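#!/usr/local/bin/bash
#
# ipfw pipe rules for IRCd machine
#
# Zoidial, Inc.
# Eric Thern eric@zoidial.com
#
# some of the initial ruleset based on rules from Nick Ciesiolka
#
# Updated with new rules, rule numbers, rule layout and bandwidth
# configs for use with Zoidial, Inc. machines.
#
# WHATSIT DO?
# -----------
# this is a ruleset to set bandwidth limits on all IP addresses on
# a given machine. The pipe bandwidth limits are set for different
# port numbers and such, so that you will limit IRCd and other specified
# traffic.
#
# This is needed on an IRCd machine in order to make sure that certain
# IRCd's do not take up too much of the bandwidth, but at the same time
# it allows each IRCd to use its own bandwidth limit(s), so the customers
# are much happier.
#
# NOTE: every rule in this file is a 'pipe' action. Pipes shape bandwidth
# only; they never deny traffic. Any service that is shaped here is still
# reachable unless your main ipfw ruleset restricts it.
#
# best to keep this sysctl set to 1:
# net.inet.ip.fw.one_pass=1
#
# explanation:
#   Forces a single pass through the firewall. If set to 0,
#   packets coming out of a pipe will be reinjected into the
#   firewall starting with the rule after the matching one.
#   NOTE: there is always one pass for bridged packets.
#
# May want to take a look at my sysctl.conf on www.thern.org/projects/ for more info
#
#
# April, 2003 - initial version
# between these two dates - lots of revisions, updates
# July 16, 2003 - Updated most of the rulesets
#
# ---------------------
# NOTICE!!!!!!!!!!!!!!!
# ---------------------
#
# 1) make sure you look this over before you run it! good lord, this could ruin everything!
# 2) the "specific IP" settings below (WEBSERVER, the 500-503 hosts) - YOU MUST EDIT THESE (or, take them out)
# 3) ALSO - edit INTRANET_NETS for your own IP address range(s)
# 4) EDIT DDOS_SCRIPT, the path to the ddos-rate-limits script (don't leave it at ./ unless you really just
#    run this from the same directory you are in all the time)
#

# Abort on use of an unset variable. '-e' is deliberately NOT set: on a
# first run the 'delete' of stale rules legitimately fails, and a partially
# applied pipe set is worse than a warning.
set -u

###
#
# Site-specific settings -- edit these (see NOTICE items 2-4)
#

# Absolute path to ipfw, so the ruleset does not depend on $PATH
# (the original mixed bare 'ipfw' and '/sbin/ipfw').
IPFW=/sbin/ipfw
readonly IPFW

# Path to the ddos-rate-limits script. It MUST run before the pipe rules
# below; may be overridden from the environment.
DDOS_SCRIPT=${DDOS_SCRIPT:-./ddos-rate-limits}

# Address ranges treated as "intranet" (rule 270, full-speed pipe).
INTRANET_NETS=(216.218.235.0/24 64.71.191.192/27)

# Host that gets per-service pipes (rules 510-521).
WEBSERVER=216.218.235.35

# Port groups shared by the SYN/ACK/RST rules below.
IRCD_PORTS_A="6667,5555,9020"
IRCD_PORTS_B="7000,7001,7002,8000,8888,8080"
IRCD_PORTS_C="6660-6666,6668,6669"

###
#
# Helpers
#

# Print a message to stderr and exit non-zero.
die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Give one TCP service on a host its own pipe for ACK traffic, both
# directions (pipe number == rule number).
# Arguments: $1 - pipe/rule number
#            $2 - host IP
#            $3 - TCP port
#            $4 - bandwidth, ipfw syntax (e.g. 1024Kbit/s)
#######################################
shape_service() {
  local num=$1 host=$2 port=$3 bw=$4
  "$IPFW" -q pipe "$num" config bw "$bw" queue 10Kbytes
  "$IPFW" -q add "$num" pipe "$num" tcp from "$host" "$port" to any tcpflags ack out
  "$IPFW" -q add "$num" pipe "$num" tcp from any to "$host" "$port" tcpflags ack in
}

#######################################
# Give outbound HTTP from one host its own pipe (pipe number == rule number).
# Arguments: $1 - pipe/rule number, $2 - host IP, $3 - bandwidth
#######################################
shape_http_out() {
  local num=$1 host=$2 bw=$3
  "$IPFW" -q pipe "$num" config bw "$bw" queue 10Kbytes
  "$IPFW" -q add "$num" pipe "$num" tcp from "$host" 80 to any out
}

###
#
# Sanity checks before touching anything
#

[[ -x "$IPFW" ]] || die "ipfw not found at $IPFW"
# The rate-limit script is part of the protection; silently skipping it
# (the old behaviour when the path was wrong) is not acceptable.
[[ -x "$DDOS_SCRIPT" ]] || die "ddos-rate-limits script not executable: $DDOS_SCRIPT (edit DDOS_SCRIPT)"

# The pipes below assume a single firewall pass (see header). Warn, don't
# abort, if the sysctl is readable and set otherwise.
one_pass=$(sysctl -n net.inet.ip.fw.one_pass 2>/dev/null || true)
if [[ -n "$one_pass" && "$one_pass" != 1 ]]; then
  printf 'warning: net.inet.ip.fw.one_pass=%s; this ruleset expects 1\n' "$one_pass" >&2
fi

###
#
# FLUSH PIPES HERE (BE CAREFUL!)
#
"$IPFW" -q pipe flush

###
#
# delete stale rules (if you update anything below, ADD THE RULE NUMBER HERE!)
# These may not exist yet on a first run; that is why 'set -e' is off.
#
"$IPFW" -q delete 270
"$IPFW" -q delete 280 281 282 283 284 285 286 287 288 289
"$IPFW" -q delete 300 301 302 303 304 305 306 307 308
"$IPFW" -q delete 500 501 502 503
"$IPFW" -q delete 510 511 512 513 514 515 516 517 518 519 520 521
"$IPFW" -q delete 900 901 902 903 904 905 906 907 908 909
"$IPFW" -q delete 950 951 952 953 954 955 956 957 958

###
#
# Run the ddos-rate-limits script here
#
"$DDOS_SCRIPT" || die "ddos-rate-limits failed; not applying pipe rules"

###
#
# don't rate limit subnet traffic too low
# however, keep this after the ddos-rate-limits, just in case people try anything dumb
#
# Pipe rules for intranet
#
"$IPFW" -q pipe 270 config bw 50Mbits/s queue 500Kbytes
#
# rules for the above pipe(s): every intranet net to every intranet net
#
for src_net in "${INTRANET_NETS[@]}"; do
  for dst_net in "${INTRANET_NETS[@]}"; do
    "$IPFW" -q add 270 pipe 270 tcp from "$src_net" to "$dst_net"
  done
done

###
#
# Pipe rules for TCP SYN Traffic [ incoming ]
# (per destination IP, so one host cannot eat another host's share)
#
for num in 280 281 282 283 284 285; do
  "$IPFW" -q pipe "$num" config bw 60Kbits/s queue 45Kbytes delay 0 mask dst-ip 0xffffffff
done
for num in 286 287; do
  "$IPFW" -q pipe "$num" config bw 120Kbits/s queue 45Kbytes delay 0 mask dst-ip 0xffffffff
done
for num in 288 289; do
  "$IPFW" -q pipe "$num" config bw 300Kbits/s queue 45Kbytes delay 0 mask dst-ip 0xffffffff
done
#
# Corresponding ipfw rules for pipes
#
"$IPFW" -q add 280 pipe 280 tcp from any to me "$IRCD_PORTS_A" tcpflags syn in
"$IPFW" -q add 281 pipe 281 tcp from any "$IRCD_PORTS_A" to me tcpflags syn in
"$IPFW" -q add 282 pipe 282 tcp from any to me "$IRCD_PORTS_B" tcpflags syn in
"$IPFW" -q add 283 pipe 283 tcp from any "$IRCD_PORTS_B" to me tcpflags syn in
"$IPFW" -q add 284 pipe 284 tcp from any to me "$IRCD_PORTS_C" tcpflags syn in
"$IPFW" -q add 285 pipe 285 tcp from any "$IRCD_PORTS_C" to me tcpflags syn in
"$IPFW" -q add 286 pipe 286 tcp from any to me 80 tcpflags syn in
"$IPFW" -q add 287 pipe 287 tcp from any 80 to me tcpflags syn in
"$IPFW" -q add 288 pipe 288 tcp from any to me 22 tcpflags syn in
# catch-all for every other incoming SYN
"$IPFW" -q add 289 pipe 289 tcp from any to me tcpflags syn in

###
#
# Pipe rules for TCP SYN Traffic [ outgoing ]
# (per source IP)
#
for num in 300 301; do
  "$IPFW" -q pipe "$num" config bw 64Kbits/s queue 10Kbytes delay 0 mask src-ip 0xffffffff
done
for num in 302 303 304 305; do
  "$IPFW" -q pipe "$num" config bw 32Kbits/s queue 10Kbytes delay 0 mask src-ip 0xffffffff
done
for num in 306 307; do
  "$IPFW" -q pipe "$num" config bw 120Kbits/s queue 20Kbytes delay 0 mask src-ip 0xffffffff
done
"$IPFW" -q pipe 308 config bw 240Kbits/s queue 30Kbytes delay 0 mask src-ip 0xffffffff
#
# Corresponding ipfw rules for pipes
#
"$IPFW" -q add 300 pipe 300 tcp from me "$IRCD_PORTS_A" to any tcpflags syn out
"$IPFW" -q add 301 pipe 301 tcp from me to any "$IRCD_PORTS_A" tcpflags syn out
"$IPFW" -q add 302 pipe 302 tcp from me "$IRCD_PORTS_B" to any tcpflags syn out
"$IPFW" -q add 303 pipe 303 tcp from me to any "$IRCD_PORTS_B" tcpflags syn out
"$IPFW" -q add 304 pipe 304 tcp from me "$IRCD_PORTS_C" to any tcpflags syn out
"$IPFW" -q add 305 pipe 305 tcp from me to any "$IRCD_PORTS_C" tcpflags syn out
"$IPFW" -q add 306 pipe 306 tcp from me 80 to any tcpflags syn out
"$IPFW" -q add 307 pipe 307 tcp from me to any 80 tcpflags syn out
# catch-all for every other outgoing SYN
"$IPFW" -q add 308 pipe 308 tcp from me to any tcpflags syn out

###
#
# specific rules for "special" IP addresses that need more bandwidth (or less bandwidth)
# add them all here before the '900'+ TCP/ACK rules
#
# outbound HTTP from individual hosts (pipes 500-503)
#
shape_http_out 500 216.218.235.27 350Kbit/s
shape_http_out 501 216.218.235.28 128Kbit/s
shape_http_out 502 216.218.235.29 28Kbit/s
shape_http_out 503 216.218.235.192 256Kbit/s

#
# webserver: one ACK pipe per service (pipes 510-521).
# Shaping a port here does NOT restrict who may reach it; the admin ports
# in this list (3306, 21, 22, 23) must be filtered in the main ruleset.
#
shape_service 510 "$WEBSERVER" 80 2048Kbit/s
shape_service 511 "$WEBSERVER" 8443 320Kbit/s
shape_service 512 "$WEBSERVER" 443 1024Kbit/s
shape_service 513 "$WEBSERVER" 3306 128Kbit/s
shape_service 514 "$WEBSERVER" 21 1024Kbit/s
shape_service 515 "$WEBSERVER" 22 1024Kbit/s
shape_service 516 "$WEBSERVER" 23 128Kbit/s
shape_service 517 "$WEBSERVER" 25 2048Kbit/s
shape_service 518 "$WEBSERVER" 110 1024Kbit/s
shape_service 519 "$WEBSERVER" 465 760Kbit/s
shape_service 520 "$WEBSERVER" 993 512Kbit/s
shape_service 521 "$WEBSERVER" 995 512Kbit/s

###
#
# Pipe rules for TCP ACK Traffic [ outgoing ]
# (per source IP)
#
for num in 900 901; do
  "$IPFW" -q pipe "$num" config bw 100Kbits/s queue 20Kbytes delay 0 mask src-ip 0xffffffff
done
for num in 902 903 904 905; do
  "$IPFW" -q pipe "$num" config bw 60Kbits/s queue 20Kbytes delay 0 mask src-ip 0xffffffff
done
for num in 906 907; do
  "$IPFW" -q pipe "$num" config bw 256Kbits/s queue 60Kbytes delay 0 mask src-ip 0xffffffff
done
"$IPFW" -q pipe 908 config bw 512Kbits/s queue 60Kbytes delay 0 mask src-ip 0xffffffff
"$IPFW" -q pipe 909 config bw 256Kbits/s queue 40Kbytes delay 0 mask src-ip 0xffffffff
#
# Corresponding ipfw rules for the pipes
#
"$IPFW" -q add 900 pipe 900 tcp from me "$IRCD_PORTS_A" to any tcpflags ack out
"$IPFW" -q add 901 pipe 901 tcp from me to any "$IRCD_PORTS_A" tcpflags ack out
"$IPFW" -q add 902 pipe 902 tcp from me "$IRCD_PORTS_B" to any tcpflags ack out
"$IPFW" -q add 903 pipe 903 tcp from me to any "$IRCD_PORTS_B" tcpflags ack out
"$IPFW" -q add 904 pipe 904 tcp from me "$IRCD_PORTS_C" to any tcpflags ack out
"$IPFW" -q add 905 pipe 905 tcp from me to any "$IRCD_PORTS_C" tcpflags ack out
"$IPFW" -q add 906 pipe 906 tcp from me 80 to any tcpflags ack out
"$IPFW" -q add 907 pipe 907 tcp from me to any 80 tcpflags ack out
"$IPFW" -q add 908 pipe 908 tcp from me 22 to any tcpflags ack out
# catch-all for every other outgoing ACK
"$IPFW" -q add 909 pipe 909 tcp from me to any tcpflags ack out

###
#
# Pipe rules for TCP RST Traffic [ outgoing ]
# (per source IP)
#
for num in 950 951 952 953 954 955; do
  "$IPFW" -q pipe "$num" config bw 60Kbits/s queue 15Kbytes delay 0 mask src-ip 0xffffffff
done
for num in 956 957; do
  "$IPFW" -q pipe "$num" config bw 60Kbits/s queue 45Kbytes delay 0 mask src-ip 0xffffffff
done
"$IPFW" -q pipe 958 config bw 60Kbits/s queue 25Kbytes delay 0 mask src-ip 0xffffffff
#
# Corresponding ipfw rules for the pipes
#
"$IPFW" -q add 950 pipe 950 tcp from me "$IRCD_PORTS_A" to any tcpflags rst out
"$IPFW" -q add 951 pipe 951 tcp from me to any "$IRCD_PORTS_A" tcpflags rst out
"$IPFW" -q add 952 pipe 952 tcp from me "$IRCD_PORTS_B" to any tcpflags rst out
"$IPFW" -q add 953 pipe 953 tcp from me to any "$IRCD_PORTS_B" tcpflags rst out
"$IPFW" -q add 954 pipe 954 tcp from me "$IRCD_PORTS_C" to any tcpflags rst out
"$IPFW" -q add 955 pipe 955 tcp from me to any "$IRCD_PORTS_C" tcpflags rst out
"$IPFW" -q add 956 pipe 956 tcp from me 80 to any tcpflags rst out
"$IPFW" -q add 957 pipe 957 tcp from me to any 80 tcpflags rst out
# catch-all for every other outgoing RST
"$IPFW" -q add 958 pipe 958 tcp from me to any tcpflags rst out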