Re: Ipfw accept rule

From: Bikrant Neupane (bikrant_ml_at_wlink.com.np)
Date: 09/23/04

    To: freebsd-isp@freebsd.org
    Date: Thu, 23 Sep 2004 13:36:57 +0545

    Thanks for the reply.
    Well, I am not looking for the count rule.

    Actually I have some other situation. I am trying to implement b/w shaping
    using ipfw. And I am trying to include MAC address based filtering in it as
    well. As long as I don't implement ipfw in ether (net.link.ether.ipfw=0/1)
    pkts hit the rule only once and I get the b/w as specified in the IPFW pipe
    syntax. However, when I enable ipfw in ether all the pkts hit the matching
    rule twice, and as a result I get half of the b/w to what has been specified
    in ipfw pipe.
    This is normal (as mentioned in the ipfw man page) since pkt traversal is
    doubled when IPFW is enabled in ether.

    Anyway, I can get the desired output by multiplying/dividing the b/w value by
    2. But that won't look neat :)

    Here is my rule set:

    #skip depending on the pkt layer
    01000 322 14780 skipto 10000 ip from any to any layer2 in via xl0
    01100 200 93204 skipto 20000 ip from any to any not layer2

    #rule num 10000 to 20000 allocated for layer2 filtering
    #for mac filter: allow only listed mac to send traffic
    10000 39 1780 allow ip from any to any MAC any 00:00:0e:84:00:83 in via xl0
    #default deny all mac coming in from xl0
    19997 284 13046 deny ip from any to any MAC any any in via xl0

    #rules above 20,000 allocated for !layer2 filtering
    #general firewall rule
    20100 0 0 allow ip from any to any via lo0
    20150 72 6448 allow ip from me to any out
    20200 75 45356 count ip from any to any in via em0
    20250 56 2240 count ip from any to any out via em0

    #traffic shaping
    35000 0 0 pipe 200 ip from any to 202.79.45.253 out via xl0
    35001 0 0 pipe 201 ip from 202.79.45.253 to any out via em0
    35002 0 0 allow ip from any to 202.79.45.253
    35003 0 0 allow ip from 202.79.45.253 to any
    35004 324 485880 pipe 202 ip from any to 202.79.45.254 out via xl0
    35005 302 12080 pipe 203 ip from 202.79.45.254 to any out via em0
    35006 163 244440 allow ip from any to 202.79.45.254
    35007 151 6040 allow ip from 202.79.45.254 to any

    #default deny
    65530 25 1138 deny log ip from any to any
    65535 29604 21352015 allow ip from any to any

    regards,
    Bikrant

    On Thursday 23 September 2004 13:01, David Atkinson wrote:
    > Are you looking for something like count? The whole idea of an allow rule
    > is that once it matches it is assumed that you actually do want that
    > packet and there is no point continuing through the ruleset. If you want
    > to have a general allow rule with a few specific exclusions, add one or
    > two deny rules for the specific cases and then have your more general
    > allow rule. One problem that does occur with this plan is that it becomes
    > very easy to overload your server with lots of rarely matched deny rules.
    > If you find the time in interrupt going too high look at constructing some
    > blocks of rules and set up some skipto rules. In the case of blocking
    > (firewalling off) well known sources of spam, a lot of rules can be
    > generated very quickly. As these only apply to port 25 traffic, skipto
    > can be used to skip these rules for all other traffic.
    >
    > 1000 skipto 2000 tcp from any to any 25
    > 1100 skipto 4000 ip from any to any
    > 2000 deny ip from spammer.com to any
    > ...
    >
    > HTH,
    > David Atkinson
    >
    > On Thu, 23 Sep 2004, Bikrant Neupane wrote:
    > > Hi,
    > > When a packet hits "allow | accept | pass | permit" rule the packet is
    > > accepted and the search is terminated at that point.
    > >
    > > I need to accept the packet but still want the packet to continue traversing
    > > rules further below. However, once it hits "deny | drop" rule it should
    > > be dropped and the search should terminate at that point. Is that
    > > possible with IPFW?
    > >
    > > regards,
    > > Bikrant
    > >
    > >
    > > _______________________________________________
    > > freebsd-isp@freebsd.org mailing list
    > > http://lists.freebsd.org/mailman/listinfo/freebsd-isp
    > > To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
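An added toy model of the double traversal described in the mail above; it is not FreeBSD's ipfw code. The rule and packet fields, the sample outbound packet and the extra rule 1050 (a layer-2 pass-through so only the layer-3 pass reaches the pipes) are assumptions made for the model.

```python
# Added toy model of ipfw rule traversal, not FreeBSD code. With net.link.ether.ipfw=1
# the same frame is evaluated once at layer 2 (layer2=True) and again at layer 3
# (layer2=False); pipe/allow/deny end a pass (default net.inet.ip.fw.one_pass=1).
# Rule and packet fields are assumptions made for the model.

def matches(rule, pkt):
    return all(pkt.get(k) == v for k, v in rule["match"].items())

def run_pass(rules, pkt):
    """One traversal; returns (verdict, pipes hit) for this pass."""
    i, pipes = 0, []
    while i < len(rules):
        r = rules[i]
        if not matches(r, pkt):
            i += 1
            continue
        if r["action"] == "skipto":          # jump to first rule numbered >= target
            i = next((j for j, x in enumerate(rules) if x["num"] >= r["arg"]), len(rules))
        elif r["action"] == "pipe":          # dummynet: traffic shaped, search ends
            pipes.append(r["arg"])
            return "allow", pipes
        elif r["action"] in ("allow", "deny"):
            return r["action"], pipes
        else:                                # count: keep walking
            i += 1
    return "allow", pipes                    # implicit 65535 allow

def pipe_hits(rules, pkt, ether_ipfw):
    """Total pipe hits for one packet: two passes when ipfw runs in ether too."""
    passes = [dict(pkt, layer2=True)] if ether_ipfw else []
    passes.append(dict(pkt, layer2=False))
    return sum(len(run_pass(rules, p)[1]) for p in passes)

# Subset of the ruleset from the mail (ipfw MAC order is dst then src).
RULES = [
    dict(num=1000, action="skipto", arg=10000, match=dict(layer2=True, dir="in", via="xl0")),
    dict(num=1100, action="skipto", arg=20000, match=dict(layer2=False)),
    dict(num=10000, action="allow", match=dict(layer2=True, dir="in", via="xl0", src_mac="00:00:0e:84:00:83")),
    dict(num=19997, action="deny", match=dict(layer2=True, dir="in", via="xl0")),
    dict(num=20100, action="allow", match=dict(via="lo0")),
    dict(num=35000, action="pipe", arg=200, match=dict(dir="out", via="xl0", dst="202.79.45.253")),
    dict(num=35002, action="allow", match=dict(dst="202.79.45.253")),
    dict(num=35003, action="allow", match=dict(src="202.79.45.253")),
    dict(num=65530, action="deny", match={}),
]
# Assumed remedy: pass layer-2 frames that are past the MAC check untouched, so only
# the layer-3 pass reaches the pipes and each packet is shaped once.
FIXED = sorted(RULES + [dict(num=1050, action="allow", match=dict(layer2=True))], key=lambda r: r["num"])

OUT_TO_CLIENT = dict(dir="out", via="xl0", dst="202.79.45.253")  # constructed sample packet
```

With the original rules the outbound packet hits pipe 200 once with ether filtering off and twice with it on, which is the halved bandwidth the mail reports; with the pass-through rule it is shaped once while the MAC check at rules 1000/10000/19997 still applies to inbound layer-2 frames.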

