Friday, May 25, 2007

Policy Routing

Policy routing is the process of forcing packets to take a certain route, often different from the default route, based on certain packet attributes (source, type of packets, interface, etc.).

The need for policy routing arises for multi-homed hosts (hosts with two network connections to different ISPs) that cannot use a single default route. Having a central Internet connection for multiple private networks can also require policy routing. It is most useful when you have multiple networks connected behind a FreeBSD host with more than one connection to the Internet, and each network needs to use a different outgoing route.

Policy routing should also be employed when you need to separate traffic by certain criteria, such as source, destination or protocol.

When Not to Use Policy Routing
Policy routing can be extremely useful, but it is not always needed. A frequent case of misuse is configuring a tunnel as a default route. Instead of using the first gateway as the default and then injecting all the other traffic into the tunnel, use more specific routes. For example, if the tunnel ends at 10.10.10.10, the IP address of the other end inside the tunnel is 1.2.3.4, and the gateway your provider gave you (and that you don't actually want to use) is at 2.2.2.2, you can use these routes in /etc/rc.conf:

static_routes="tunnel_end"
route_tunnel_end="-host 10.10.10.10 2.2.2.2"
defaultrouter="1.2.3.4"

Since policy routing does involve a certain overhead on the system, think of a different solution first. Specific routes can be very useful, but policy routing is the only solution for certain cases.

Configuring Policy Routing
The easiest way of doing policy routing with FreeBSD is by using IPFilter. It comes by default with all recent versions of FreeBSD, and it can be easily enabled by adding this line to /etc/rc.conf:

ipfilter_enable="YES"

Be advised that the IP addresses used in this article are fictional, and I have mixed public IP addresses with private ones (see RFC 1918). You might find those in private networks, but they will almost never be assigned to you by an ISP.

Example 1 - Multi-homed Host

Suppose you have a host that is connected to two networks, via two interfaces: fxp0, with an IP address of 192.168.100.100, and fxp1, with an IP address of 192.168.200.200, both with the default classful netmask of 255.255.255.0. On both those networks, the gateways are located at 192.168.*.1. I'll assume that the default route is out fxp0.


Now suppose the host receives a ping (an ICMP echo request packet) from host 1.1.1.1, to its IP address 192.168.200.200. The reply will be generated with a source address of 192.168.200.200, and sent to 1.1.1.1. But if the host has no specific route to 1.1.1.1, it will use the default route out fxp0, and try to send the reply via the gateway at 192.168.100.1. If a stateful firewall is in place on the gateway, the packet will most probably be dropped, as the request came via the other gateway (in the 200 network). Also, if egress filtering (filtering of outbound traffic) is configured on the 100 network gateway, the reply will be blocked because it is coming from a different network (and possibly logged as a spoofing attempt). This will also affect other types of packets, like TCP and UDP.

The solution for this problem is rather simple: use policy routing to force packets from the 192.168.200.200 address to leave via the network they belong to. This line in /etc/ipf.rules does exactly what I have described:

pass out quick on fxp0 to fxp1:192.168.200.1 from 192.168.200.200 to any

This rule says "force packets from my fxp1 address to exit via the gateway on fxp1 (not my default gateway on fxp0)".

Example 2 - Asymmetric Traffic

This is similar to Example 1, but with a different purpose. Let's assume that one of the links, fxp0, is an ADSL link with a static IP address. The fxp1 link is a cable modem, with a dynamic IP. You want to have a web server, so you put it on the static IP. But the cable link has better bandwidth, so you want to take advantage of that.

Web traffic is inherently asymmetric, with a small request from the client to the server and a larger reply from the server to the client. So receiving the request on the ADSL link will not hurt, and it has the added benefit of a static IP address. You therefore decide to send the replies via the link with more bandwidth.

What you need to do is allow requests to the web server on your static IP address to come in via the ADSL link, but policy route the reply, diverting it to the cable link. Here is a configuration that does that:

pass in quick on fxp0 proto tcp from any to 192.168.100.100
pass out quick on fxp0 to fxp1:192.168.200.1 proto tcp from 192.168.100.100 port = 80 to any

The gateway on fxp1 (192.168.200.1 in this example) is assigned by DHCP, and you can find it out by running this command:

# grep routers /var/db/dhclient.leases

This will not work if your ISP on the cable link implements egress filtering. For a web request to complete successfully, the reply must come from the host the request was sent to. Since you will be sending the reply via another link (possibly belonging to a different ISP than the one that owns the fixed IP address), the cable ISP might choose not to forward your packets, making this setup inoperable.
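Because the fxp1 gateway comes from DHCP, the rule above goes stale whenever the lease changes. As an added example (not from the original article), this POSIX shell script combines the lease lookup and the reply rule so the rule follows whatever gateway dhclient last recorded; the lease text is constructed and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original article: rebuild the Example 2 reply
# rule from the gateway dhclient most recently recorded for the cable interface.
# The lease text below is constructed; the real file is /var/db/dhclient.leases.

# Print the "option routers" value of the newest lease for one interface (read
# from stdin). dhclient appends leases, so the last matching block is current.
last_router() {
    awk -v want="$1" '
        /^lease/                    { inlease = 1; iface = ""; gw = "" }
        inlease && /interface/      { gsub(/[";]/, "", $2); iface = $2 }
        inlease && /option routers/ { gsub(/[;,]/, "", $3); gw = $3 }
        inlease && /^}/             { if (iface == want && gw != "") last = gw
                                      inlease = 0 }
        END                         { print last }'
}

# Emit the IPFilter rule that pushes web replies from the static address out
# through the other link's gateway (the "to interface:gateway" form of pass out).
policy_rule() {
    in_if=$1 out_if=$2 gw=$3 src=$4 port=$5
    printf 'pass out quick on %s to %s:%s proto tcp from %s port = %s to any\n' \
        "$in_if" "$out_if" "$gw" "$src" "$port"
}

# Combine both steps; fail rather than emit a rule with an empty gateway, which
# ipf would reject when the rule set is reloaded. Leases come from stdin.
make_reply_rule() {
    cable_if=$1 adsl_if=$2 static_ip=$3
    gw=$(last_router "$cable_if")
    [ -n "$gw" ] || { echo "no lease with a router for $cable_if" >&2; return 1; }
    policy_rule "$adsl_if" "$cable_if" "$gw" "$static_ip" 80
}

# Constructed sample: two leases for fxp1; the gateway changed between them.
sample_leases() {
    cat <<'EOF'
lease {
  interface "fxp1";
  option routers 192.168.200.5;
}
lease {
  interface "fxp1";
  option routers 192.168.200.1;
}
EOF
}

sample_leases | make_reply_rule fxp1 fxp0 192.168.100.100
```

In practice you would pipe the real lease file in and write the output into the policy-routing section of /etc/ipf.rules before reloading it.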

Example 3 - Routing for Multiple Networks

Another scenario is a network that has access to two different ISPs, and has assigned addresses from each of those. The interfaces connecting to those ISPs are fxp0 at 10.0.0.2, using the gateway at 10.0.0.1, and fxp1 at 20.0.0.2, using the gateway at 20.0.0.1. The networks assigned by those two ISPs are 192.168.100.0/24, and 192.168.200.0/24. Traffic originating from the 100 network belongs to the 10.0.0.1 ISP, and the other network to the 20.0.0.1 ISP. The interfaces connecting those two nets are de0 and de1.


This needs a simple configuration in /etc/ipf.rules. But we do have to take care not to send packets out to the ISP that are intended for the FreeBSD machine itself (which we'll suppose is at .254 on both those networks).

# accept packets to us, don't forward them
pass in quick on de0 from 192.168.100.0/24 to 192.168.100.254
pass in quick on de1 from 192.168.200.0/24 to 192.168.200.254

# other packets should be handled by their respective ISP
# ISP1
pass in quick on de0 to fxp0:10.0.0.1 from 192.168.100.0/24 to any
# ISP2
pass in quick on de1 to fxp1:20.0.0.1 from 192.168.200.0/24 to any

Additional Resources
Egress filtering - Keeping the Internet Safe from Your Systems
Anatomy of a Stateful Firewall
- Alex

Thursday, May 24, 2007

Leaving 方正

The day before yesterday, I chose to leave 方正.

Monday, May 07, 2007

During the May Day Holiday

  During the May Day holiday there were seven days off, with two mornings on duty in the middle. The rest of the time I squandered in one go, including going to 德惠 to fix 冯海东's computer once and installing a system for 刘小祎 once. Twice I played games until two in the morning. It left me physically drained, and it took two nights of sleeping like the dead to recover. And of the things and plans I had made before May Day to complete during the holiday, almost none got done. I am still me.

  Tomorrow it's back to work. 高波 called to say he wants to go tomorrow, and I agreed. But I don't know how to do the work after that. I don't have a single idea. Nothing at all.

2006-08-19 | No Regrets

Originally written in my Sohu blog.

Yesterday I spoke with Mom on the phone; from what she said, it seems there is no way she can support me with more money.

I think these are all my own affairs and should not be something Mom has to worry about. I told Mom she could mention it to the relatives, since they had all promised to help me before, and saying nothing would actually be worse. As for whether they can lend to me, and how much, she needn't worry about that. In any case, given the current situation, we can still get married. I must never go begging, thick-skinned and groveling, for this and that...

Then I took my girlfriend to 重庆路 -- I had arranged to have barbecue with 海伦, who wanted to meet my girlfriend.

On the way back, I imagined what kind of wedding this would be. And after the wedding, what kind of life would each day be in a house as empty as an open field? Looking at my very happy girlfriend beside me, what kind of wedding was she imagining? What kind of married life was she imagining? When the time came, would she regret choosing a good-for-nothing like me? I began to regret having so rashly discussed marriage with my girlfriend so early. After listening to her chat for a while, I said cautiously: we haven't registered yet, and there is still a month before the wedding; you can think our situation over carefully ...

My girlfriend started looking at me strangely; then she told me what she thought; and finally, she cried ......

It seems she is too far gone to listen to anyone's unwelcome advice. Our affair, too, is like an arrow off the string, with no turning back. I cannot give her a beautiful present; I hope I can give her the future she wants.

If you don't regret it, I will marry you.

Reposting a Boring Article

  Today, while scavenging for scrap, I passed through a village. I saw a crowd gathered around looking at something. I squeezed in for a look: a man was raping a woman.

  I was shocked and asked: "How can such a thing happen in broad daylight!" The villagers told me that the man was the village head. In the past the villagers, including that woman, had been very poor and people often starved to death; they were not only oppressed by the village's landlords and bullies but also bullied by outsiders, raped and killed by the bullies and the outsiders. Later the village head led a group of people to beat down and drive away the bullies and the outsiders, so everyone elected him village head, and the village head then got everyone fed. So the village head's rape is a rape that lets the victim eat her fill, far better than the rapes of before! Everyone felt the village head's rape was the better kind.

  I said: "Why doesn't the woman resist? And besides, you are all victims, why don't you help this woman?" The villagers looked at me as if I were an alien and said: "Resist! Why wouldn't we resist! Resist this one and the next one does the same; nobody can control our village head, and whoever is made village head will do this! Besides, the village militia and the security patrol are all the village head's men, and they have knives and guns. Better to live badly than die well; who doesn't want to live!"

  I said: "So you don't even dare to curse him, you just keep silent like this?" The villagers said: "Curse? Who can out-curse the village head? He has the big loudspeaker. He broadcasts your family's shameful secrets on the air and lays out his reasoning, and who in the village will believe you?"

  I said: "Then you could sue him." The villagers said: "Sue? Our village rules say that in the coming years the main thing is to solve the problem of eating one's fill and eating well; things that come up while solving this main problem can be set aside and will resolve themselves once everyone is eating very well. When the granaries are full, people learn manners. Survival, or not being raped? Of course the right to survive comes first. Besides, with a full belly come carnal desires; rape is the inevitable growing pain of having enough to eat, determined by the village's conditions. What is there to make a fuss about?"

  I asked the woman being raped: "Don't you feel your human rights and dignity are being violated?" The woman, panting underneath, said: "What's human rights and dignity? I don't understand that. I only know that him pressing on me and doing me like this is wrong. I'm tired and it hurts and it feels awful, and he still doesn't pay."

  I said: "How can the quality of people be so low!" A villager beside me sneered: "You think you're smart. The village head's strategy for governing the village is a whole system; you have to look at things in connection, not in isolation. For the village head to rape us at will, first, he feeds us, so we are grateful to him; second, he gives us ideals, saying that if we follow him things will get better; third, he has the militia and the security patrol to protect him; fourth, he has the loudspeaker and the blackboard bulletin to propagandize for him and criticize members who don't comply; and one more: he made the village primary school charge fees, so many people can't afford school, so they don't understand human rights and dignity, so they don't have as many ideas as you, so the village head can rape in peace and quiet. And the children who finish school are usually from the village head's clan or have received his favor, and won't oppose him; there are a few promising poor kids, but as soon as they graduate the village head puts them in the village committee or a village enterprise with good pay, and they are all grateful to him; add the village head's heavy indoctrination in rape education, and among these intellectuals the women want to offer themselves to the village head and the men want to help hold down the legs while he rapes. Where would they get your wild ideas? So, say the village has a hundred people: 80 are illiterate, 20 are educated, and most of those are in the village head's camp. Tell me, what waves can the odd troublemaker make? So in our village everything serves to make the village head's rape reasonable."

  I said: "So you are willing to go on being raped like this?" The villager said: "It's not as bleak as you say. The village head is constantly improving. His eldest son stole the village's grain and he broke his leg; once the village head got drunk and raped a young girl to death, and when he sobered up he slapped himself several times and confined himself for three days without eating. Look at him raping now: his movements are quite civilized, the woman being raped has the village head's army greatcoat under her, and the village head knows to wear a condom, very much in line with international practice, like foreigners doing it in videos, yelling 'yeah, yeah.' So we have reason to believe tomorrow will be better."

  I said: "So you just watch the victim suffer the agony of abuse?" The villager said gravely: "Yes, we have always been working to solve this problem. Some radicals think the raped woman should struggle hard to overthrow the village head, but that easily intensifies contradictions and affects the village's hard-won unity and stability. More people believe struggling won't solve her present pain and may even increase it, and would also affect the whole village's development. Since this is the reality and we can't change it quickly, we can only let nature take its course and reach a consensus: let the raped woman admit she is a vulnerable group, admit this is an inevitable phenomenon, a brief growing pain, not struggle, change to a more comfortable position, actively accommodate the rape, treat the village head as a good man who brings happiness to each of us, and cooperate with his movements. That way there is no pain, and one can even experience joy!"

  At this point the village head, hearing our discussion getting more and more out of hand, said to the village primary school principal beside him: "These people have nothing to do after eating their fill; the moment their mouths are idle they talk nonsense. Tell them that experts have proved Yue Fei was a woman and his mother was a man."

Saturday, May 05, 2007

How to Check Bandwidth Usage on FreeBSD

It's very simple; use the following command:

# systat -if 1