Re: Ipfw accept rule
From: dima (_pppp_at_mail.ru)
Date: 09/24/04
- Previous message: Peter Risdon: "Re: Linux program and serial port (5.2.1)"
- In reply to: Bikrant Neupane: "Re: Ipfw accept rule"
- Next in thread: Bikrant Neupane: "Re: Ipfw accept rule"
- Reply: Bikrant Neupane: "Re: Ipfw accept rule"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
To: Bikrant Neupane <bikrant_ml@wlink.com.np> Date: Fri, 24 Sep 2004 13:41:59 +0400
÷ ÐÔ, 24.09.2004, × 10:20, Bikrant Neupane ÐÉÛÅÔ:
> On Thursday 23 September 2004 22:29, Jon Simola wrote:
> > On Thu, 23 Sep 2004, Bikrant Neupane wrote:
> > > Here is my rule set:
> > >
> > > #skip dependind the pkt layer
> > > 01000 322 14780 skipto 10000 ip from any to any layer2 in via xl0
> > > 01100 200 93204 skipto 20000 ip from any to any not layer2
> > >
> > > #rule num 10000 to 20000 allocated for layer2 filtering
> > > #for mac filter: allow only listed mac to send traffic
> > > 10000 39 1780 allow ip from any to any MAC any 00:00:0e:84:00:83
> > > in via xl0
> > > #default deny all mac coming in from xl0
> > > 19997 284 13046 deny ip from any to any MAC any any in via xl0
> >
> > If this is layer2 filtering, where are the layer2 tags in the ipfw rule?
> > And if this is the extent of your layer 2, then don't forget an allow/deny
> > default for layer2 packets (allow ip from any to any layer2). Also, you're
> > only checking your layer2 on a specific interface, perhaps you only have
> > one.
> >
> > I've got something like:
> > 00010 skipto 32000 ip from any to any not layer2
> > 00050 deny ip from any to any MAC any 00:30:da:00:00:00/24 layer2 in
> > 00055 count ip from any to any MAC any 00:0b:db:1d:63:56 layer2 in //
> > sniffing for traffic 03100 allow ip from any to any layer2
> > // bandwidth monitoring pipes
> > 32003 pipe 3 ip from any to any src-ip 10.10.66.0/24 in recv em1
> > 32004 pipe 4 ip from any to any dst-ip 10.10.66.0/24 out xmit em1
> > 65534 allow ip from any to any
> > 65535 deny ip from any to any
> >
> Well, I have no problem with the MAC filtering rules.
> Only problem that I am having is that the pkts hit the matching rule twice as
> a result I get only half of the b/w than that specified in ipfw pipe command.
>
>
> 35004 324 485880 pipe 202 ip from any to 202.79.45.254 out via xl0
> 35005 302 12080 pipe 203 ip from 202.79.45.254 to any out via em0
>
> Isn't there a way to construct rules such that matching pkts hit the rule only
> once?
$ man ipfw
[skip]
pipe pipe_nr
Pass packet to a dummynet(4) ``pipe'' (for bandwidth limitation,
delay, etc.). See the TRAFFIC SHAPER (DUMMYNET) CONFIGURATION
Section for further information. The search terminates; however,
on exit from the pipe and if the sysctl(8) variable
net.inet.ip.fw.one_pass is not set, the packet is passed again to
the firewall code starting from the next rule.
[skip]
$
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
- Previous message: Peter Risdon: "Re: Linux program and serial port (5.2.1)"
- In reply to: Bikrant Neupane: "Re: Ipfw accept rule"
- Next in thread: Bikrant Neupane: "Re: Ipfw accept rule"
- Reply: Bikrant Neupane: "Re: Ipfw accept rule"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Relevant Pages
|
|
