From owner-freebsd-questions@FreeBSD.ORG Fri Apr 23 04:32:26 2004
Date: Fri, 23 Apr 2004 13:31:10 +0200
From: Alex de Kruijff
To: Marcelo Pinheiro
cc: freebsd-questions@freebsd.org
Subject: Re: Dummynet+Firewall+One_pass question
Message-id: <20040423113110.GC24076@alex.lan>
References: <20040422190101.B04F216A4CE@hub.freebsd.org>
User-Agent: Mutt/1.4.2.1i

On Thu, Apr 22, 2004 at 04:25:53PM -0300, Marcelo Pinheiro wrote:
> Hi,
>
> I am very new to FreeBSD, and I have a quite simple question: How does IPFW
> work when I use PIPES, divert and some other Firewall rules?
> What does net.inet.ip.fw.one_pass mean? For instance, if I use a pipe before
> a divert with one_pass set to 1, the packet passes through the pipe, but
> does not pass through the divert and that makes total sense. However if I
> set one_pass to 1 and set the pipe after the divert using the internal IP
> address ( RFC 1918 ) it works.... that does not make any sense, at least to
> me. :)
>
> man ipfw gives me:
>
>     pipe pipe_nr
>         Pass packet to a dummynet(4) ``pipe'' (for bandwidth limitation,
>         delay, etc.). See the TRAFFIC SHAPER (DUMMYNET) CONFIGURATION
>         Section for further information. The search terminates; however,
>         on exit from the pipe and if the sysctl(8) variable
>         net.inet.ip.fw.one_pass is not set, the packet is passed again to
>         the firewall code starting from the next rule.
>
> Here are some sample rules:
>
> # INTERNAL NETWORK
> ${fwcmd} pipe 1000 config bw 1024Kbit/s
> ${fwcmd} pipe 1001 config bw 1024Kbit/s
>
> ${fwcmd} add divert natd all from 10.0.0.0/8 to any
> ${fwcmd} add divert natd all from any to 200.x.x.x
>
> ${fwcmd} add pipe 1038 ip from 10.0.0.0/8 to any
> ${fwcmd} add pipe 1039 ip from any to 10.0.0.0/8
>
> If I set the way above, it works fine, even if the one_pass is set to 1 (
> one ). The divert changes the packet header to my external IP, and my real
> question is: How in the world does the pipe work if the header is changed to
> 200, instead of 10?
>
> THIS WAY IT DOES NOT WORK WITH ONE_PASS SET TO 1, it passes through the
> pipe, but does not pass through the divert:
>
> # INTERNAL NETWORK
> ${fwcmd} pipe 1000 config bw 1024Kbit/s
> ${fwcmd} pipe 1001 config bw 1024Kbit/s
>
> ${fwcmd} add pipe 1038 ip from 10.0.0.0/8 to any
> ${fwcmd} add pipe 1039 ip from any to 10.0.0.0/8
>
> ${fwcmd} add divert natd all from 10.0.0.0/8 to any
> ${fwcmd} add divert natd all from any to 200.x.x.x
>
> I deeply appreciate any ideas.

That's because the packets that meet the pipe rules are also allowed and thus
never meet the divert rule.

--
Alex

Articles based on solutions that I use:
http://www.kruijff.org/alex/index.php?dir=docs/FreeBSD/
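The rule-walk the thread is arguing about can be checked without a FreeBSD box. The following Python model is an added example, not code from either poster and not ipfw itself: it implements only the two behaviours quoted from ipfw(8) (a matching pipe rule terminates the search when one_pass=1 and continues from the next rule when one_pass=0; a matching divert rule hands the packet to natd, which re-injects it so the search resumes at the rule after the divert with the translated header). `FakeNatd` is a hypothetical one-entry stand-in for natd(8), the addresses are constructed, `PUBLIC` replaces the elided 200.x.x.x with a documentation-range address, and per-interface passes and the default rule are not modelled.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-in for the poster's elided external address (200.x.x.x);
# 198.51.100.0/24 is a documentation range, so nothing real is referenced.
PUBLIC = "198.51.100.1"
LAN = "10.0.0.0/8"


@dataclass
class Packet:
    src: str
    dst: str
    trace: list = field(default_factory=list)  # actions hit, in rule order


@dataclass
class Rule:
    action: str  # "pipe" or "divert" (the only actions in the poster's set)
    src: str     # CIDR, host address, or "any"
    dst: str


def in_set(spec, addr):
    """True if addr is covered by spec ("any", a host address, or a CIDR)."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


class FakeNatd:
    """Hypothetical stand-in for natd(8): alias LAN sources to PUBLIC on the
    way out, and put the inside address back on replies addressed to PUBLIC."""

    def __init__(self, inside=None):
        self.inside = inside  # last inside host seen, a one-entry "NAT table"

    def translate(self, pkt):
        if in_set(LAN, pkt.src):
            self.inside = pkt.src
            pkt.src = PUBLIC
        elif pkt.dst == PUBLIC and self.inside is not None:
            pkt.dst = self.inside
        return pkt


def run_ipfw(rules, pkt, one_pass, natd):
    """Walk the rule list the way ipfw(8) describes for pipe and divert.

    divert: natd sees the packet and re-injects it; the search resumes at the
            rule after the divert rule, now with the translated header.
    pipe:   with one_pass=1 the search terminates and the packet is accepted;
            with one_pass=0 it comes back from dummynet and continues at the
            next rule.
    """
    i = 0
    while i < len(rules):
        r = rules[i]
        if in_set(r.src, pkt.src) and in_set(r.dst, pkt.dst):
            pkt.trace.append(r.action)
            if r.action == "divert":
                pkt = natd.translate(pkt)
            elif r.action == "pipe" and one_pass:
                return "accept", pkt
        i += 1
    return "fell-through", pkt  # no terminating match; the default rule would decide


# The two orderings from the post (pipe numbers omitted; only the order matters).
DIVERT_FIRST = [Rule("divert", LAN, "any"), Rule("divert", "any", PUBLIC),
                Rule("pipe", LAN, "any"), Rule("pipe", "any", LAN)]
PIPE_FIRST = [Rule("pipe", LAN, "any"), Rule("pipe", "any", LAN),
              Rule("divert", LAN, "any"), Rule("divert", "any", PUBLIC)]


def pipe_first_outbound(one_pass):
    """LAN host sends out through the pipe-first set; returns (actions, verdict, src)."""
    pkt = Packet("10.0.0.5", "203.0.113.9")  # constructed LAN host and remote host
    verdict, out = run_ipfw(PIPE_FIRST, pkt, one_pass, FakeNatd())
    return out.trace, verdict, out.src


def divert_first_inbound(one_pass=1):
    """Reply to PUBLIC through the divert-first set; natd already knows the inside host."""
    pkt = Packet("203.0.113.9", PUBLIC)
    verdict, out = run_ipfw(DIVERT_FIRST, pkt, one_pass, FakeNatd(inside="10.0.0.5"))
    return out.trace, verdict, out.dst


if __name__ == "__main__":
    print("pipe first, one_pass=1:", pipe_first_outbound(1))
    print("pipe first, one_pass=0:", pipe_first_outbound(0))
    print("divert first, inbound: ", divert_first_inbound())
```

With the pipe rules first and one_pass=1 the trace stops at `pipe` and the source address is never translated, which is the failure the poster describes and the reason Alex gives; flipping one_pass to 0 lets the same packet continue to the divert rule. With the divert rules first, an inbound reply reaches the `pipe ... from any to 10.0.0.0/8` rule only after natd has rewritten the destination back to the inside host, which is why a pipe matching on the private address still fires even though the wire header carried the external one.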