Friday, September 27, 2013

setting packet firewall on freebsd

ref: http://blog.stevedoria.net/20050906/ingress-policing-with-linux-and-tc
ref: https://calomel.org/pf_config.html

Ingress Policing with Linux and tc

I am simply amazed at the things GNU/Linux can now do, especially with regard to IP networking. I use pf under OpenBSD, a Unix-like operating system that is not Linux, to keep untrusted wireless access traffic from my trusted wired network at home. Lately, I have been working with Linux operating systems in a corporate environment and needed packet policing. It feels good to be able to get similar features to a Cisco device without the need to make a 4500USD purchase.
An ingress policy can decrease the amount of incoming traffic, but it depends on well-behaved TCP/IP stacks and a transport protocol that supports throttling on the sending hosts. The following commands install an ingress queue on eth0 and apply a filter that sets a policy rate of 512kbit.
tc qdisc add dev eth0 handle ffff: ingress
tc filter add dev eth0 parent ffff: protocol ip prio 50 \
   u32 match ip src 0.0.0.0/0 police rate 256kbit \
   burst 10k drop flowid :1
tc qdisc add dev eth0 root tbf \
   rate 256kbit latency 25ms burst 10k

I'm not sure about this.
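To show what the "police rate ... burst ... drop" filter above actually does to arriving packets, here is an added Python model (not code from the original post or from the referenced article) of a token-bucket policer using the page's own values, a 256kbit rate and a 10k burst, run over a constructed packet trace.

```python
# Added example: token-bucket model of the tc ingress filter
#   police rate 256kbit burst 10k drop
# tc reads "256kbit" as 256*1000 bit/s and "10k" as 10*1024 bytes.
# The packet stream fed to it below is constructed for illustration.

RATE_BPS = 256 * 1000      # police rate 256kbit
BURST_BYTES = 10 * 1024    # burst 10k

def police(packets, rate_bps=RATE_BPS, burst_bytes=BURST_BYTES):
    """Token-bucket policer. packets is a time-ordered list of
    (arrival_time_s, size_bytes). The bucket starts full, refills at
    rate_bps/8 bytes per second and never holds more than burst_bytes.
    A packet passes only if the bucket holds at least its size; otherwise
    it is dropped (the 'drop' exceed action) and consumes no tokens."""
    tokens = float(burst_bytes)
    last = packets[0][0] if packets else 0.0
    verdicts = []
    for t, size in packets:
        tokens = min(float(burst_bytes), tokens + (t - last) * rate_bps / 8)
        last = t
        if size <= tokens:
            tokens -= size
            verdicts.append((t, size, "pass"))
        else:
            verdicts.append((t, size, "drop"))
    return verdicts

def constant_stream(pps, size_bytes, seconds):
    """Constructed input: a sender blasting `pps` packets/s of a fixed size."""
    return [(i / pps, size_bytes) for i in range(int(pps * seconds))]

def summarize(verdicts):
    """Return (passed_bytes, dropped_bytes, accepted_bit_rate) for a run."""
    passed = sum(s for _, s, v in verdicts if v == "pass")
    dropped = sum(s for _, s, v in verdicts if v == "drop")
    duration = verdicts[-1][0] - verdicts[0][0] if len(verdicts) > 1 else 1.0
    return passed, dropped, passed * 8 / duration

if __name__ == "__main__":
    # 1500-byte packets at 100 pps is 1.2 Mbit/s, far above the 256 kbit policy:
    # the first 10k burst passes, then roughly one packet in five gets through.
    run = police(constant_stream(100, 1500, 2.0))
    passed, dropped, rate = summarize(run)
    print(f"passed {passed} B, dropped {dropped} B, accepted ~{rate / 1000:.0f} kbit/s")
```

The accepted rate comes out a little above 256 kbit/s over a short run because the initial burst allowance is counted in; a stream that stays under the rate (the second case in the test) is never dropped.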

#
### Calomel.org pf.conf
#
################ FreeBSD pf.conf ##########################
# Required order: options, normalization, queueing, translation, filtering.
# Note: translation rules are first match while filter rules are last match.
################ Macros ###################################

### Interfaces ###
 ExtIf ="mxge0"
 IntIf ="mxge1"

### Hosts ###
 Windows ="10.10.10.3"
 Xbox360 ="10.10.10.4"
 phone   ="10.10.10.5"
 WorkSsh ="123.123.123.123"

### Queues, States and Types ###
 IcmpPing ="icmp-type 8 code 0"
 SshQueue ="(ssh_bulk, ssh_login)"
 SynState ="flags S/SA synproxy state"
 TcpState ="flags S/SA modulate state"
 UdpState ="keep state"

### Stateful Tracking Options (STO) ###
 OpenSTO ="(max 90000, source-track rule, max-src-conn 1000, max-src-nodes 256)"
 SmtpSTO ="(max   200, source-track rule, max-src-conn   10, max-src-nodes 256, max-src-conn-rate 200/30)"
 SshSTO  ="(max   100, source-track rule, max-src-conn   10, max-src-nodes 100, max-src-conn-rate 100/30,  overload  flush global)"
 WebSTO  ="(max  4096, source-track rule, max-src-conn   64, max-src-nodes 512, max-src-conn-rate 500/100, overload  flush global)"

### Tables ###
 table  counters
 table  counters file "/somedir/block_permanent"
 table 

################ Options ######################################################
### Misc Options
 set skip on lo
 set debug urgent
 set block-policy drop
 set loginterface $ExtIf
 set state-policy if-bound
 set fingerprints "/etc/pf.os"
 set ruleset-optimization none

### Timeout Options
 set optimization normal
 set timeout { tcp.closing 60, tcp.established 7200}

################ Queueing ####################################################
# no quality of service (QOS) since it is not supported by the myricom 10gig
# mxge0 interface drivers and we would lose as much as 10% bandwidth anyways.
# for more information: https://calomel.org/pf_hfsc.html

################ Normalization ###############################################
# set-tos 0x1c is Maximize-Reliability + Minimize-Delay + Maximize-Throughput
scrub out log on $ExtIf      all random-id set-tos 0x1c fragment reassemble
scrub     log on $ExtIf inet all reassemble tcp fragment reassemble

################ Translation #################################################
### NAT and Redirection rules are first match

# NAT with static NAT for the XBOX360
 nat on $ExtIf from $Xbox360       to any -> ($ExtIf) static-port
 nat on $ExtIf from $IntIf:network to any -> ($ExtIf)

# Apache or Nginx (external users to an internal server?)
 rdr on $ExtIf inet proto tcp from  !($ExtIf) to ($ExtIf) port https -> 10.10.10.100
 rdr on $ExtIf inet proto tcp from  !($ExtIf) to ($ExtIf) port http  -> 10.10.10.100

# OpenSMTPD or Postfix with Spamd 
 rdr on $ExtIf inet proto tcp from ! to ($ExtIf) port smtp -> 10.10.10.200 port spamd
 rdr on $ExtIf inet proto tcp from   to ($ExtIf) port smtp -> 10.10.10.250

# Openssh 
 rdr on $ExtIf inet proto tcp from $WorkSsh to ($ExtIf) port ssh -> lo0
 rdr on $IntIf inet proto tcp from $Windows to  $IntIf  port ssh -> lo0

# Apache or Nginx (internal webserver for the LAN to localhost?)
 rdr on $IntIf inet proto tcp from  !($IntIf) to ($IntIf) port http  -> lo0
 rdr on $IntIf inet proto tcp from  !($IntIf) to ($IntIf) port https -> lo0

# Bind or Unbound DNS for LAN machines
 rdr on $IntIf inet proto udp from $IntIf:network to $IntIf port domain -> lo0

# Ntpd time server for the LAN
 rdr on $IntIf inet proto udp from $IntIf:network to $IntIf port ntp -> lo0

# Anchors
 rdr-anchor "games"

# Ftp ( secure ftp-proxy for the internal LAN )
 nat-anchor "ftp-proxy/*"
 rdr-anchor "ftp-proxy/*"
 rdr pass on $IntIf proto tcp from $IntIf:network to any port 21 -> 127.0.0.1 port 8021

# DENY rogue redirection
 no rdr

################ Filtering ###################################################
# Rules are best (closest) match. Notice we optimized the rules so external
# interface parsing is first followed by the internal interface. 

### $ExtIf block abusive hosts in temp and perm tables
 block drop in  log quick on $ExtIf           from  to any
 block drop in  log quick on $ExtIf proto udp from  to any
 block drop in  log quick on $ExtIf proto tcp from  to any port != ssh

### $ExtIf default block with drop
 block drop in log on $ExtIf

### $ExtIf inbound
 pass in log on $ExtIf inet proto tcp  from !($ExtIf)      to 10.10.10.100 port https $TcpState $WebSTO
 pass in log on $ExtIf inet proto tcp  from !($ExtIf)      to 10.10.10.100 port www   $TcpState $WebSTO
 pass in log on $ExtIf inet proto tcp  from   to 10.10.10.250 port smtp  $TcpState $SmtpSTO
 pass in log on $ExtIf inet proto tcp  from ! to 10.10.10.200 port spamd $TcpState $SmtpSTO
 pass in log on $ExtIf inet proto tcp  from  $WorkSsh      to lo0 port ssh   $TcpState $SshSTO

### $ExtIf outbound
 pass out log on $ExtIf inet proto tcp  from ($ExtIf) to !($ExtIf) $TcpState $OpenSTO
 pass out log on $ExtIf inet proto udp  from ($ExtIf) to !($ExtIf) $UdpState $OpenSTO
 pass out log on $ExtIf inet proto icmp from ($ExtIf) to !($ExtIf) $UdpState $OpenSTO

### $IntIf default block with return (TCP reset)
 block return in log on $IntIf inet

### $IntIf inbound (restrict LAN clients to external machines here)
 pass in log on $IntIf inet proto tcp  from  $IntIf:network to  any     port https  $TcpState $OpenSTO
 pass in log on $IntIf inet proto tcp  from  $IntIf:network to  any     port www    $TcpState $OpenSTO
 pass in log on $IntIf inet proto tcp  from  $Windows       to  lo0     port ssh    $TcpState $OpenSTO
 pass in log on $IntIf inet proto udp  from  $IntIf:network to  lo0     port domain $UdpState $OpenSTO
 pass in log on $IntIf inet proto udp  from  $IntIf:network to  lo0     port ntp    $UdpState $OpenSTO
 pass in log on $IntIf inet proto icmp from  $IntIf:network to $IntIf  $IcmpPing   $UdpState $OpenSTO

### $IntIf ftp secure proxy for LAN
 anchor "ftp-proxy/*" in on $IntIf inet proto tcp

### $IntIf outbound
 pass out log on $IntIf inet proto tcp  from $IntIf to $IntIf:network $TcpState
 pass out log on $IntIf inet proto udp  from $IntIf to $IntIf:network $UdpState
 pass out log on $IntIf inet proto icmp from $IntIf to $IntIf:network $UdpState

### Games ( Xbox 360, Xbox ONE, PS3, PS4 and PC )
 anchor "games"

############# END of FreeBSD pf.conf https://calomel.org #######################
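The "max-src-conn-rate 100/30 ... overload <table> flush global" clause in the $SshSTO macro above is what makes the ruleset push a source that opens too many ssh connections into a block table and kill its existing states. As an added illustration (not part of the calomel.org ruleset), the Python below replays a constructed connection log through a simplified sliding-window model of that option; the overload table name is a placeholder, and the window counting is a simplification of pf's own rate accounting.

```python
# Added example: model of pf's max-src-conn-rate <n>/<s> with overload/flush
# global, using the 100/30 values from the $SshSTO macro. Not pf code.
from collections import defaultdict, deque

LIMIT, WINDOW = 100, 30        # max-src-conn-rate 100/30, as in $SshSTO
OVERLOAD_TABLE = "<overload>"  # placeholder for the table named after "overload"

def track(conn_log, limit=LIMIT, window=WINDOW):
    """Replay a time-ordered list of (time_s, src_ip) new-connection attempts.
    Simplified model: a sliding window counts a source's new connections in
    the last `window` seconds; pf's internal rate accounting differs in detail.
    Returns (overloaded_sources, states_flushed_per_source, events)."""
    recent = defaultdict(deque)   # src -> arrival times still inside the window
    states = defaultdict(int)     # src -> states this source currently holds
    overloaded, flushed, events = set(), {}, []
    for t, src in conn_log:
        if src in overloaded:             # already in the table: block rules drop it
            events.append((t, src, "blocked by table"))
            continue
        q = recent[src]
        q.append(t)
        while q and q[0] <= t - window:   # forget attempts older than the window
            q.popleft()
        if len(q) > limit:
            overloaded.add(src)           # "overload <table>": source enters the table
            flushed[src] = states[src]    # "flush global": its existing states are killed
            states[src] = 0
            events.append((t, src, f"overload -> {OVERLOAD_TABLE}, flushed"))
        else:
            states[src] += 1
            events.append((t, src, "pass"))
    return overloaded, flushed, events

def sample_log():
    """Constructed input: an admin logging in a few times, plus one source
    hitting the ssh rule with 120 connection attempts in 24 seconds."""
    admin = [(i * 10.0, "203.0.113.10") for i in range(6)]
    noisy = [(0.5 + i * 0.2, "198.51.100.7") for i in range(120)]
    return sorted(admin + noisy)

if __name__ == "__main__":
    overloaded, flushed, events = track(sample_log())
    print("overloaded:", overloaded, "states flushed:", flushed)
    print("blocked after overload:", sum(v == "blocked by table" for *_, v in events))
```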

Thursday, September 26, 2013

monowall secondary ip address

ref: http://www.castro.aus.net/~maurice/monowall/natrealip.html

The firewall does not appear to be able to NAT on a secondary IP on a single interface. By installing the third physical interface, I was able to create a working NAT range.

The second IP will not have internet access; my solution: add a new network interface :)


ipv6 with monowall

ref: http://superuser.com/questions/317896/how-to-configure-monowall-to-use-tunnelbroker

Once you've signed up with TunnelBroker.net, their "tunnel details" page will supply you with information about your tunnel:
IPv6 Tunnel Endpoints
- Server IPv4 Address: 209.51.181.2
- Server IPv6 Address: 2001:470:1f3a:1178::1 /64
- Client IPv6 Address: 2001:470:1f3a:1178::2 /64
Routed IPv6 Prefixes
- Routed /64: 2001:470:1f3a:1178:: /64

To configure TunnelBroker in m0n0wall:

  1. By default all IPv6 support is disabled. In order for IPv6 configuration settings to appear you must enable IPv6 support. Under System -> Advanced, check Enable IPv6 support, and click Save.
  2. In order to establish, or maintain a tunnel with Hurricane Electric, they must be able to ping you (over IPv4). This means that you must respond to ICMP packets on the WAN interface. Under Firewall->IPv4 Rules, select the WAN tab. Click the add new rule button, and create the rule:
    • Action: Pass
    • Interface: WAN
    • Protocol: ICMP
    • ICMP type: any
    • Description: Allow IPv4 ICMP packets
    and click Save.
  3. Next configure the WAN interface's IPv6 settings. Click Interfaces->WAN. Under IPv6 configuration:
    • IPv6 mode: Tunnel
    • IPv6 address: 2001:470:1f3a:1178::2/64 (Client IPv6 Address from tunnel details page)
    • IPv6 tunnel endpoint: 209.51.181.2 (Server IPv4 Address from tunnel details page)
    and click Save.
  4. Next configure the LAN interface's IPv6 settings. Click Interfaces->LAN:
    • IPv6 mode: static
    • IPv6 address: 2001:470:1f3a:1178::/64 (Routed /64 from tunnel details page)
    • IPv6 RA: check Send IPv6 router advertisements
    • MTU: 1280 bytes
    and click Save.
  5. By default in monowall all outbound IPv4 traffic is permitted. With IPv6 we must manually create the similar rule to allow all outbound traffic. Click Firewall->IPv6 Rules and select the LAN tab, and click add new rule, and create the rule:
    • Action: Pass
    • Interface: LAN
    • Protocol: any
    • Source
      Type: LAN subnet
    • Destination
      Type: any
    • Description: IPv6 LAN -> any
    and click Save.
  6. Visit test-ipv6.com, to check that your IPv6 connectivity is working.
Tested with monowall v1.33

monowall traffic shaping

ref: http://wiki.abiquo.com/display/ABI20/How+to+Configure+a+Gateway+with+m0n0wall

8. Traffic Shaping Example

This is a simple example of how to configure traffic shaping in your firewall.

8.1. Before you begin, check the maximum download rate

In order to determine the size of the pipes, you need to know the average download rate of your WAN interface. To do so, you need to run the following command on a machine in that WAN:
$ curl -o /dev/null http://speedtest.wdc01.softlayer.com/downloads/test500.zip
A download of a very large file will start. After some minutes, you can cancel it (by pressing Ctrl+C) and take a look at the download statistics. You'll see something like this:
The value under the Average Download column is what you need. In this network, after a 91-second test, we obtained an Average Download Rate of 211Kb/s. To make sure we're not surpassing it, we will subtract 10% from this value and use it as a maximum. We'll assume we have a maximum bandwidth of 190 Kb/s.
Reliability of this value
The more time you spend testing, the more reliable the final value will be.

8.2. Setting Up the Pipes

For our example we will set up two pipes: one limited to 150 Kb/s for high-speed connections, and one limited to 40 Kb/s for low-speed connections.

8.3. Setting Up the Queues

In our high-speed connections, we want to have two queues: one for high-priority connections (weight 90) and one for low-priority connections (weight 30).

8.4. Setting Up the Rules

After defining our pipes and queues graph, we need to define the rules to filter the actual traffic:
  • SSH connections will be redirected to High-priority queue beneath High-speed pipe.
  • HTTP connections will be redirected to Low-priority queue beneath High-speed pipe.
  • All other connections will be redirected to Low-speed pipe.
Activate traffic shaping
After making all changes, make sure you check the option Enable traffic shaping in the Rules section.