Absolute BSD - The Ultimate Guide To FreeBSD (2002).pdf

Chapter 13: Managing Small Network Services

Even a server with a very narrow, specific purpose (like a Web server) needs a variety of smaller, helper services, like basic administration tools. In this chapter, we'll consider some smaller Internet servers, such as the time server, SSH, and inetd, and discuss the tools that FreeBSD makes available for them. We'll also discuss some basic tools that you'll use when managing larger servers, such as bandwidth management and secure certificates.

Note You'll see clearly marked references throughout this chapter to topics that we won't cover. When possible, I refer you to authoritative references for further information. (If you're running a high−volume Internet server—say, handling a million or more email messages an hour—you'll probably want to get your hands on a reference with something more than the few pages you'll find here!)

Bandwidth Control

Today's computing hardware is relatively inexpensive, and software is cheap, but the cost of Internet bandwidth is high. If your company offers "unlimited bandwidth" Web service to clients, you'll soon find yourself with a flooded Internet circuit and no corresponding income. As such, it can be vital to restrict the bandwidth any one site can consume, as well as the amount of bandwidth used by any one service. That's where dummynet comes in. Luigi Rizzo invented dummynet to simulate poor or lossy links so he could test network protocols under such adverse conditions. Dummynet is quite flexible; you'll even find an example on Rizzo's Web page (http://www.iet.unipi.it/~luigi/ip_dummynet/) simulating an ADSL link to the Moon! (Dummynet is part of IPFW, which we touched on in Chapter 8.)

Although designed to test network protocols, dummynet has since been used to throttle the amount of bandwidth used by any one network service—bandwidth control is simply one side result of this sort of experimentation. And, because dummynet works on specified ports, IP addresses, and protocols, you can use it to restrict the bandwidth usage of IPSec tunnels, sendmail, and such.

You must have IPFW compiled into your kernel to use dummynet. If you followed our example in Chapter 4, you should be all set, but to double-check, run kldstat -v | grep ipfw to list all IPFW modules. If you find that your kernel lacks IPFW support, add the following to your kernel configuration, rebuild, and reboot.

    options IPFIREWALL
    options IPFIREWALL_VERBOSE
    options DUMMYNET
    options IPFIREWALL_DEFAULT_TO_ACCEPT

Note Since we're using IPFW for bandwidth control instead of packet filtering, we set things to the default accept mode. If you're doing packet filtering with IPFW instead of IPF, leave out the "default to accept" option entirely.


Configuring IPFW

The IPFW packet filtering works by comparing each packet against a rule, in order. Rules say either that a packet is accepted, rejected, or dumped into some other function, such as divert(4) or dummynet.

Because we're using IPFilter for packet filtering, all we have to worry about is the subset of IPFW that handles traffic shaping. Dummynet requires two rules within this subset: an IPFW rule to redirect a packet to dummynet and a dummynet rule describing the bandwidth permitted. We'll see examples of both shortly.

We'll use ipfw(8) to configure IPFW, while logged in as root. Since (like many other programs) ipfw acts differently depending on its arguments, first check your initial rules with ipfw list.

    # ipfw list
    65535 allow ip from any to any
    #

As you can see in the preceding example, each line begins with a rule number, followed by the rule itself (the action and the traffic it matches). IPFW rules are numbered from 1 to 65535. Simple enough, it seems. Since we used the "default to accept" kernel option, the last possible rule (rule number 65535) passes all traffic. If we hadn't used that, the last possible rule would have been to deny all traffic.
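Before adding rules it is worth checking the listing programmatically: rule 65535 tells you whether the kernel is default-to-accept or default-to-deny, and a quick scan tells you whether the rule number you intend to use is free. The following sh functions are an added example, not code from the book; they take the text of ipfw list as an argument, so they run here against constructed sample listings, and on a live system you would pass them "$(ipfw list)".

```shell
#!/bin/sh
# Added example, not from the book: inspect the output of "ipfw list" before
# adding rules. default_policy reports whether rule 65535 accepts or denies
# (i.e. whether the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT), and
# rule_in_use tells whether a candidate rule number is already taken. Both
# take the listing as text, so they run against constructed samples here; on
# a real system feed them "$(ipfw list)".

# Constructed sample: a default-to-accept kernel with one bandwidth rule
# already installed.
SAMPLE_ACCEPT='00100 pipe 1 tcp from 192.168.99.100 80 to any
65535 allow ip from any to any'

# Constructed sample: a kernel built without the default-to-accept option.
SAMPLE_DENY='65535 deny ip from any to any'

# default_policy LISTING: print accept, deny or unknown for rule 65535.
default_policy() {
    printf '%s\n' "$1" | awk '
        $1 + 0 == 65535 {
            found = 1
            # ipfw accepts several spellings of the accept action.
            if ($2 == "allow" || $2 == "accept" || $2 == "pass" || $2 == "permit")
                print "accept"
            else
                print "deny"
        }
        END { if (!found) print "unknown" }'
}

# rule_in_use NUMBER LISTING: succeed if a rule with that number is present.
rule_in_use() {
    printf '%s\n' "$2" | awk -v n="$1" '
        BEGIN { rc = 1 }
        $1 + 0 == n + 0 { rc = 0 }
        END { exit rc }'
}

# Stand-alone demonstration against the constructed samples.
echo "default policy (sample 1): $(default_policy "$SAMPLE_ACCEPT")"
echo "default policy (sample 2): $(default_policy "$SAMPLE_DENY")"
if rule_in_use 100 "$SAMPLE_ACCEPT"; then
    echo "rule 100 is taken; pick another number"
fi
```

The numeric comparison ($1 + 0) is deliberate: some ipfw versions zero-pad rule numbers in the listing (00100), and a string comparison would miss them.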

To tell IPFW to send packets through dummynet, you must create an IPFW rule to direct that particular type of network traffic to a dummynet rule. The syntax for an IPFW−to−dummynet rule must include the following:

An IPFW rule number

A statement that this rule will redirect traffic to some other sort of rule (a dummynet rule)

A number for this other sort of rule

A traffic description

    number pipe pipenumber protocol from sourceaddr sourceport to destaddr destport

In the preceding statement, number is the IPFW rule number, and pipenumber is the number of the pipe that handles this bandwidth rule. (A pipe is an add-on IPFW rule that performs special handling, such as dummynet.) The protocol is ip to match all IP traffic, or tcp or udp to match only that protocol. The sourceaddr and sourceport entries define the IP address and port number where the traffic is coming from, while destaddr and destport specify where the traffic is going to. The port numbers are optional; if no port is specified, all traffic to or from that IP address is affected. Port numbers can only be given when the protocol is tcp or udp. (Both the source and destination can use the special keyword any to match any possible address.)

Here's a simple IPFW−to−dummynet rule:

    100 pipe 1 tcp from 192.168.99.100 80 to any

In this example, 100 is the IPFW rule number. pipe is the marker that indicates that this rule is going to redirect traffic through another set of rules. The pipe rule number is 1, and the remainder of the rule is the traffic description.

Traffic Descriptions

The description of the traffic you want to pump through dummynet is very important. Describing the traffic incorrectly will result in programs having either too much bandwidth or too little.

The basic format for a traffic description is as follows:

    protocol from address port to address port

The protocol is ip to match all IP traffic regardless of protocol, or tcp or udp to match only that protocol; port numbers can only be given with tcp or udp. The from and to are labels, indicating where the traffic is coming from and where it is going to. The address labels are IP addresses, and the ports are port numbers. If you want to specify all IP addresses and ports possible, you can use the any keyword.

For example, let's say our Web server has an IP address of 192.168.99.100. We want to describe all traffic coming from port 80 on the Web server and going to any address anywhere on the Internet. A description of this traffic would look like this:

    tcp from 192.168.99.100 80 to any

Creating IPFW Rules

Say we want to filter the amount of bandwidth for our Web server at IP address 192.168.99.100, running on port 80. We've already written a description of this traffic in the previous section. Now we want to include that, and add the necessary information to redirect this sort of traffic into a dummynet rule.

To create the IPFW rule, we need an IPFW rule number and a pipe rule number. IPFW rules are processed in numerical order, but you can create any numbering scheme you like. Since we aren't using IPFW to filter packets, but just to direct packets to dummynet, the order isn't that important. I usually number rules in even increments of 100 to leave room for modifications between existing rules. Order in pipe rules is not important, so I number them consecutively. In keeping with this, I'll number the IPFW rule 100 and the pipe rule 1.

This would give us an IPFW rule like this:

    100 pipe 1 tcp from 192.168.99.100 80 to any

Adding IPFW Rules

Now that you know what you want your IPFW rule to say, you need to add it to IPFW. Use ipfw add for this:

    ipfw add 100 pipe 1 tcp from 192.168.99.100 80 to any

This rule tells IPFW to take any traffic coming from port 80 on 192.168.99.100, and redirect it through the pipe rule numbered 1.

Creating Pipe Rules

So, IPFW is directing traffic of a certain description to a dummynet (or pipe) rule. It would help if that pipe rule existed, now wouldn't it? Dummynet rules use the following syntax:

    pipe pipenumber config bw bandwidth

The leading pipe in the preceding statement indicates that this is a pipe rule. For pipenumber we use the same number we used in the IPFW rule: 1. For bandwidth we specify this connection's permitted bandwidth. For our example, let's say that we want 128 kilobits per second (Kbps) of traffic.

Install this rule into IPFW with ipfw pipe ... config (pipe configurations are given directly to ipfw, not through ipfw add, which is for ordinary rules):

    ipfw pipe 1 config bw 128Kbit/s

So, now all traffic from the Web site on that IP address is redirected through this dummynet rule, which limits total traffic to 128Kbps.
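The whole procedure from Creating IPFW Rules through Creating Pipe Rules comes down to two ipfw commands whose arguments must agree with each other (same pipe number) and with what ipfw will accept (a rule number below 65535, ports only with tcp or udp, a bandwidth in ipfw(8) units). The script below is an added example, not code from the book: it assembles both commands from a few parameters, refuses combinations that ipfw would reject, and by default prints the commands instead of running them so they can be reviewed first. Function and variable names (build_throttle, apply_throttle, DRY_RUN) are this example's own.

```shell
#!/bin/sh
# Added example, not from the book: assemble and sanity-check the two-rule
# dummynet setup described above (an IPFW rule that sends matching traffic to
# a pipe, plus the pipe's bandwidth configuration) before touching the live
# firewall. With DRY_RUN=1 (the default) the ipfw commands are printed rather
# than run, so the script can be reviewed or tested on a machine without IPFW.
# Function and variable names are this example's own, not ipfw's.

DRY_RUN=${DRY_RUN:-1}

# is_uint VALUE: succeed if VALUE is a non-empty string of decimal digits.
is_uint() {
    case $1 in
        '' | *[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# build_throttle RULENO PIPENO PROTO ADDR PORT BW
# Prints the two ipfw commands, one per line, or an error on stderr.
#   RULENO  IPFW rule number, 1..65534 (65535 is the fixed default rule)
#   PIPENO  dummynet pipe number
#   PROTO   ip, tcp or udp
#   ADDR    source IP address of the service being throttled
#   PORT    source port, or "-" for all ports (ports need tcp or udp)
#   BW      bandwidth in ipfw(8) units, e.g. 128Kbit/s, 1Mbit/s, 64KByte/s
build_throttle() {
    ruleno=$1 pipeno=$2 proto=$3 addr=$4 port=$5 bw=$6
    is_uint "$ruleno" && [ "$ruleno" -ge 1 ] && [ "$ruleno" -le 65534 ] ||
        { echo "bad rule number: $ruleno" >&2; return 1; }
    is_uint "$pipeno" && [ "$pipeno" -ge 1 ] ||
        { echo "bad pipe number: $pipeno" >&2; return 1; }
    case $proto in
        ip | tcp | udp) ;;
        *) echo "unsupported protocol: $proto" >&2; return 1 ;;
    esac
    if [ "$port" != "-" ]; then
        # ipfw rejects port specifications on anything but tcp and udp.
        [ "$proto" = tcp ] || [ "$proto" = udp ] ||
            { echo "ports require tcp or udp, not $proto" >&2; return 1; }
        is_uint "$port" && [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
            { echo "bad port: $port" >&2; return 1; }
    fi
    printf '%s' "$bw" | grep -Eq '^[0-9]+([KM]?(bit|Byte)/s)?$' ||
        { echo "bad bandwidth: $bw" >&2; return 1; }

    src=$addr
    [ "$port" = "-" ] || src="$addr $port"
    # Rule 1: divert the described traffic into the pipe.
    printf 'ipfw add %s pipe %s %s from %s to any\n' "$ruleno" "$pipeno" "$proto" "$src"
    # Rule 2: give the pipe its bandwidth limit.
    printf 'ipfw pipe %s config bw %s\n' "$pipeno" "$bw"
}

# apply_throttle: same arguments; print the commands (dry run) or execute them.
apply_throttle() {
    cmds=$(build_throttle "$@") || return 1
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$cmds"
    else
        printf '%s\n' "$cmds" | while IFS= read -r c; do
            sh -c "$c" || exit 1
        done
    fi
}

# Stand-alone demonstration: the book's Web server, 128Kbit/s, dry run.
apply_throttle 100 1 tcp 192.168.99.100 80 128Kbit/s
```

Run as root with DRY_RUN=0 to install the rules for real; the validation catches the two mistakes most likely to slip through when typing the commands by hand, a port given with the ip protocol and a bandwidth written in a unit ipfw does not understand (such as Kbps).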
