PicoBSD @VER@ (DIALUP flavor)
—————————

What is PicoBSD?
—————-

It’s a one floppy version of FreeBSD (please see http://www.freebsd.org),
configured mainly for dialup access. It can be used as a means to read your
mail remotely, or to log in somewhere and do the work there.

What are minimal requirements?
——————————

* 386SX CPU or better (this release contains also FPU emulator)
* 8MB RAM – the more the better.
* Modem sitting on COM1-COM4 (default is to use COM2), if you want to have
a PPP connection.
* Network card: compatible with NE2000, or PCI cards with DEC chipsets
or 3C509 series (ed, ep and de drivers). There is also driver for Intel
EtherExpress PCI card (fxp), and Lance/PCnet (lnc).

How to make a dialup connection?
——————————–

I recommend running /stand/dialup script, which will additionally configure
the PPP to allow you to automatically connect to your provider, and
will make the ppp to run in background. However, if you like to do it
yourself, or the script doesn’t work properly in your case (let me know
this!), here are the steps you should take:

1. Go to /etc/ppp directory and edit file ppp.conf (using ee editor). You
should check at least the port number of your modem (it’s configured
on cuaa1==COM2 by default).
2. After you’re happy with it, start ‘ppp’ program. Enter the terminal
mode (‘term’) – you are now directly connected to your modem, so you
can normally dial the number using AT commands (e.g. atdt555666777),
and log in to communictaion server. You should see something like
this:

(comm server prompt) login: abial
(comm server prompt) Password: ********

Then either the comm server automatically switches to PPP, or you
should issue a command to tell it to do so (e.g. ‘go ppp’, ‘PPP’ or
other). When PPP is started, you should see something like:

ppp on pico> Packet mode
PPP on pico>

Notice the uppercase PPP – it means that the protocol is up, and now
you’re connected. Congratulations.
3. Your console is blocked now, but you can use other virtual consoles
available under Alt-Fn.

How to configure my Ethernet card?
———————————-

Hopefully your ethernet card is supported by PicoBSD kernel, and in case of
ISA cards you have already set up correctly its parameters in UserConfig
editor. You can check if PicoBSD found your card by looking into startup
messages (‘dmesg | more’).

The easiest way to do it is to edit /etc/rc.conf file (‘ee /etc/rc.conf’).
Find the line which says ‘network_interfaces’ and add the name of your
card to the list. Then add yet another line ‘ifconfig_‘ which
actually sets up your IP address and netmask. E.g:

network_interfaces=”lo0 ed0″
ifconfig_lo0=”inet 127.0.0.1″
ifconfig_ed0=”inet 192.168.0.1 netmask 255.255.255.0″

Then you have to set up your default gateway, which is usually the router
nearest to you (on the same LAN). E.g:

defaultrouter=”192.168.0.100″

Then you save this information on the floppy with ‘update’ command, and
reboot.

Of course, you can also issue the proper commands by hand:

ifconfig ed0 inet 192.168.0.1 netmask 255.255.255.0
route add default 192.168.0.100

Once you do this, you should be able to ‘ping’ some remote IP address.

Where to get additional info?
—————————–

There is official page of this project at:

http://www.freebsd.org/~picobsd/

You can find some informations there – not too much yet, to be sure…
I’ll put there also new versions of PicoBSD and bugfixes.

I’ll be glad hearing from you about your experiences with PicoBSD. Thanks.

Have fun!

Andrzej Bialecki

$FreeBSD: src/release/picobsd/dial/lang/README.en,v 1.7 1999/08/28 01:33:19 peter Exp $

4.0中如下

kldload vn
vnconfig -c /dev/vn0 /xxx/xxx.iso
mount_cd9660 /dev/vn0 /xxx/xxx
umount /dev/vn0
vnconfig -u /dev/vn0

在5.0中如下
mdconfig -a -t vnode -f abc.iso -u 1
mount_cd9660 /dev/md1 /cdrom

dummynet

1. Description

dummynet is a flexible tool originally designed for testing networking protocols, and since then (mis)used for bandwidth management.

It simulates/enforces queue and bandwidth limitations, delays, packet losses, and multipath effects. It also implements a variant of Weighted Fair Queueing called WF2Q+. It can be used on user’s workstations, or on FreeBSD machines acting as routers or bridges.

Just to get the idea of what you can do with dummynet, e.g. by using dummynet on your workstation, or putting a PC with two ethernet cards between your network and your router and booting from the floppy-image below, here are a few examples :

These rules limit the total ICMP traffic (inbound+outbound) to 50Kbit/s

    ipfw add pipe 1 icmp from any to any
    ipfw pipe 1 config bw 50Kbit/s queue 10

These rules limit inbound traffic to 300Kbit/s for each host on your network 10.1.2.0/24.

    ipfw add pipe 2 ip from any to 10.1.2.0/24
    ipfw pipe 2 config bw 300Kbit/s queue 20 mask dst-ip 0x000000ff

If you want all machines to share evenly a single link, you should use instead:

    ipfw add queue 1 ip from any to 10.1.2.0/24
    ipfw queue 1 config weight 5 pipe 2 mask dst-ip 0x000000ff
    ipfw pipe 2 config bw 300Kbit/s

And these rules simulate an ADSL link to the moon:

    ipfw add pipe 3 ip from any to any out
    ipfw add pipe 4 ip from any to any in
    ipfw pipe 3 config bw 128Kbit/s queue 10 delay 1000ms
    ipfw pipe 4 config bw 640Kbit/s queue 30 delay 1000ms

dummynet works by intercepting packets (selected by ipfw rules – ipfw is one of the FreeBSD firewalls) in their way through the protocol stack, and passing them through one or more objects called queues and pipes, which simulate the effects of bandwidth limitations, propagation delays, bounded-size queues, packet losses, multipath. Pipes are fixed-bandwidth channels. Queues represent instead queues of packets, associated with a weight, which share the bandwidth of the pipe they are connected to proportionally to their weight.

Each pipe and queue can be configured separately, so you can apply different limitations/delays to different traffic according to the ipfw rules (e.g. selecting on protocols, addresses and ports ranges, interfaces, etc.). Pipes and queues can be created dynamically, so using a single set of rules you can apply independent limitations to all hosts in a subnet, or to all types of traffic, etc. You can also configure the system to build cascades of pipes, so you can simulate networks with multiple links and paths between source(s) and destination(s).

2. Performance, status and availability

Unlike other traffic shaping packages which run in userland, dummynet has a very little overhead, as all processing is done within the kernel. There is no data copying involved to move packets through pipes, just a bit of pointer shuffling, and the implementation is able to handle thousands of pipes with O(log N) cost, where N is the number of active pipes.

The WFQ variant we implement, called WF2Q+, has a complexity which is O(log N) in the number of active flows, so again it is able to handle efficiently thousands of flows. dummynet is part of FreeBSD since Sept.1998. It has been recently (Jan.2000 and June 2000) rewritten, so the most recent, feature-rich and robust versions are in FreeBSD 3.4-STABLE and newer releases.

You don’t need to install FreeBSD on your hard disk to use it, as below you will find a bootable single-floppy version of FreeBSD which includes dummynet, bridging, and a lot of other goodies.

Dummynet is being heavily used by lots of people, and the code seems to be extremely stable and robust, especially in the 3.4-STABLE version and above. Bug fixes are generally applied to the FreeBSD source tree and are available from the CVS tree or in newer snapshot/releases of FreeBSD. From time to time i update the floppy image on this site as well.

3. Support

If you have found some bug, please report it to me by email, but don’t forget to include information on which version of FreeBSD and dummynet you are using, your rules (ipfw show; ipfw pipe show), your configuration (bridge or router) etc.
If you have a simple question, again just email me and i generally try to reply as soon as possible. Again, please supply details!
For more complex things (like “i have no time to learn how to use it, i just want this work done”), or customizations and additions of new features to dummynet/ipfw, I am available (through my department) for doing support on a contract basis.
Email luigi@iet.unipi.it for discussing details.

This said, FreeBSD users should be able to use dummynet without the need for support.
The relevant manpages (ipfw(8), dummynet(4), bridge(4)) are a great source of information, so please read updated version of them before asking questions.
You can also try posting on the various FreeBSD mailing lists or newsgroups, they are usually a very good source of information.

4. Using dummynet

Dummynet is entirely controlled by the ipfw commands and a set of sysctl variables.

4.1 Basic ipfw commands

The basic structure of ipfw commands is

   ipfw add [N] [prob X] action PROTO from SRC to DST [options]

where N is the rule number ;
X is a number between 0 and 1 that, when present, indicates the probability of getting a match on this rule if all other fields are correct. The default is deterministic match;
action is one of the actions executed on a match, which can be any of allow, deny, skipto N, pipe N and others. To send a packet to a dummynet pipe, we have to use pipe N; PROTO is the protocol type we want to match (IP, TCP, UDP, …);
SRC and DST are address specifier (we can use addresses with netmasks and optionally followed by ports or port ranges);
options can be used to restrict the attention to packets coming from/to specific interfaces, or carrying some TCP flags or ICMP options, or bridged, etc.

4.2 Sysctl variables

The following are the main sysctl variables to control the behaviour of ipfw, bridging and dummynet:

Controlling ipfw

The firewall is mostly controlled by ipfw, and the sysctl variables only serve to give global configuration and default parameters.

net.inet.ip.fw.enable: 1
	enables firewall in the IP stack
net.inet.ip.fw.one_pass: 1
	Forces a single pass through the firewall. If set to 0,
	packets coming out of a pipe will be reinjected into the
	firewall starting with the rule after the matching one.
	NOTE: there is always one pass for bridged packets.
net.inet.ip.fw.dyn_buckets: 256 (readonly)
	Current hash table size used for dynamic rules.
net.inet.ip.fw.curr_dyn_buckets: 256
	Desired hash table size used for dynamic rules.
net.inet.ip.fw.dyn_count: 3
	Current number of dynamic rules. (readonly)

net.inet.ip.fw.dyn_max: 1000
	Max number of dynamic rules. If you exceed this limit, you will
	have to wait for a rule to expire before being able to create
	a new one.
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_fin_lifetime: 20
net.inet.ip.fw.dyn_rst_lifetime: 5
net.inet.ip.fw.dyn_short_lifetime: 5
	Lifetime (in seconds) for various types of dynamic rules.

Controlling dummynet

Also dummynet is mostly controlled by ipfw, with the sysctl variables serving mostly for default parameters.

net.inet.ip.dummynet.hash_size: 64
	Size of hash table for dynamic pipes.
net.inet.ip.dummynet.expire: 1
	Delete dynamic pipes when they become empty.
net.inet.ip.dummynet.max_chain_len: 16
	Max ratio between number of dynamic queues and hash buckets.
	When you exceed (max_chain_len*buckets) queues on a pipe,
	packets not matching any of these will be all put into the
	same default queue.

Controlling bridging

Bridging is almost exclusively controlled by sysctl variables.

net.link.ether.bridge_cfg: ed2:1,rl0:1,
	set of interfaces for which bridging is enabled, and cluster
	they belong to.
net.link.ether.bridge: 0
	enable bridging.
net.link.ether.bridge_ipfw: 0
	enable ipfw for bridging.

4.3 Pipe and queue configuration

The following ipfw commands control dummynet pipes

• ipfw pipe NN config ...
  This command is used to create or reconfigure a pipe. NN is the numeric identifier (between 1 and 65535) of the pipe. Issuing multiple time the configuration command results in the pipe being reconfigured. 
• ipfw [-s field] pipe [NN] show
  This command shows the parameters of a pipe. If the pipe is a dynamic one (see mask parameter), then all dynamic pipes created from this one are listed. The list can be very very long. The -s option allows you to sort the listing on one of the four counters associated to the pipe.
• ipfw pipe NN delete Destroys a single pipe. Remember that packets sent to a non-existing pipe are silently dropped.
• ipfw pipe flush Destroys all pipes.

The following parameters can be configured for a pipe, adding the command in the pipe config... line:

• Bandwidth: bw NNunit
  NN is the bandwidth assigned to the pipe, unit (which must follow the number with no intervening spaces) can be any of bit/s Kbit/s Mbit/s Byte/s KByte/s MByte/s or non-ambiguous abbreviations.
  A bandwidth of 0 (or no bandwidth) results in no bandwidth limitations (hence, no queues will ever build up).
• Queue size: queue NN [unit]
  Sets the queue size, in slots if only NN is specified, otherwise in Bytes or KBytes. When there is no room in the queue, packets are dropped. The default queue size is 50 slots.
  The combination of bandwidth and queue size influence the queueing delay. Be careful when using low bandwidths not to use too large queues, or you might end up with several seconds of queueing delay.
  Also be careful when you specify the queue size in packets: if you run tests over the loopback interface, a packet can be very large, e.g. 16KB, again resulting in huge delays.
• Delay: delay NN ms
  Sets the propagation delay of the pipe, in milliseconds. Note that the queueing delay component is independent of the propagation delay. Also note that all delays are approximated with a granularity of 1/HZ seconds (HZ is typically 100, but we suggest using HZ=1000 and maybe even larger values).
• Random Packet Loss: plr X
  X is a floating point number between 0 and 1 which causes packets to be dropped at random. This is done generally to simulate lossy links. The default is 0, or no loss.
• Dynamic queue creation: mask ...
  It is possible to associate a mask to a pipe so that bandwidth and queue limitations are enforced separately for packets belonging to different flows.The mask command lets you specify which parts of the following fields contribute to identify a flow:

  [proto N] [src-ip N] [dst-ip N] [src-port N] [dst-port N]

  where N is a bitmask where significant bits are set to 1. You can specify one or more masks, or the all keyword to mean that all fields are fully significant.
  The default (when no mask are specified) is to ignore all fields, so that all packets are considered to belong to the same flow.Whenever a new flow is encountered, a new queue (with the specified bandwidth and queue size) is created.

  WARNING!!! the number of dynamic queues that can be created in this way can become very large. They are accessed through a hash table, whose size you can define using the buckets NN specifier after the mask command.

To use WF2Q+, packets must be passed to queues which in turn must be connected to a pipe.

The following ipfw commands control dummynet pipes

• ipfw queue NN config ...
  This command is used to create or reconfigure a queue. NN is the numeric identifier (between 1 and 65535) of the queue. Issuing multiple time the configuration command results in the queue being reconfigured. 
• ipfw queue NN delete Destroys a single queue. Remember that packets sent to a non-existing queue are silently dropped.
• ipfw queue flush Destroys all queues.

The following parameters can be configured for a queue, adding the command in the queue config... line:

• Pipe: pipe NN
  NN is the identifier of the pipe used for regulating traffic.
• Weight: weight NN
  NN is the weight (1..100, default 1) associated to the queue.
• Per-Flow queueing: mask ...
  The syntax is the same as for pipes. However, all queues created dynamically will share the parent pipe’s bandwidth according to the weight.
• Queue size, Random Packet Loss:
  Same as for pipes.

5. Using dummynet for testing protocols

Dummynet was originally created to test network protocols and applications, possibly even on a standalone system. As a consequence, some of its features such as delay emulation, random loss etc. are explicitly designed for that purpose.

There are a few things you should take in mind when doing such tests, to avoid getting incorrect results. They are all obvious things, still it is better to have them in mind.

• Choosing a reasonable buffer size.
  As said earlier, packet can be subject to a delay which is proportional to the total queue size (in bytes), and inversely proportional to the bandwidth. At low bandwidths, this queueing delays can be extremely high, especially if the queue size is defined in terms of packets and packets are large. The default queue size is almost certainly too large for most purposes, and it is often preferable to define the queue size in terms of bytes rather than packets.
• Half-duplex vs. Full-duplex channels.
  With the exception of shared-medium networks such as the ethernet, most links that you want to simulate for your experiments are full duplex. As such, the proper configuration is the following:

      ipfw add pipe 1 ip from A to B
      ipfw add pipe 2 ip from B to A
      ipfw pipe 1 config ...
      ipfw pipe 2 config ...

  Should you really need to mode a half duplex network, then you can use the following sequence. But think twice before you do so, as it is often a non-realistic mode.

      ipfw add pipe 3 ip from A to B
      ipfw add pipe 3 ip from B to A
      ipfw pipe 3 config ...

   

• Interactions between bridging and multicast
  You can use ipfw (and dummynet) in a bridge by setting some sysctl variables:

  	sysctl -w net.link.ether.bridge=1
  	sysctl -w net.link.ether.bridge_ipfw=1

  and then specify your firewall configuration.
  Be careful when you run experiment involving multicast traffic through a dummynet-enabled bridge. Unless you set the rules right, multicast traffic in a bridge goes through the firewall code twice: once during forwarding at level 2, once when the packet is passed to the local IP stack of the bridge.Starting from Feb.2000, there are to avoid this problem. One involves a sysctl variable:

  	sysctl -w net.inet.ip.fw.enable=0

  which avoids that the firewall is invoked at the ip level. Otherwise, you can use the bridged specifier in your ruleset to match only bridged packets:

      ipfw add pipe 1 ip from any to any bridged

   

• Running over the loopback interface.
  Dummynet was originally designed for running experiments on a standalone machine. The loopback interface lets you run senders and receivers on the same machine, but you should remember a few things: 
  • The firewall is invoked on all packets.
    This means that if you have a configuration such as

        ipfw add pipe 4 ip from 127.0.0.1 to 127.0.0.1
        ipfw pipe 4 config delay 100ms

    and do a simple ping 127.0.0.1 you will see a delay of approximately 400ms. In fact the ICMP request goes through the pipe twice (once down, once up), and the same for the ICMP reply. For the same reason, if you also have bandwidth or queue limitations, remember that the queue sees the traffic multiple times.
    You can partially overcome this problem by using additional ipfw options, e.g. specifying a direction for matching packets, or the uid of the sender or receiving process. Alternatively, you can assign multiple aliases to the loopback interface, and make sure that the sender and receiver bind their local endpoint to different addresses so that you will have distinct rules matching traffic in the two directions. 

  • The MTU of the loopback interface defaults to 16KB
    The usual default for ethernet is 1500, and for point-to-point links often smaller (576 or so). You can simply fix this by redefining the mtu to the desired value with

        ifconfig lo0 mtu 1500

     

• TCP defaults.
  Be very careful when using TCP, especially between processes running on the same machine, or on the same subnet.
  Apart from the MTU issue mentioned earlier, at least on FreeBSD, TCP starts with a full window when the remote endpoint is on the same subnet as one of the local addresses. You need a simple fix in the source (tcp_input.c i believe) to fix this behaviour in FreeBSD 3.x, whereas FreeBSD 4.x has sysctl variable(s) to set the initial window.
  Secondly, when you do experiments on configuration with a large delay-bandwidth product, remember that many applications use the default window size which is small, something like 16KB. You might end up not using the full bandwidth just because your data transfer is window-limited. 

5.1 Simulating multipath

One nice feature of the new version of dummynet is the ability to simulate multiple paths between sender and receiver. This is done using probabilistic match, e.g.:

    ipfw add prob 0.33 pipe 1 ip from A to B
    ipfw add prob 0.5  pipe 2 ip from A to B
    ipfw add           pipe 3 ip from A to B
    ipfw pipe 1 config ...
    ipfw pipe 2 config ...
    ipfw pipe 3 config ...

Given the right packet, the first rule will match with probability 1/3; in the remaining 2/3 of occurrence we move to the second rule, which will match with prob 1/2 (so overall 1/2*1/3 = 1/3), and the remaining 1/3 of occurrence will move to the third rule, which has a deterministic match. We can then configure the three pipes as desired to emulate phenomena such as packet reordering etc.

6 Related links

Here i collect some info on how to do various ipfw-related things. Most of this is just URLs collected from the mailing list so the reliability of the info might be different (for good or bad) from what is in this page.

• PPP Over Ethernet
  Detailed instructions on how to set up a PPPoE connection. ALTQ
  Alternate queueing scheme.

1.编释内核启用IPFIREWALL和IPFIVERT
编释内核启用DUMMYNET
2.cd /usr/src
make buildkernel KERNCONF=ConfigName
make installkernel KERNCONF=ConfigName

3.添加相应规则（此处添加的只为简单规则，末做安全设置）
ipfw -q add 00001 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
ipfw -q add 00002 deny ip from 127.0.0.0/8 to any
ipfw -q add 00003 deny ip from any to 127.0.0.0/8
ipfw -q add 00004 deny ip from 1.1.1.0/24 to any in via rl0

ipfw -q add 20000 divert 8668 ip from any to any via rl0 (rl0为外网口，在rl0口上启用natd服务）

#创建相应相应通道。
ipfw -q add 30000 pipe 1 icmp from any to any
ipfw -q add 30101 pipe 4 tcp from any to any out

ipfw -q add 65535 allow ip from any to any

ipfw -q pipe 4 config mask dst-ip 0xffffffff bw 100KB/s queue 100Kbytes (匹配通道4里面的 每个目的地IP的带宽 《这儿的上的地IP。因为NAT过后，所以目的IP为内网的IP。》)

以下为ipfw pipe show （运行状态下面的通道显示）
00001: 1.000 Kbit/s 0 ms 10 sl. 1 queues (1 buckets) droptail
mask: 0×00 0×00000000/0×0000 -> 0×00000000/0×0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
0 icmp 1.1.1.3/0 221.5.203.98/0 16983 12286764 0 0 0
00002: 320.000 Kbit/s 0 ms 20 sl. 1 queues (1 buckets) droptail
mask: 0×00 0×00000000/0×0000 -> 0×00000000/0×0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
0 tcp 1.1.1.3/1035 207.46.193.254/80 386482 352842969 0 0 394
00003: 160.000 Kbit/s 0 ms 30 sl. 1 queues (1 buckets) droptail
mask: 0×00 0×00000000/0×0000 -> 0×00000000/0×0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
0 tcp 192.168.1.15/1236 192.168.1.4/81 42383 40705903 0 0 0
00004: 800.000 Kbit/s 0 ms 100 KB 6 queues (64 buckets) droptail
mask: 0×00 0×00000000/0×0000 -> 0xffffffff/0×0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
0 ip 0.0.0.0/0 1.1.1.2/0 45 5000 0 0 0
1 ip 0.0.0.0/0 1.1.1.3/0 6924 7229904 17 23793 0
5 ip 0.0.0.0/0 1.1.1.7/0 6978 9792770 14 19293 0
20 ip 0.0.0.0/0 192.168.1.4/0 9706 5759085 0 0 0
32 ip 192.168.1.4/0 0.0.0.0/0 4905 255108 0 0 0
54 ip 192.168.1.15/0 0.0.0.0/0 9804 14703104 0 0 0

运行结果：
Client1:

客户机1

密户机2：

服务端:

first: cd /usr/src/sys/i386/config
cp GENERIC MyKernel

and
vi MyKernel
add options or rm options

如果想要支持IPFirewall功能。需要添加以下一些options

Read entire article.

今天准备让FreeBSD正式上线! 所以需要把系统安装到物理机中， 可是这台机器只有CDROM，而FreeBSD 6.4有3张CD。如果全下来刻盘就太浪费了，且以前我下过DVD版的。所以想通过FTP的方式来安装 。

用3CDaemon搭建了一个FTPserver ,可以系统在安装的时候 就是不能登录！！！
抓包一看，FreeBSD通过FTP方式安装的时候 ，使用的用户名是ftp,密码为installer@hostname

新建一个FTP用户 密码设成它所需要的，

安装就开始跑起来了！！！

options DUMMYNET #dummynet

添加这个！

因今天在重新编释FreeBSD的内核，所以找到此篇文章，先把此文章Copy过来 备份！
稍后 会重新发表一篇我自己的内核编释过程

 
Read entire article.

编释自己的内核并安装后
重启 立马PING同段的机器 结果提示：Permission denied

远程 也不能SSH上去。 为了验证是不是网络问题了

so
ping 127.0.0.1 通了
ssh hostname 通了！

突然想起，我内核中启用了 ipfw，肯定是默认策略的问题

so
ipfw list
果然 里面就一条策略 还是deny any to any

丫丫的！

添加策略吧！！！

我郁闷中

freebsd# ipfw -q add 10 allow all from any to 127.0.0.0/8
ipfw: getsockopt(IP_FW_ADD): Protocol not available

哎，我又要重新编释内核

[ad#ad_article_2]