From owner-freebsd-ipfw@FreeBSD.ORG Sun Dec 14 05:42:25 2003
Date: Sun, 14 Dec 2003 15:52:25 +0200
Message-Id: <200312141552.AA467796450@acenet.co.za>
From: "Cole" <cole@acenet.co.za>
To: freebsd-ipfw@freebsd.org
Subject: Queue and rules
List-Id: IPFW Technical Discussions
Reply-To: cole@acenet.co.za

Hi

I have set up the following queues and pipes.

#pipes
$fwcmd pipe 1 config bw 3kbyte/s queue 0.5kbyte
$fwcmd pipe 2 config bw 128kbits/s queue 5Kbyte #outgoing
$fwcmd pipe 3 config bw 128kbits/s queue 5Kbyte #incoming
$fwcmd pipe 4 config bw 64kbits/s queue 5Kbyte #outgoing
$fwcmd pipe 5 config bw 64kbits/s queue 5Kbyte #incoming

#queues
$fwcmd queue 1 config pipe 2 weight 100 queue 10 #outgoing
$fwcmd queue 2 config pipe 2 weight 50 queue 10 #outgoing
$fwcmd queue 3 config pipe 3 weight 100 queue 10 #incoming
$fwcmd queue 4 config pipe 3 weight 50 queue 10 #incoming

I have also added the following 2 rules using the queues 1 and 3.

00202 queue 1 tcp from me to 196.34.*.* out via tun0
00203 queue 3 tcp from 196.34.*.* to me in via tun0

I put the *'s in just for privacy's sake; I have the full IP entered in the rules.

Now I wanted to block certain ports like ssh to or from that IP. I added the rule below rules 202 and 203, and no matter if I specify deny all, or deny tcp and the port, I can still get to those ports. I.e. if I add "ipfw add 205 deny tcp from me to 196.34.*.* 22" it will still allow me to connect.

I was wondering if it's because of the queue rules matching first and not bothering to check the rest. If this is the problem, how do I do bandwidth shaping and then still use blocking/deny rules below those queue rules? Or if there is another problem that I'm not seeing or missing, or a solution that you know might work, please let me know.

I'm not subscribed to the mailing list so please reply to cole@acenet.co.za.

Thanks
/Cole
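One way to see why rule 205 never fires, as an added illustration that is not part of the original message: a small Python model of ipfw first-match evaluation in which a queue rule is terminal when the net.inet.ip.fw.one_pass sysctl is set (the default, as documented in ipfw(8)) and is only a pass-through when it is cleared. The Rule and Pkt classes, the "me" and 196.34.0.1 addresses, and the rule numbers are constructed stand-ins for the poster's setup, not ipfw's own data structures.

```python
"""Toy model of ipfw first-match evaluation with dummynet queue actions.

Assumption (from ipfw(8)): with net.inet.ip.fw.one_pass=1 a packet that
leaves a dummynet pipe/queue is not passed through the firewall again, so
a ``queue`` rule behaves as a terminal action; with one_pass=0 the packet
re-enters the ruleset at the rule following the one that queued it.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Pkt:
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    num: int
    action: str                 # "queue", "deny" or "allow"
    src: str                    # exact address or "any"
    dst: str
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Pkt) -> bool:
        return (self.src in ("any", p.src) and self.dst in ("any", p.dst)
                and (self.dport is None or self.dport == p.dport))


def evaluate(rules: List[Rule], p: Pkt, one_pass: bool = True) -> Tuple[str, bool]:
    """Return (verdict, was_queued) for packet p, rules checked in order."""
    queued = False
    for r in rules:
        if not r.matches(p):
            continue
        if r.action == "queue":
            queued = True
            if one_pass:
                return "allow", queued   # leaves via dummynet; later rules never run
            continue                     # one_pass=0: continue with the next rule
        return r.action, queued
    return "deny", queued                # constructed default: nothing matched


# Constructed stand-ins for "me" and the 196.34.x.x host in the post.
ME, PEER = "me", "196.34.0.1"
ORIGINAL = [Rule(202, "queue", ME, PEER), Rule(205, "deny", ME, PEER, 22)]
REORDERED = [Rule(205, "deny", ME, PEER, 22), Rule(202, "queue", ME, PEER)]
SSH = Pkt(ME, PEER, 22)
```

The same model shows both remedies: clearing one_pass so that queued packets re-enter the ruleset and reach the deny, or placing the deny rule ahead of the queue rule so that blocked traffic is dropped before it is ever shaped.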