.168.1.104/30 192.168.1.108/32 192.168.1.11/32 192.168.1.12/30 192.168.1.16/28 192.168.1.32/28 192.168.1.48/29 192.168.1.56/32 192.168.1.57/32 192.168.1.58/32 192.168.0.11/32 192.168.0.12/30 192.168.0.16/28 192.168.0.32/28 192.168.0.48/29 192.168.0.56/30 192.168.0.60/32 }"

    set loginterface em2
    set loginterface em0
    set loginterface em1
    set optimization normal
    set limit states 50000

    set skip on pfsync0

    scrub in on $WAN all    fragment reassemble
    scrub in on $LAN all    fragment reassemble
    scrub in on $DMZ all    fragment reassemble

    dnpipe 1 bandwidth 512Kb mask src-ip 0xffffffff

    dnpipe 2 bandwidth 512Kb mask dst-ip 0xffffffff

    nat-anchor "natearly/"
    nat-anchor "natrules/
    "

    Outbound NAT rules

    Subnets to NAT

    tonatsubnets = "{ 192.168.0.0/23 172.20.211.0/24  }"
    no nat on $WAN to port tftp
    nat on $WAN from $tonatsubnets port 500 to any port 500 -> 172.17.1.141/32 port 500
    nat on $WAN from $tonatsubnets port 4500 to any port 4500 -> 172.17.1.141/32 port 4500
    nat on $WAN from $tonatsubnets port 5060 to any port 5060 -> 172.17.1.141/32 port 5060
    nat on $WAN from $tonatsubnets to any -> 172.17.1.141/32 port 1024:65535

    #SSH Lockout Table
    table <sshlockout>persist

    Load balancing anchor

    rdr-anchor "relayd/*"

    TFTP proxy

    rdr-anchor "tftp-proxy/*"

    NAT Inbound Redirects

    rdr on em0 proto udp from any to 192.168.0.1 port { 53 } -> 192.168.0.1
    rdr on em0 proto tcp from any to 192.168.0.1 port { 8081 } -> 172.20.211.1
    rdr on em2 proto tcp from any to 172.17.1.141 port { 1194 } -> 192.168.0.1
    rdr on em1 proto udp from any to 172.20.211.254 port { 53 } -> 192.168.0.1

    Setup Squid proxy redirect

    rdr on em0 proto tcp from any to !(em0) port 80 -> 127.0.0.1 port 80

    IMSpector rdr anchor

    rdr-anchor "imspector"

    UPnPd rdr anchor

    rdr-anchor "miniupnpd"

    anchor "relayd/*"
    anchor "firewallrules"
    #–-------------------------------------------------------------------------

    default deny rules

    #---------------------------------------------------------------------------
    block in log all label "Default deny rule"
    block out log all label "Default deny rule"

    We use the mighty pf, we cannot be fooled.

    block quick proto { tcp, udp } from any port = 0 to any
    block quick proto { tcp, udp } from any to any port = 0

    Block all IPv6

    block in quick inet6 all
    block out quick inet6 all

    snort2c

    table <snort2c>persist
    block quick from <snort2c>to any label "Block snort2c hosts"
    block quick from any to <snort2c>label "Block snort2c hosts"

    package manager early specific hook

    anchor "packageearly"

    carp

    anchor "carp"

    SSH lockout

    block in log quick proto tcp from <sshlockout>to any port 22 label "sshlockout"
    table <virusprot>block in quick from <virusprot>to any label "virusprot overload table"
    antispoof for em2
    antispoof for em0

    allow access to DHCP server on LAN

    anchor "dhcpserverLAN"
    pass in on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
    pass in on $LAN proto udp from any port = 68 to 192.168.0.1 port = 67 label "allow access to DHCP server"
    pass out on $LAN proto udp from 192.168.0.1 port = 67 to any port = 68 label "allow access to DHCP server"
    antispoof for em1
    anchor "spoofing"

    loopback

    anchor "loopback"
    pass in on $loopback all label "pass loopback"
    pass out on $loopback all label "pass loopback"

    anchor "firewallout"

    let out anything from the firewall host itself and decrypted IPsec traffic

    pass out all keep state label "let out anything from firewall host itself"

    make sure the user cannot lock himself out of the webConfigurator or SSH

    anchor "anti-lockout"
    pass in quick on em0 from any to (em0) keep state label "anti-lockout rule"

    NAT Reflection rules

    package manager late specific hook

    anchor "packagelate"

    User-defined aliases follow

    table <safeweb>{  218.90.160.243 61.132.87.170 172.16.0.170 211.153.23.37 59.151.28.198 222.191.227.8 218.90.160.26 61.160.99.109 }
    table <remote>{  192.168.1.1 192.168.1.2 192.168.1.4 192.168.1.5 192.168.1.6 192.168.1.10 192.168.0.40 192.168.0.50 192.168.1.3 192.168.0.3 192.168.0.111 }
    table <outdns>{  172.16.0.1 172.16.0.2 }
    table <dns_server>{  172.20.211.1 }
    table <web>{  172.20.211.1 }
    table <limit_lan>{  192.168.1.5/32 }
    table <block_wan>{  121.14.95.120/32 124.115.1.198/32 219.133.38.246/32 219.133.38.247/32 219.133.38.248/32 219.133.38.249/32 219.133.38.250/32 219.133.41.15/32 219.133.41.168/32 219.133.41.240/32 222.73.78.22/32 222.73.78.24/32 222.73.78.25/32 222.73.78.30/32 222.73.78.31/32 222.73.78.43/32 58.221.29.154/32 58.251.62.79/32 58.251.62.85/32 58.60.11.31/32 58.60.11.34/32 58.60.9.41/32 58.60.9.62/32 58.60.9.63/32 58.60.9.64/32 58.61.166.136/32 60.173.112.123/32 60.191.202.41/32 218.18.95.153/32 121.0.19.170/32 124.237.77.154/32 60.190.24.236/32 61.188.87.137/32 61.153.153.195/32 61.153.153.194/32 61.153.153.100/32 61.153.153.196/32 61.153.153.197/32 61.153.153.198/32 61.153.153.101/32 61.153.153.202/32 202.102.245.46/32 121.11.65.162/32 218.60.13.98/32 61.183.8.19/32 61.155.236.210/32 61.164.121.50/32 116.252.178.11/32 59.175.144.130/32 61.131.203.96/32 61.131.203.91/32 61.131.203.94/32 }
    table <flv_site>{  202.102.81.231/32 202.102.81.232/32 211.151.50.0/24 61.164.47.226/32 61.164.47.166/32 61.147.115.0/24 202.102.7.135/32 222.73.50.12/32 222.73.50.14/32 116.252.179.16/32 124.94.101.145/32 121.205.88.20/32 58.218.179.214/32 59.63.157.25/32 60.191.101.40/32 218.0.4.203/32 58.218.209.183/32 121.9.215.13/32 58.218.204.114/32 58.218.204.113/32 202.102.74.150/32 202.102.74.151/32 202.102.74.152/32 202.102.74.153/32 202.102.74.156/32 202.102.74.249/32 221.238.19.153/32 58.215.110.223/32 58.215.106.190/32 208.65.153.253/32 220.181.61.148/32 220.181.61.149/32 220.181.61.150/32 220.181.61.151/32 }
    table <block_lan>{  192.168.1.200 192.168.0.250 }
    table <nod32_server>{  172.20.211.1 }
    table <yey>{  192.168.0.69/32 192.168.0.70/32 192.168.0.71/32 192.168.0.72/29 192.168.0.80/32 192.168.0.81/32 192.168.0.82/32 }

    User-defined rules follow

    pass  in log  quick  on $WAN reply-to ( em2 172.17.1.142 )  from <safeweb>to 192.168.0.0/23 keep state  label "USER_RULE: SafeWeb in"
    pass  in log  quick  on $WAN reply-to ( em2 172.17.1.142 )  from any to <remote>keep state  label "USER_RULE: any2 remote"
    pass  in log  quick  on $WAN reply-to ( em2 172.17.1.142 )  proto udp  from <outdns>to <dns_server>port = 53 keep state  label "USER_RULE: OUT DNS 2 DNS Server"
    pass  in log  quick  on $WAN reply-to ( em2 172.17.1.142 )  proto tcp  from any to <web>port = 80 keep state  label "USER_RULE: Web"
    pass  in log  quick  on $WAN reply-to ( em2 172.17.1.142 )  proto tcp  from any to {  192.168.0.1 } port = 1194 keep state  label "USER_RULE: NAT openvpn "
    block  in log  quick  on $WAN reply-to ( em2 172.17.1.142 )  from any to any  label "USER_RULE: block wan  2 any"
    pass  in log  quick  on $DMZ  from any to any keep state  label "USER_RULE: DMZ-> any"
    pass  in log  quick  on $LAN  from <limit_lan>to any keep state  dnpipe ( 1, 2)  label "USER_RULE: limit_LAN"
    pass  in log  quick  on $LAN  from <remote>to any keep state  label "USER_RULE: remote 2 any"
    block  in log  quick  on $LAN  from any to <block_wan>label "USER_RULE: LAN 2 block Web"
    block  in log  quick  on $LAN  from any to <flv_site>label "USER_RULE: LAN 2 block flv Web"
    block  in log  quick  on $LAN  from <block_lan>to any  label "USER_RULE: block_lan 2 any"
    pass  in log  quick  on $LAN  from 192.168.0.0/23 to <safeweb>keep state  label "USER_RULE: LAN 2 Safe Web"
    pass  in log  quick  on $LAN  proto tcp  from 192.168.0.0/23 to any port = 80 keep state  label "USER_RULE: HTTP"
    pass  in log  quick  on $LAN  proto tcp  from 192.168.0.0/23 to <web>port = 81 keep state  label "USER_RULE: DMZ OA"
    pass  in log  quick  on $LAN  proto tcp  from 192.168.0.0/23 to any port = 443 keep state  label "USER_RULE: HTTPS"
    pass  in log  quick  on $LAN  proto tcp  from 192.168.0.0/23 to <nod32_server>port = 8081 keep state  label "USER_RULE: NOd32 Server"
    pass  in log  quick  on $LAN  proto tcp  from <yey>to {  172.20.179.1 } port = 8080 keep state  label "USER_RULE: yey OA"
    block  in  quick  on $LAN  from any to any  label "USER_RULE: block LAN 2 any"

    VPN Rules

    Setup squid pass rules for proxy

    pass in quick on em0 proto tcp from any to !(em0) port 80 flags S/SA keep state
    pass in quick on em0 proto tcp from any to !(em0) port 3128 flags S/SA keep state

    anchor "limitingesr"

    IMSpector

    anchor "imspector"

    uPnPd

    anchor "miniupnpd"</yey></nod32_server></web></safeweb></block_lan></flv_site></block_wan></remote></limit_lan></web></dns_server></outdns></remote></safeweb></yey></nod32_server></block_lan></flv_site></block_wan></limit_lan></web></dns_server></outdns></remote></safeweb></virusprot></virusprot></sshlockout></snort2c></snort2c></snort2c></sshlockout>


Log in to reply