





Configuration of the FreeBSD firewall. Port redirection and bandwidth limiting

The firewall configuration lives in /etc/rc.firewall. Since rc.conf tells the firewall script that we run a "simple" firewall, the rules that are actually loaded are those in the "simple" section of that file. The defaults there are usually enough, especially for the plain NAT firewall we have just built.

Port redirection

Normally a firewall setup includes a DMZ, a third network interface where the publicly accessible servers are located. One of these could be a mail relay that handles and sorts incoming mail before it reaches the central mail system, such as MS Exchange (known for its lack of relay control features). Many corporate installations add something that scans, filters and validates inbound and outbound mail, such as MailSweeper; that server would live on the DMZ. There are two ways to make such a server reachable from the outside: port redirection and address redirection. For the sake of argument, assume the DMZ is the class C network 10.0.0.0 (netmask 255.255.255.0), the DMZ interface is 10.0.0.1 and the MailSweeper machine is 10.0.0.2.

The easier one is port redirection. In /etc/rc.conf, change:

natd_flags=""

to:

natd_flags="-redirect_port tcp 10.0.0.2:25 25"

This redirects TCP port 25 on the natd_interface to port 25 on 10.0.0.2. Note that natd only rewrites the packet; the rules in /etc/rc.firewall still have to let it through, and since the divert rule comes before the pass rules, a packet arriving for port 25 already carries the destination 10.0.0.2 by the time the pass rules see it. The pass rule must therefore name 10.0.0.2, not the outside address.

Similarly, to redirect all traffic for one outside IP address to a DMZ host (also known as "static NAT"), change:

natd_flags=""

to:

natd_flags="-redirect_address 10.0.0.2 80.80.80.80"

Here 80.80.80.80 is either the address of the natd_interface itself or another public address configured as an alias on that (the "outside") interface. With static NAT every port of 80.80.80.80 maps to 10.0.0.2, so it is the firewall rules, not natd, that decide which services are actually reachable.
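As an added example (not code from the original page, nor FreeBSD's own rc.firewall), the following script collects the rc.conf settings and the ipfw rules that make the redirected mail relay reachable, written in the ${fwcmd} style that rc.firewall uses. The interface names (em0 outside, em1 DMZ), the inside network 192.168.1.0/24 and the internal mail server 192.168.1.10 are assumptions; the page only gives the DMZ addresses and the public address 80.80.80.80.

```shell
#!/bin/sh
# Added example: rc.conf settings and rc.firewall rules for a DMZ mail relay that is
# published with natd port redirection. Not from the original page or from FreeBSD's
# rc.firewall. Assumed (the page did not name them): outside interface em0 carrying
# 80.80.80.80, DMZ interface em1 (10.0.0.1/24), inside network 192.168.1.0/24 with
# the internal mail server (e.g. Exchange) at 192.168.1.10.
oif="em0"; oip="80.80.80.80"
dif="em1"; dnet="10.0.0.0/24"
inet="192.168.1.0/24"; mailhost="192.168.1.10"
relay="10.0.0.2"

# Lines for /etc/rc.conf. rc starts natd from these; this script does not.
rc_conf_lines() {
    cat <<EOF
gateway_enable="YES"
firewall_enable="YES"
firewall_type="simple"
natd_enable="YES"
natd_interface="${oif}"
natd_flags="-redirect_port tcp ${relay}:25 25"
EOF
}

# Rules for /etc/rc.firewall, in the order the "simple" section uses them.
# fwcmd is rc.firewall's own variable; set fwcmd=echo (or run this file with -n)
# to print the rules instead of loading them.
fwcmd="${fwcmd:-/sbin/ipfw -q}"

dmz_mail_rules() {
    # natd runs first: an inbound packet for ${oip}:25 leaves this rule with
    # destination ${relay}:25, so later rules must match the DMZ address, not ${oip}.
    ${fwcmd} add 300 divert natd all from any to any via ${oif}

    # Established TCP flows pass; new connections are judged by their SYN below.
    ${fwcmd} add 400 pass tcp from any to any established

    # Inbound SMTP for the relay, matched on the post-translation destination.
    ${fwcmd} add 500 pass tcp from any to ${relay} 25 setup

    # The relay may hand mail to the internal mail server, and nothing else from
    # the DMZ may reach the inside: a compromised relay must not become a foothold.
    ${fwcmd} add 600 pass tcp from ${relay} to ${mailhost} 25 setup
    ${fwcmd} add 700 deny log ip from ${dnet} to ${inet}

    # Every other connection attempt from the outside is refused and logged;
    # connections started from the inside or the DMZ (outbound mail from the
    # relay, LAN hosts talking to the relay) may proceed.
    ${fwcmd} add 800 deny log tcp from any to any in via ${oif} setup
    ${fwcmd} add 900 pass tcp from any to any setup
}

if [ "${1:-}" = "-n" ]; then
    fwcmd=echo
    echo "# /etc/rc.conf"; rc_conf_lines
    echo "# /etc/rc.firewall"; dmz_mail_rules
fi
```

Run it as "sh dmz_mail.sh -n" to print what would be loaded, or paste the body of dmz_mail_rules into the "simple" section of /etc/rc.firewall after the existing divert rule. natd accepts several -redirect_port options in natd_flags; a long list is easier to keep in a file read with natd's -f option (see natd(8)).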

Bandwidth limiting

FreeBSD comes with bandwidth management built into the firewall: dummynet. It is extremely useful for slowing down a fast link that would otherwise swamp (effectively DoS) a slower link behind it.

Let's assume that a lot of bandwidth goes to downloading movies from servers in the 1.1.1.0/24 network.

Add to your configuration in /etc/rc.firewall (rules there are issued through ${fwcmd}):

First add the rule that sends the traffic through the pipe:
${fwcmd} add pipe 1 ip from any to 1.1.1.0/24
Then configure the pipe:
${fwcmd} pipe 1 config bw 256Kbit/s
This limits traffic to the 1.1.1.0/24 network to 256 Kbit/s. Two caveats. First, the rule is directional: it shapes what we send to 1.1.1.0/24 (requests and ACKs), while the downloads themselves arrive from those servers, so a rule on "ip from 1.1.1.0/24 to any in" is what actually slows them down. Second, with the default net.inet.ip.fw.one_pass=1 a packet leaving a pipe is accepted without visiting the remaining rules, so a pipe rule is also a pass rule: place it where the matching pass rule would go, or set one_pass=0 so the packet continues at the next rule.

More realistically, the bandwidth used for mail transactions can be limited, so large mails don't chew up the entire internet connection:
First add the rule that sends the traffic through the pipe:
${fwcmd} add pipe 1 ip from any to 10.0.0.2

Then configure the pipe:
${fwcmd} pipe 1 config bw 256Kbit/s
This limits mail transactions to 256 Kbit/s. A pipe is one shared cap, so if pipe 1 is already in use for the example above, give the mail rule its own pipe number (pipe 2, say) rather than sharing the same 256 Kbit/s between both.
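The two shaping cases above, carried a bit further, as an added example (not code from the original page): pipes configured before the rules that feed them, one pipe per direction, the download rule matching the direction the bytes actually flow, and one_pass turned off so the pipe rules shape without also accepting. The outside interface em0, the DMZ interface em1 and the placement relative to a natd divert rule are assumptions; the networks 1.1.1.0/24 and 10.0.0.2 are the page's.

```shell
#!/bin/sh
# Added example, not code from the original page: dummynet shaping for the two cases
# in the text, in the ${fwcmd} style of /etc/rc.firewall. Names the page did not give
# are assumptions: outside interface em0, DMZ interface em1.
oif="em0"; dif="em1"
movienet="1.1.1.0/24"
relay="10.0.0.2"
fwcmd="${fwcmd:-/sbin/ipfw -q}"

# Line for /etc/sysctl.conf. With one_pass=1 (the default) a packet leaving a pipe is
# accepted without visiting the remaining rules, so a broad pipe rule silently turns
# into a pass rule. With one_pass=0 it is reinjected at the next rule and the filter
# stays in charge of what is allowed.
sysctl_conf_lines() {
    echo "net.inet.ip.fw.one_pass=0"
}

# Configure the pipes before any rule refers to them. One pipe is one aggregate cap,
# and a pipe only shapes the direction its rule matches, hence one pipe per direction.
configure_pipes() {
    ${fwcmd} pipe 1 config bw 256Kbit/s
    ${fwcmd} pipe 2 config bw 256Kbit/s
    ${fwcmd} pipe 3 config bw 256Kbit/s
}

# Rules for /etc/rc.firewall. Put them after the natd divert rule (so the mail rule
# already sees the DMZ address) and before the pass rules.
shaping_rules() {
    # Downloads are bytes sent BY 1.1.1.0/24; "to 1.1.1.0/24" would only shape our
    # requests and ACKs. Match what arrives from them on the outside interface.
    ${fwcmd} add 350 pipe 1 ip from ${movienet} to any in via ${oif}
    # Mail arriving for the relay from the internet ...
    ${fwcmd} add 360 pipe 2 tcp from any to ${relay} 25 in via ${oif}
    # ... and mail the relay sends out, caught on the DMZ interface before natd
    # rewrites its source address on the way out.
    ${fwcmd} add 370 pipe 3 tcp from ${relay} to any 25 in via ${dif}
}

if [ "${1:-}" = "-n" ]; then
    fwcmd=echo
    echo "# /etc/sysctl.conf"; sysctl_conf_lines
    echo "# /etc/rc.firewall"; configure_pipes; shaping_rules
fi
```

Run it as "sh shaping.sh -n" to print the resulting configuration. Each pipe is a separate 256 Kbit/s cap; if inbound and outbound mail should share one cap instead, point both mail rules at the same pipe.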

More information about other features, such as packet delay and forced random packet loss, can be found in the man pages ("man ipfw" and "man dummynet").


