From: "Artyom V. Viklenko"
Organization: IIAT NTU "KhPI"
Date: Thu, 30 May 2002 11:58:58 +0300
To: Jon Noack
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: peer-to-peer asymmetric simulation

Jon Noack wrote:
>
> Not with bridging (from http://info.iet.unipi.it/~luigi/ip_dummynet/):
>
> net.inet.ip.fw.one_pass: 1
> Forces a single pass through the firewall. If set to 0,
> packets coming out of a pipe will be reinjected into the
> firewall starting with the rule after the matching one.
> NOTE: there is always one pass for bridged packets.

Let's say we have the following rules:

100 pipe 1 ip from any to any in
200 allow
........

Rule 100 forwards the inbound packet to pipe 1, doesn't it? If net.inet.ip.fw.one_pass=1, this packet will never reach rule 200 after the pipe. Or am I wrong? But if net.inet.ip.fw.one_pass=0, then it will. I use this option on our border router/firewall.

The difference is that a routed packet can pass through ipfw(!) twice or once, while a bridged packet passes only once, but through the whole IPFW rule table.

dummynet(4): "Depending on the setting of the sysctl variable `net.inet.ip.fw.one_pass', packets coming from a pipe can be either forwarded to their destination, or passed again through the ipfw rules, starting from the one after the matching rule."

And: "Getting ipfw to work right is not very intuitive, especially when the system is acting as a router or a bridge." :)

--
Sincerely yours,
Artyom V. Viklenko.
System Administrator, IIAT NTU "KhPI"
21, Frunze Str., Kharkov, Ukraine 61002
artem@mipk-kspu.kharkov.ua
Phone: +380 (572) 400026   Fax: +380 (572) 474062
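As an added illustration (not part of the message or of FreeBSD's code), the following Python model walks the two-rule table above for a routed and for a bridged packet under both settings of net.inet.ip.fw.one_pass. The Rule type, the treatment of a bridged packet as a single inbound pass, and the default-deny at the end of the table are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    number: int
    action: str              # "pipe", "allow" or "deny"
    direction: str           # "in", "out" or "any"
    pipe: Optional[int] = None


# Constructed rule set from the message: "100 pipe 1 ip from any to any in" / "200 allow"
RULES = [Rule(100, "pipe", "in", pipe=1), Rule(200, "allow", "any")]


def one_firewall_pass(rules, direction, one_pass, bridged):
    """Walk the rule table once for a packet travelling `direction`.
    Returns (verdict, list of rule numbers that matched, in order)."""
    matched = []
    i = 0
    while i < len(rules):
        rule = rules[i]
        i += 1
        if rule.direction not in ("any", direction):
            continue                       # rule does not apply to this direction
        matched.append(rule.number)
        if rule.action in ("allow", "deny"):
            return rule.action, matched
        # "pipe": dummynet shapes the packet; what happens next depends on one_pass
        if one_pass or bridged:
            return "allow", matched        # forwarded to its destination, no more rules
        # one_pass=0: reinjected starting with the rule after the matching one (loop continues)
    return "deny", matched                 # fell off the table: assume a default-deny kernel


def simulate(rules, one_pass, bridged=False):
    """A routed packet hits ipfw twice (inbound, then outbound); a bridged packet once."""
    passes = [one_firewall_pass(rules, "in", one_pass, bridged)]
    if not bridged and passes[0][0] == "allow":
        passes.append(one_firewall_pass(rules, "out", one_pass, bridged))
    return passes


if __name__ == "__main__":
    for one_pass in (1, 0):
        print(f"routed, one_pass={one_pass}:", simulate(RULES, one_pass))
    print("bridged:", simulate(RULES, 1, bridged=True))
```

With one_pass=1 the inbound pass stops at rule 100 and rule 200 is only seen on the outbound pass; with one_pass=0 the inbound pass visits both rules; the bridged packet sees rule 100 once and nothing else.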