Date:      Thu, 13 Feb 2003 11:23:16 +0200 (EET)
From:      Andrey Simonenko <simon@comsys.ntu-kpi.kiev.ua>
To:        Andrea Venturoli <ml.ventu@flashnet.it>
Cc:        freebsd-net@freebsd.org
Subject:   Re: ipfw: count=pass?
Message-ID:  <200302130923.h1D9NGrH000377@pm514-9.comsys.ntu-kpi.kiev.ua>
In-Reply-To: <200302121602.h1CG2n4h002384@soth.ventu.lucky.freebsd.net>

On Wed, 12 Feb 2003 16:02:37 +0000 (UTC) in lucky.freebsd.net, Andrea Venturoli wrote:
> Hello!
> I've tried to block users from surfing the web, once they have moved
> a certain amount of traffic per week. I put a series of "count" rules
> in ipfw and let cron call a script every 5 minutes to read the
> associated byte counter and possibly insert "deny" rules *after* the
> count rules.

There is ports/sysutils/ipa for this kind of work.

> The problem is that the traffic still goes through: the counters of the
> deny rules are all 0, as though they were never reached.
> ipfw's manual page states that after a count the packet goes ahead in
> the rule chain as if nothing has happened, but at this point I'm
> beginning to wonder whether this is true or whether the count rules also
> allow traffic through as if they were "pass".
> This is on FreeBSD 4.7-p3.
> 

If the counter of some IPFW rule is always 0, then this means that this
rule is not reached (you are right here).  After a "count" rule the search
continues with the next rule (with the same number or with the next number;
at least this is true for IPFW1, check it).  You should find an "allow" rule
before the "deny" rule which allows some traffic.

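A small model of the first-match evaluation described in the reply above, added here as an illustration (it is not part of the original thread and not ipfw itself): "count" bumps its counter and falls through, the first matching "allow" or "deny" decides, so a deny numbered after a broad allow is never reached. Rule numbers, the host address and packet sizes are constructed.

```python
# Simplified model of IPFW1 rule evaluation: rules are walked in ascending
# number order; "count" only updates counters and continues; the first
# matching "allow"/"deny" terminates the search. Hypothetical rule set.
class Rule:
    def __init__(self, number, action, src):
        self.number = number      # ipfw rule number
        self.action = action      # "count", "allow" or "deny"
        self.src = src            # source host or "any"
        self.packets = 0          # hit counter, as shown by `ipfw -a list`
        self.bytes = 0

    def matches(self, pkt):
        return self.src == "any" or self.src == pkt["src"]

def evaluate(rules, pkt):
    """Return the verdict for one packet and update hit counters on the way."""
    for rule in sorted(rules, key=lambda r: r.number):
        if not rule.matches(pkt):
            continue
        rule.packets += 1
        rule.bytes += pkt["len"]
        if rule.action in ("allow", "deny"):
            return rule.action
    return "deny"  # implicit default rule 65535 (deny ip from any to any)

# Constructed traffic: two packets from a user who exceeded the weekly quota.
PKTS = [{"src": "192.168.1.10", "len": 1500}] * 2

def broken_ruleset():
    # count at 100, a broad allow at 200, cron-inserted deny at 300:
    # the allow is hit first, so the deny counter stays at 0.
    return [Rule(100, "count", "192.168.1.10"),
            Rule(200, "allow", "any"),
            Rule(300, "deny", "192.168.1.10")]

def fixed_ruleset():
    # deny inserted after the count rule but before the allow rule.
    return [Rule(100, "count", "192.168.1.10"),
            Rule(150, "deny", "192.168.1.10"),
            Rule(200, "allow", "any")]

def demo(rules):
    """Run PKTS through a rule set; return verdicts and per-rule packet counts."""
    verdicts = [evaluate(rules, p) for p in PKTS]
    return verdicts, {r.number: r.packets for r in rules}

if __name__ == "__main__":
    print("broken:", demo(broken_ruleset()))
    print("fixed: ", demo(fixed_ruleset()))
```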