FreeBSD ipfw Traffic Shaping Firewall Script

by on June 11, 2007 · 4 comments

```sh
#!/bin/sh
# Based upon Khairil Yusof rules
# FreeBSD IPFW example firewall script to shape traffic for your LAN and WAN network.
#
# The shaping section relies on a packet re-entering the ruleset at the rule
# following a "queue" action, which requires net.inet.ip.fw.one_pass=0.
# With the default one_pass=1 the "$fw" rules that follow each queue rule
# are never evaluated for queued packets.

#firewall command
fwcmd="/sbin/ipfw"

#interfaces
wifi=ath0
wire=fxp0
oif=tun0
vpn=tun1
internal="10.1.1.0/24,192.168.1.0/24,192.168.3.0/24"

fw="skipto 1000"
nat_in="skipto 2000"
nat_out="skipto 5000"
cs="skipto 3000"

# Force a flushing of the current rules before we reload.
$fwcmd -f flush

#Setup incoming and outgoing pipes
$fwcmd pipe 10 config bw 1024Kbit/s
$fwcmd pipe 20 config bw 384Kbit/s

################################################################################
# Setup bandwidth shaping queues
# Higher weight, higher priority
################################################################################

# High priority queue for tcp ACK
$fwcmd queue 1 config pipe 20 weight 90

# High priority queue for DNS
$fwcmd queue 2 config pipe 10 weight 70
$fwcmd queue 3 config pipe 20 weight 70

# High priority queue for SSH
$fwcmd queue 4 config pipe 10 weight 69
$fwcmd queue 5 config pipe 20 weight 69

# High priority queue for IMAP
$fwcmd queue 6 config pipe 10 weight 68
$fwcmd queue 7 config pipe 20 weight 68

# High priority queue for HTTP/FTP
$fwcmd queue 8 config pipe 10 weight 67
$fwcmd queue 9 config pipe 20 weight 67

# General low priority queue for home users
$fwcmd queue 10 config pipe 10 weight 50
$fwcmd queue 11 config pipe 20 weight 50

# Low priority queue for other users
$fwcmd queue 20 config pipe 10 weight 25
$fwcmd queue 21 config pipe 20 weight 25

################################################################################
#No shaping between internal networks
################################################################################

$fwcmd add 100 $fw ip from $internal to $internal out via ${wire}
$fwcmd add 110 $fw ip from $internal to $internal in via ${wire}
$fwcmd add 120 $fw ip from $internal to $internal out via ${wifi}
$fwcmd add 130 $fw ip from $internal to $internal in via ${wifi}

################################################################################
#Traffic shaping
# Each "queue" rule is paired with a "$fw" rule carrying the same match, so the
# packet is shaped first and then jumps to the firewall rules at 1000.
################################################################################

#TCP ACK (a bare ACK with timestamp option is 52 bytes)
$fwcmd add 140 queue 1 ip from any to any out via ${oif} tcpflags ack iplen 52
$fwcmd add 150 $fw ip from any to any out via ${oif} tcpflags ack iplen 52

#DNS
$fwcmd add 180 queue 3 ip from any to any 53 out via ${oif}
$fwcmd add 185 queue 2 ip from any 53 to any in via ${oif}
$fwcmd add 190 $fw ip from any to any 53 out via ${oif}
$fwcmd add 195 $fw ip from any 53 to any in via ${oif}

#SSH
$fwcmd add 210 queue 5 ip from $internal to any ssh out via ${oif}
$fwcmd add 215 queue 4 ip from any ssh to $internal in via ${oif}
$fwcmd add 220 $fw ip from $internal to any ssh out via ${oif}
$fwcmd add 225 $fw ip from any ssh to $internal in via ${oif}

#IMAP
$fwcmd add 250 queue 7 ip from $internal to any imap,imaps out via ${oif}
$fwcmd add 255 queue 6 ip from any imap,imaps to $internal in via ${oif}
$fwcmd add 260 $fw ip from $internal to any imap,imaps out via ${oif}
$fwcmd add 265 $fw ip from any imap,imaps to $internal in via ${oif}

#Web and ftp
$fwcmd add 290 queue 9 ip from me to any http,https,ftp out via ${oif}
$fwcmd add 295 queue 8 ip from any http,https,ftp to me in via ${oif}
$fwcmd add 300 $fw ip from me to any http,https,ftp out via ${oif}
$fwcmd add 305 $fw ip from any http,https,ftp to me in via ${oif}

#General traffic, assign higher priority for home users
$fwcmd add 310 queue 11 ip from $internal to any out via ${oif}
$fwcmd add 315 queue 10 ip from any to $internal in via ${oif}
$fwcmd add 320 $fw ip from $internal to any out via ${oif}
$fwcmd add 325 $fw ip from any to $internal in via ${oif}

#General traffic low priority
# As written, rules 330-345 use the same match as 310-325 and are therefore
# never reached: 320/325 already skipto 1000 for all of $internal. To make the
# split effective, restrict the "home users" rules above to a narrower subnet
# than $internal so the remaining hosts fall through to these rules.
$fwcmd add 330 queue 21 ip from $internal to any out via ${oif}
$fwcmd add 335 queue 20 ip from any to $internal in via ${oif}
$fwcmd add 340 $fw ip from $internal to any out via ${oif}
$fwcmd add 345 $fw ip from any to $internal in via ${oif}

#######################################################################################
#firewall rules
#######################################################################################

#Allow all localhost connections
$fwcmd add 1000 allow ip from any to any via lo0

#Allow openvpn tunnel
$fwcmd add 1130 allow ip from 192.168.2.0/24 to 192.168.2.1 1194 via ${wifi} keep-state

#transparent proxy
$fwcmd add 1200 fwd 192.168.1.1,3128 tcp from any to any http keep-state via ${wire}
$fwcmd add 1210 fwd 192.168.3.1,3128 tcp from any to any http keep-state via ${vpn}
$fwcmd add 1220 fwd 192.168.2.1,3128 tcp from 192.168.2.0/24 to any http keep-state via ${wifi}

$fwcmd add 1300 allow ip from any to any via ${wire}
$fwcmd add 1400 allow ip from any to any via ${vpn}

########################################################################################
# Divert all packets coming in through the tunnel interface.
########################################################################################
$fwcmd add 2000 divert natd all from any to any in via ${oif}

# Allow all connections that have dynamic rules built for them,
# but deny established connections that do not have a dynamic rule.
# See ipfw(8) for details.
$fwcmd add 3000 check-state
$fwcmd add 3100 deny ip from any to any in via $oif not verrevpath

#Allow any traffic from gateway interfaces out
$fwcmd add 3200 $nat_out ip from any to any out via ${oif} keep-state

#Wired network

#Wireless network

# Everyone on the Internet is allowed to connect to the following
# services on the machine. This example specifically allows connections
# to sshd and a webserver.

#$fwcmd add allow tcp from 202.187.94.4 to any dst-port 22 in recv any setup keep-state

#Allow DNS queries
$fwcmd add 3300 $nat_out udp from any to any 53 keep-state
$fwcmd add 3310 $nat_out udp from any 53 to any keep-state
$fwcmd add 3400 $nat_out udp from any to any 3130 keep-state
$fwcmd add 3410 $nat_out udp from any 3130 to any keep-state

# Allow IRC DCC transfers
$fwcmd add 3500 $nat_out tcp from any to any dst-port 54000-54019 recv any setup keep-state

# Allow ICMP (for ping and traceroute to work).
$fwcmd add 4000 $nat_out icmp from any to any

#Allow IP fragments through
$fwcmd add 4100 pass all from any to any frag

# This sends a RESET to all ident packets.
$fwcmd add 4200 reset log tcp from any to me 113 in recv any

# Default deny: anything not matched above is dropped and logged.
$fwcmd add 4300 deny log ip from any to any

#Outgoing packet traffic

$fwcmd add 5000 divert natd ip from any to any out via ${oif}
$fwcmd add 5100 allow ip from any to any
```
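Because ipfw evaluates rules in order and a `skipto` is terminal for the matching packet, a later rule with an identical match clause can never fire. The following is an added example, not part of the original script, that reads rules in the page's `add N action match...` form and reports rules shadowed by an earlier terminating rule. The sample rule text is constructed here with the script's variables expanded, and the set of actions treated as terminating (`allow`, `pass`, `deny`, `drop`, `reset`, `skipto`) is an assumption that matches the one_pass=0 behaviour the script depends on.

```sh
#!/bin/sh
# Constructed sample modelled on the script's rules 310-345, variables expanded.
SAMPLE_RULES='add 310 queue 11 ip from 10.1.1.0/24 to any out via tun0
add 315 queue 10 ip from any to 10.1.1.0/24 in via tun0
add 320 skipto 1000 ip from 10.1.1.0/24 to any out via tun0
add 325 skipto 1000 ip from any to 10.1.1.0/24 in via tun0
add 330 queue 21 ip from 10.1.1.0/24 to any out via tun0
add 335 queue 20 ip from any to 10.1.1.0/24 in via tun0
add 340 skipto 1000 ip from 10.1.1.0/24 to any out via tun0
add 345 skipto 1000 ip from any to 10.1.1.0/24 in via tun0'

# find_shadowed: reads "add N action [arg] match..." lines on stdin (a leading
# "$fwcmd" token is tolerated) and prints "N shadowed by M" for every rule whose
# match clause repeats that of an earlier terminating rule M.
find_shadowed() {
    awk '
    {
        off = 0
        if ($1 != "add" && $2 == "add") off = 1   # skip a leading "$fwcmd"
        if ($(1 + off) != "add") next
        num = $(2 + off); act = $(3 + off)
        # Actions that take an argument: the match clause starts one field later.
        start = 4 + off
        if (act == "queue" || act == "pipe" || act == "skipto" || act == "fwd" || act == "divert")
            start = 5 + off
        spec = ""
        for (i = start; i <= NF; i++) spec = spec " " $i
        if (spec in seen) print num " shadowed by " seen[spec]
        # Assumption: these actions end evaluation for the packet (one_pass=0 for queue/pipe).
        if (act == "allow" || act == "pass" || act == "deny" || act == "drop" || act == "reset" || act == "skipto")
            if (!(spec in seen)) seen[spec] = num
    }'
}

# Usage: run the check over the constructed sample (or "ipfw list" output).
printf '%s\n' "$SAMPLE_RULES" | find_shadowed
```

Running it over the sample reports 330, 335, 340 and 345 as shadowed by 320 or 325, which is exactly the situation the "low priority" block in the script is in. Feeding it `ipfw list` output from a live box works the same way, since that output uses the same `N action match` layout minus the `add` keyword, so prepend it with `sed 's/^/add /'` first.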



  • Francisco

    I could not see what will make packets enter on rule 310 or 330?
    Both seem to be equal??

    #General traffic, assign higher priority for home users
    $fwcmd add 310 queue 11 ip from $internal to any out via ${oif}

    #General traffic low priority
    $fwcmd add 330 queue 21 ip from $internal to any out via ${oif}

    And… could you provide the “rc.conf” file for this example too ?

    Thanks
    Francisco

  • ace

    Thanks !

  • Nick Hibma

    Could someone change “don’t” to “do not” so the syntax highlighting isn’t confused?

    Thanks for the nice example for the queueing, and for how to separate statements into functional blocks.

  • nixcraft

    Heh.. done. Hope this helps. Appreciate your post!
