Добрый день.
Есть необходимость в ограничении полосы для большого количества пользователей (600-700 одновременно работающих):
Используется FreeBsd 6.2 + pipes + natd.
IPFW :
#!/bin/sh
#Quietly flush out rules
#/usr/local/etc/list_tmp/ua.sh
/sbin/ipfw -q -f flush
cmd="/sbin/ipfw add"
fwcmd="/sbin/ipfw"
oif="em0" #External
iif="em1" #Internal
skip="skipto 800" $cmd allow ip from any to any via lo0
$cmd deny ip from any to 127.0.0.0/8
$cmd deny log ip from 127.0.0.0/8 to any
$cmd allow tcp from any to any 80 in via $oif
$cmd allow tcp from any to any 22 in via $oif setup keep-state
#FTP
$cmd allow tcp from any to any 20,21 in via $oif
$cmd pass tcp from any to me 50000-59999 setup
#NTP
$cmd allow udp from any to any 123 out via $oif
$cmd allow udp from 83.218.226.67 to any in via $oif
#DNS external
$cmd allow udp from any to any 53 in via $oif
# $cmd allow tcp from any to any out via $oif setup keep-state
# $cmd allow udp from any to any out via $oif keep-state
###SHAPING
$fwcmd table 1 add 192.168.32.0/24
# UA-IX Bandwidth control
$fwcmd pipe 1 config bw 1024Kbit/s queue 8 mask dst-ip 0xffffffff # in
$fwcmd pipe 2 config bw 512Kbit/s queue 8 mask src-ip 0xffffffff # out
# World Bandwidth control
$fwcmd pipe 3 config bw 512Kbit/s queue 8 mask dst-ip 0xffffffff # in
$fwcmd pipe 4 config bw 128Kbit/s queue 8 mask src-ip 0xffffffff # out
## Pipes work
$cmd pipe 2 ip from table\(1\) to table\(0\) keep-state out via ${oif}
$cmd pipe 4 ip from table\(1\) to any keep-state out via ${oif}
$cmd divert natd all from table\(1\) to any out via $oif
$cmd divert natd all from any to me in via $oif
$cmd pipe 1 ip from table\(0\) to table\(1\) in via ${oif}
$cmd pipe 3 ip from any to table\(1\) in via ${oif}
$cmd check-state
$cmd allow all from any to me in via $iif setup keep-state
$cmd allow icmp from any to any icmptypes 3
$cmd allow icmp from any to any icmptypes 4
$cmd allow icmp from any to any icmptypes 11 in
$cmd allow icmp from any to any icmptypes 8
$cmd allow icmp from any to any icmptypes 0 in
##### This section is for exposing services to the internet from the LAN
##### It is placed AFTER the NATD Divert rule, so these services can be
##### diverted in /etc/natd.conf
$cmd allow ip from any to any via em0
# $cmd 65000 deny all from any to any
cat /etc/sysctl.conf
net.inet.ip.fw.one_pass=0
net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=5
net.link.bridge.ipfw=1
net.inet.ip.dummynet.hash_size=2048
net.inet.ip.fw.dyn_buckets=2048
Table 0 - таблица содержащая подсети UA-IX
Table 1 - таблица содержащая внутренние подсети.
Проблема :
При вводе комманды
ipfw show
00100 252 20916 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny log logamount 5 ip from 127.0.0.0/8 to any
00400 0 0 allow tcp from any to any dst-port 80 in via em0
00500 0 0 allow tcp from any to any dst-port 22 in via em0 setup keep-state
00600 0 0 allow tcp from any to any dst-port 20,21 in via em0
00700 0 0 allow tcp from any to me dst-port 50000-59999 setup
00800 1 76 allow udp from any to any dst-port 123 out via em0
00900 0 0 allow udp from 83.218.226.67 to any in via em0
01000 0 0 allow udp from any to any dst-port 53 in via em0
01100 1670784 80197632 pipe 2 ip from table(1) to table(0) out via em0 keep-state
01200 0 0 pipe 4 ip from table(1) to any out via em0 keep-state
01300 0 0 divert 8668 ip from table(1) to any out via em0
01400 17 3333 divert 8668 ip from any to me in via em0
01500 14 1232 pipe 1 ip from table(0) to table(1) in via em0
01600 14 1232 pipe 3 ip from any to table(1) in via em0
01700 0 0 check-state
01800 0 0 allow ip from any to me in via em1 setup keep-state
01900 0 0 allow icmp from any to any icmptypes 3
02000 0 0 allow icmp from any to any icmptypes 4
02100 0 0 allow icmp from any to any icmptypes 11 in
02200 0 0 allow icmp from any to any icmptypes 8
02300 0 0 allow icmp from any to any icmptypes 0 in
02400 20 3519 allow ip from any to any via em0
65535 9215 1877957 allow ip from any to any
Как видно из листинга пакеты попадают в пайп но не проходят наружу.
Как результат - инет у клиентов не работает.
Кроме того как только добавляю в конец правил deny ip from any to any, рубится все :(.
Плюс гляньте пожалуйста на
net.inet.ip.fw.one_pass=0
net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=5
net.link.bridge.ipfw=1
net.inet.ip.dummynet.hash_size=2048
net.inet.ip.fw.dyn_buckets=2048
Их достаточно для нагрузки в 700 активных пользователей ?
Помогите пожалуйста..... пошел третий безсонный день ....
Вариант для распечатки
OpenNET: Виртуальная конференция (Public)
(??) on 11-Фев-09, 17:17 
