Date:      Sun, 15 Aug 2004 13:57:30 -0700
From:      Fargo Holiday <galaxy.ranger@gmail.com>
To:        freebsd-net@freebsd.org
Subject:   Re: [FreeBSD 5.2] Bandwith and packet throttling
Message-ID:  <4a1299a4040815135735626471@mail.gmail.com>
In-Reply-To: <20040815191905.GC43915@shellma.zin.lublin.pl>
References:  <4a1299a404081414287a9ecbc@mail.gmail.com> <20040815104243.GA43915@shellma.zin.lublin.pl> <4a1299a4040815113178caa332@mail.gmail.com> <20040815191905.GC43915@shellma.zin.lublin.pl>

Thank you greatly everyone, derision aside, and especially Pawel. 
The deny loopback is strange, I assume my roommate put that in there
or it is a strange default rule.

And, to be honest, when I looked at the man page, I didn't see any
indication that a successful rule match halted the pattern search, and
in fact the last firewall/routing solution I used was some bastard
piece of software running a Solaris machine. I don't recall the name
of it, but let's just say the experience doesn't carry over to this
layout. Here is what I saw in the man page, and why it didn't occur to
me that the rule placement was important:

"An ipfw configuration, or ruleset, is made of a list of rules numbered
     from 1 to 65535.  Packets are passed to ipfw from a number of different
     places in the protocol stack (depending on the source and destination of
     the packet, it is possible that ipfw is invoked multiple times on the
     same packet).  The packet passed to the firewall is compared against each
     of the rules in the firewall ruleset.  When a match is found, the action
     corresponding to the matching rule is performed."

and a little later:

" Also note that each packet is always checked against the complete rule-
     set, irrespective of the place where the check occurs, or the source of
     the packet."

Though I did initially overlook this part:

"Depending on the action and certain system settings, packets can be rein-
     jected into the firewall at some rule after the matching one for further
     processing."

Which vaguely implies such a thing; I never came across a section that
mentioned this behavior of exiting after a match.

Anyway, thanks again y'all, I truly appreciate it.
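As an added example (not part of this thread and not ipfw's own code), the script below simulates the first-match semantics the quoted man page describes: rules are walked in numeric order and the first matching allow/deny rule decides the packet. It parses only a small subset of the ipfw rule grammar, assumes the catch-all rule 65535 is a deny (the kernel default unless built otherwise), and uses two constructed rulesets: one with a blanket deny placed first, and one with the loopback handling in the order FreeBSD's stock rc.firewall uses (allow traffic via lo0 first, then deny anything carrying a 127/8 address on other interfaces). The `shadowed()` check reports rules that can never fire because an earlier rule already covers everything they match, which is the misordering the thread is about.

```python
"""Added example: simulate ipfw first-match evaluation and find shadowed rules.

Not ipfw itself; only '<num> <allow|deny> <proto> from <src> to <dst> [port]
[via <iface>]' is parsed, and the default rule is assumed to deny.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

DEFAULT_RULE = 65535   # ipfw's catch-all rule; assumed to be a deny here


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str                    # source IPv4 address
    dst: str                    # destination IPv4 address
    dport: Optional[int] = None
    via: Optional[str] = None   # interface the packet is seen on, e.g. "lo0"


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                 # "allow" or "deny"
    proto: str                  # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    via: Optional[str]


def _net(token):
    return ipaddress.ip_network("0.0.0.0/0" if token == "any" else token, strict=False)


def parse_rule(line):
    """Parse one rule line from the supported subset of the ipfw grammar."""
    tok = line.split()
    number, action, proto = int(tok[0]), tok[1], tok[2]
    if action in ("pass", "accept", "permit"):   # ipfw synonyms for allow
        action = "allow"
    if action not in ("allow", "deny") or tok[3] != "from" or tok[5] != "to":
        raise ValueError(f"unsupported rule: {line!r}")
    rest = tok[7:]
    dport = int(rest.pop(0)) if rest and rest[0].isdigit() else None
    via = rest[1] if rest[:1] == ["via"] else None
    return Rule(number, action, proto, _net(tok[4]), _net(tok[6]), dport, via)


def parse_ruleset(text):
    rules = [parse_rule(l) for l in text.strip().splitlines() if l.strip()]
    return sorted(rules, key=lambda r: r.number)   # ipfw walks rules in numeric order


def matches(rule, pkt):
    return (rule.proto in ("ip", pkt.proto)
            and ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and rule.dport in (None, pkt.dport)
            and rule.via in (None, pkt.via))


def evaluate(rules, pkt):
    """Return (rule number, action) of the first match, else the default rule."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.number, rule.action
    return DEFAULT_RULE, "deny"


def shadowed(rules):
    """Numbers of rules that can never fire: an earlier rule already catches
    every packet they could match, so evaluation stops before reaching them."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.proto in ("ip", later.proto)
                    and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)
                    and earlier.dport in (None, later.dport)
                    and earlier.via in (None, later.via)):
                out.append(later.number)
                break
    return out


# Constructed rulesets for illustration; not the poster's configuration.
MISORDERED = """
00100 deny ip from any to any
00200 allow tcp from any to 192.0.2.10 80
00300 allow ip from any to any via lo0
"""

ORDERED = """
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 allow tcp from any to 192.0.2.10 80
"""

# Constructed sample packets: a web request, local loopback traffic, and a
# packet arriving on the outside interface with a spoofed loopback source.
WEB = Packet("tcp", "198.51.100.7", "192.0.2.10", 80, "em0")
LOOP = Packet("tcp", "127.0.0.1", "127.0.0.1", 22, "lo0")
SPOOF = Packet("tcp", "127.0.0.1", "192.0.2.10", 80, "em0")

if __name__ == "__main__":
    for name, text in (("misordered", MISORDERED), ("ordered", ORDERED)):
        rules = parse_ruleset(text)
        print(name, "shadowed rules:", shadowed(rules))
        for pkt in (WEB, LOOP, SPOOF):
            print("  ", pkt.src, "->", pkt.dst, "via", pkt.via, "=>", evaluate(rules, pkt))
```

Running it shows the blanket deny at rule 100 in the misordered set catching every packet and leaving rules 200 and 300 unreachable, while the ordered set allows loopback and the web request yet still drops the spoofed 127/8 packet at rule 300.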


