hi,
do you have the dummynet module loaded ?
what does "ipfw pipe show" say, before and
after the pipe's configuration ?
cheers
luigi
On Thu, Feb 13, 2014 at 9:06 AM, Marcelo Gondim <gondim at bsdinfo.com.br> wrote:
> Hi all,
>
> The following rules do not work anymore and block access to outside:
>
> ipfw add pipe 1 ip from 67.xxx.89.78 to any 80 out via xn0
> ipfw add pipe 2 ip from any 80 to 67.xxx.89.78 in via xn0
> ipfw pipe 1 config bw 1024Kbit/s queue 128 burst 2M
> ipfw pipe 2 config bw 1024Kbit/s queue 128 burst 2M
>
> Using these rules on the server, I cannot surf the Internet through the
> server. In FreeBSD 9.x these rules worked.
> Doing: links http://www.any_website.com does not work
>
> My Firewall rules:
> # ipfw show
>
> 00100 67191 13584242 allow ip from any to any via lo0
> 00200 0 0 deny ip from 127.0.0.0/8 to any
> 00300 0 0 deny ip from any to 127.0.0.0/8
> 00400 0 0 check-state
> 00500 0 0 deny ip from 192.168.0.0/16 to any in via xn0
> 00600 0 0 deny ip from 10.0.0.0/8 to any in via xn0
> 00700 0 0 deny ip from 172.16.0.0/12 to any in via xn0
> 00800 0 0 deny ip from 224.0.0.0/4 to any in via xn0
> 00900 0 0 deny ip from 255.255.255.255 to any in via xn0
> 01000 0 0 deny tcp from any to any in tcpflags fin,psh,urg recv xn0
> 01100 0 0 deny tcp from any to any in tcpflags !syn,!fin,!ack,!psh,!rst,!urg recv xn0
> 01200 0 0 deny tcp from any to any in tcpflags syn,fin recv xn0
> 01300 0 0 deny tcp from any to any in tcpflags fin,rst recv xn0
> 01400 0 0 deny ip from any to any in ipoptions ssrr,lsrr,rr,ts recv xn0
> 01500 78 2496 deny ip from table(99) to any in via xn0
> 01600 0 0 deny ip from table(1) to any
>
> 01700 276 16560 pipe 1 ip from 67.xxx.89.78 to any dst-port 80 out via xn0
> 01800 3 144 pipe 2 ip from any 80 to 67.xxx.89.78 in via xn0
>
> 01900 4 276 allow icmp from any to any icmptypes 3,11,12
> 02000 0 0 allow icmp from me to any icmptypes 0,8 keep-state
> 02100 1 75 deny icmp from any to any
> 02200 2226 298340 allow tcp from any to me dst-port 4321 in via xn0 setup keep-state
> 02300 1997 768000 allow tcp from any to me dst-port 995 in via xn0 setup keep-state
> 02400 1363 519377 allow tcp from any to me dst-port 25 in via xn0 setup keep-state
> 02500 733 549931 allow tcp from any to me dst-port 587 in via xn0 setup keep-state
> 02600 8952 8756999 allow tcp from any to me dst-port 80 in via xn0 setup keep-state
> 02700 2748 2125603 allow tcp from any to me dst-port 443 in via xn0 setup keep-state
> 02800 0 0 allow tcp from any to me dst-port 143 in via xn0 setup keep-state
> 02900 0 0 allow tcp from any to me dst-port 110 in via xn0 setup keep-state
> 03000 1094 360419 allow tcp from any to me dst-port 993 in via xn0 setup keep-state
> 03100 0 0 allow tcp from any to me dst-port 21 in via xn0 setup keep-state
> 03200 0 0 allow tcp from any to me dst-port 30000-50000 in via xn0 setup keep-state
> 03300 3558 1151840 allow tcp from me to any out setup keep-state
> 03400 6693 880724 allow ip from me to any out keep-state
> 65534 170 20283 deny log logamount 100 ip from any to any
> 65535 36 5424 allow ip from any to any
>
> When I remove the upload rule, navigation works again:
>
> # ipfw delete 1700
>
> links http://www.any_website.com works again.
>
> # uname -a
> FreeBSD mail.xxxxx.xxx.xx 10.0-STABLE FreeBSD 10.0-STABLE #2 r261419: Thu Feb 6 16:51:10 BRST 2014 root at mail.xxxxx.xxx.xx:/usr/obj/usr/src/sys/GONDIM amd64
>
> It seems that something has changed and that stopped the bandwidth control.
>
> []'s
> Gondim
--
-----------------------------------------+-------------------------------
Prof. Luigi RIZZO, rizzo at iet.unipi.it . Dip. di Ing. dell'Informazione
http://www.iet.unipi.it/~luigi/ . Universita` di Pisa
TEL +39-050-2211611 . via Diotisalvi 2
Mobile +39-338-6809875 . 56122 PISA (Italy)
-----------------------------------------+-------------------------------