BSD Shaper

BSD IPFW Shaper

 

 

Пример:

 

FreeBSD IPFW example firewall script to shape traffic for your LAN and WAN network.

#firewall command

fwcmd="/sbin/ipfw"

 

#interfaces

wifi=ath0

wire=fxp0

oif=tun0

vpn=tun1

internal="10.1.1.0/24,192.168.1.0/24,192.168.3.0/24"

 

fw="skipto 1000"

nat_in="skipto 2000"

nat_out="skipto 5000"

cs="skipto 3000"

 

# Force a flushing of the current rules before we reload.

$fwcmd -f flush

 

#Setup incoming and outgoing pipes

$fwcmd pipe 10 config bw 1024Kbit/s

$fwcmd pipe 20 config bw 384Kbit/s

 

################################################################################

# Setup bandwidth shaping queues

# Higher weight, high priorities

################################################################################

 

# High priority queue for tcp ACK

$fwcmd queue 1 config pipe 20 weight 90

 

# High priority queue for DNS

$fwcmd queue 2 config pipe 10 weight 70

$fwcmd queue 3 config pipe 20 weight 70

 

# High priority queue for SSH

$fwcmd queue 4 config pipe 10 weight 69

$fwcmd queue 5 config pipe 20 weight 69

 

# High priority queue for IMAP

$fwcmd queue 6 config pipe 10 weight 68

$fwcmd queue 7 config pipe 20 weight 68

 

# High priority queue for HTTP/FTP

$fwcmd queue 8 config pipe 10 weight 67

$fwcmd queue 9 config pipe 20 weight 67

 

# General low priority queue for home users

$fwcmd queue 10 config pipe 10 weight 50

$fwcmd queue 11 config pipe 20 weight 50

 

# Low priority queue for other users

$fwcmd queue 20 config pipe 10 weight 25

$fwcmd queue 21 config pipe 20 weight 25

 

################################################################################

#No shaping between internal networks

################################################################################

 

$fwcmd add 100 $fw ip from $internal to $internal out via ${wire}

$fwcmd add 110 $fw ip from $internal to $internal in via ${wire}

$fwcmd add 120 $fw ip from $internal to $internal out via ${wifi}

$fwcmd add 130 $fw ip from $internal to $internal in via ${wifi}

 

################################################################################

#Traffic shaping

################################################################################

 

#TCP ACK

$fwcmd add 140 queue 1 ip from any to any out via ${oif} tcpflags ack iplen 52

$fwcmd add 150 $fw ip from any to any out via ${oif} tcpflags ack iplen 52

 

#DNS

$fwcmd add 180 queue 3 ip from any to any 53 out via ${oif}

$fwcmd add 185 queue 2 ip from any 53 to any in via ${oif}

$fwcmd add 190 $fw ip from any to any 53 out via ${oif}

$fwcmd add 195 $fw ip from any to any 53 in via ${oif}

 

#SSH

$fwcmd add 210 queue 5 ip from $internal to any ssh out via ${oif}

$fwcmd add 215 queue 4 ip from any ssh to $internal in via ${oif}

$fwcmd add 220 $fw ip from $internal to any ssh out via ${oif}

$fwcmd add 225 $fw ip from $internal to any ssh in via ${oif}

 

#IMAP

$fwcmd add 250 queue 7 ip from $internal to any imap,imaps out via ${oif}

$fwcmd add 255 queue 6 ip from any imap,imaps to $internal in via ${oif}

$fwcmd add 260 $fw ip from $internal to any imap,imaps out via ${oif}

$fwcmd add 265 $fw ip from $internal to any imap,imaps in via ${oif}

 

#Web and ftp

$fwcmd add 290 queue 9 ip from me to any http,https,ftp out via ${oif}

$fwcmd add 295 queue 8 ip from any http,https,ftp to me in via ${oif}

$fwcmd add 300 $fw ip from me to any http,https,ftp out via ${oif}

$fwcmd add 305 $fw ip from any http,https,ftp to me in via ${oif}

 

#General traffic, assign higher priority for home users

$fwcmd add 310 queue 11 ip from $internal to any out via ${oif}

$fwcmd add 315 queue 10 ip from any to $internal in via ${oif}

$fwcmd add 320 $fw ip from $internal to any out via ${oif}

$fwcmd add 325 $fw ip from any to $internal in via ${oif}

 

#General traffic low priority

$fwcmd add 330 queue 21 ip from $internal to any out via ${oif}

$fwcmd add 335 queue 20 ip from any to $internal in via ${oif}

$fwcmd add 340 $fw ip from $internal to any out via ${oif}

$fwcmd add 345 $fw 20 ip from any to $internal in via ${oif}

 

####################################################################################

#firewall rules

####################################################################################

 

#Allow all localhost connections

$fwcmd add 1000 allow ip from any to any via lo0

 

#Allow openvpn tunnel

$fwcmd add 1130 allow ip from 192.168.2.0/24 to 192.168.2.1 1194 via ${wifi} keep-state

 

#transparent proxy

$fwcmd add 1200 fwd 192.168.1.1,3128 tcp from any to any http keep-state via ${wire}

$fwcmd add 1210 fwd 192.168.3.1,3128 tcp from any to any http keep-state via ${vpn}

$fwcmd add 1220 fwd 192.168.2.1,3128 tcp from 192.168.2.0/24 to any http keep-state via ${wifi}

 

$fwcmd add 1300 allow ip from any to any via ${wire}

$fwcmd add 1400 allow ip from any to any via ${vpn}

 

#####################################################################################

# Divert all packets coming in through the tunnel interface.

#####################################################################################

$fwcmd add 2000 divert natd all from any to any in via ${oif}

 

# Allow all connections that have dynamic rules built for them,

# but deny established connections that don't have a dynamic rule.

# See ipfw(8) for details.

$fwcmd add 3000 check-state

$fwcmd add 3100 deny ip from any to any in via $oif not verrevpath

 

#Allow any traffic from gateway interfaces out

$fwcmd add 3200 $nat_out ip from any to any out via ${oif} keep-state

 

#Wired network

 

#Wireless network

 

# Everyone on the Internet is allowed to connect to the following

# services on the machine. This example specifically allows connections

# to sshd and a webserver.

 

#$fwcmd add allow tcp from 202.187.94.4 to any dst-port 22 in recv any setup keep-state

 

#Allow DNS queries

$fwcmd add 3300 $nat_out udp from any to any 53 keep-state

$fwcmd add 3310 $nat_out udp from any 53 to any keep-state

$fwcmd add 3400 $nat_out udp from any to any 3130 keep-state

$fwcmd add 3410 $nat_out udp from any 3130 to any keep-state

 

# Allow IRC DCC transfers

$fwcmd add 3500 $nat_out tcp from any to any dst-port 54000-54019 recv any setup keep-state

 

# Allow ICMP (for ping and traceroute to work).

$fwcmd add 4000 $nat_out icmp from any to any

 

#Allow IP fragments through

$fwcmd add 4100 pass all from any to any frag

 

# This sends a RESET to all ident packets.

$fwcmd add 4200 reset log tcp from any to me 113 in recv any

 

$fwcmd add 4300 deny log ip from any to any

 

#Outgoing packet traffic

 

$fwcmd add 5000 divert natd ip from any to any out via ${oif}

$fwcmd add 5100 allow ip from any to any