Date:      Thu, 30 May 2002 11:58:58 +0300
From:      "Artyom V. Viklenko" <artem@mipk-kspu.kharkov.ua>
To:        Jon Noack <noackjr@compgeek.com>
Cc:        freebsd-ipfw@FreeBSD.ORG
Subject:   Re: peer-to-peer asymmetric simulation
Message-ID:  <3CF5E9D2.34ACD788@mipk-kspu.kharkov.ua>
References:  <20020530080245.16290.cpmta@c015.snv.cp.net>

Jon Noack wrote:
> 
> Not with bridging (from http://info.iet.unipi.it/~luigi/ip_dummynet/):
> 
> net.inet.ip.fw.one_pass: 1
>         Forces a single pass through the firewall. If set to 0,
>         packets coming out of a pipe will be reinjected into the
>         firewall starting with the rule after the matching one.
>         NOTE: there is always one pass for bridged packets.

Let's say we have the following rules:

100  pipe 1 ip from any to any in
200  allow ........

Rule 100 forwards an inbound packet to pipe 1, doesn't it?
If net.inet.ip.fw.one_pass=1, this packet, after the pipe,
will never reach rule 200. Or am I wrong?

But if net.inet.ip.fw.one_pass=0, then it will.

I use this option on our border router/firewall.

The difference is that a routed packet can pass through ipgw(!)
twice or once, and a bridged one only once, but through the whole
IPFW rule table.

dummynet(4):

    "Depending on the setting
     of the sysctl variable `net.inet.ip.fw.one_pass', packets coming from a
     pipe can be either forwarded to their destination, or passed again
     through the ipfw rules, starting from the one after the matching rule."

And:

    "Getting ipfw to work right is not very intuitive, especially when the
     system is acting as a router or a bridge."

:)


-- 
       Sincerely yours,
                         Artyom V. Viklenko.
======================================================
System Administrator        artem@mipk-kspu.kharkov.ua
------------------------------------------------------
IIAT NTU "KhPI" 21, Frunze Str., Kharkov Ukraine 61002
Phone: +380 (572) 400026        Fax: +380 (572) 474062
======================================================
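
The one_pass behaviour discussed in this message, as a simplified model for a routed packet. This is an added example, not part of the original e-mail and not ipfw code. Rule 100 is taken from the message; rules 150 and 200, the packet dictionaries and the default-deny final rule are assumptions constructed for illustration, and bridged packets are not modelled.

```python
# Added example: simplified model of ipfw first-match traversal for a ROUTED packet.
from typing import Callable, NamedTuple

class Rule(NamedTuple):
    num: int
    action: str                      # "pipe", "allow" or "deny"
    match: Callable[[dict], bool]

# Rule 100 is the one from the message; 150 and 200 are constructed.
RULES = [
    Rule(100, "pipe",  lambda p: p["dir"] == "in"),
    Rule(150, "deny",  lambda p: p["proto"] == "tcp" and p["dport"] == 23),
    Rule(200, "allow", lambda p: True),
]

def traverse(rules, pkt, one_pass):
    """Return (verdict, numbers of the rules that matched)."""
    hits = []
    for rule in sorted(rules, key=lambda r: r.num):
        if not rule.match(pkt):
            continue
        hits.append(rule.num)
        if rule.action in ("allow", "deny"):
            return rule.action, hits
        # action == "pipe": the packet is queued, then leaves the pipe.
        if one_pass:
            return "allow", hits     # forwarded; later rules never run
        # one_pass=0: reinjected at the rule after the matching one,
        # which in this model is simply the next loop iteration.
    return "deny", hits              # assumed default-deny final rule

# Constructed sample packets.
TELNET_IN = {"dir": "in", "proto": "tcp", "dport": 23}
HTTP_IN = {"dir": "in", "proto": "tcp", "dport": 80}

if __name__ == "__main__":
    for one_pass in (1, 0):
        for name, pkt in (("telnet", TELNET_IN), ("http", HTTP_IN)):
            print(one_pass, name, traverse(RULES, pkt, one_pass))
```

In this model, with one_pass=1 the pipe rule behaves as an accept, so the deny at rule 150 is never consulted for inbound traffic. Filtering rules therefore belong before the pipe rule, or one_pass must be 0.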
