Date:      Fri, 24 Sep 2004 15:48:13 +0545
From:      Bikrant Neupane <bikrant_ml@wlink.com.np>
To:        dima <_pppp@mail.ru>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Ipfw accept rule
Message-ID:  <200409241548.14313.bikrant_ml@wlink.com.np>
In-Reply-To: <1096018919.654.3.camel@pppp>
References:  <20040923091609.K60082-100000@tyberius.abccom.bc.ca> <200409241205.53812.bikrant_ml@wlink.com.np> <1096018919.654.3.camel@pppp>

On Friday 24 September 2004 15:26, dima wrote:
> On Fri, 24.09.2004, at 10:20, Bikrant Neupane wrote:
> > On Thursday 23 September 2004 22:29, Jon Simola wrote:
> > > On Thu, 23 Sep 2004, Bikrant Neupane wrote:
> > > > Here is my rule set:
> > > >
> > > > #skip depending on the pkt layer
> > > > 01000   322    14780 skipto 10000 ip from any to any layer2 in via xl0
> > > > 01100   200    93204 skipto 20000 ip from any to any not layer2
> > > >
> > > > #rule num 10000 to 20000 allocated for layer2 filtering
> > > > #for mac filter: allow only listed mac to send traffic
> > > > 10000    39     1780 allow ip from any to any MAC any 00:00:0e:84:00:83 in via xl0
> > > > #default deny all mac coming in from xl0
> > > > 19997   284    13046 deny ip from any to any MAC any any in via xl0
> > >
> > > If this is layer2 filtering, where are the layer2 tags in the ipfw
> > > rule? And if this is the extent of your layer 2, then don't forget an
> > > allow/deny default for layer2 packets (allow ip from any to any
> > > layer2). Also, you're only checking your layer2 on a specific
> > > interface, perhaps you only have one.
> > >
> > > I've got something like:
> > > 00010 skipto 32000 ip from any to any not layer2
> > > 00050 deny ip from any to any MAC any 00:30:da:00:00:00/24 layer2 in
> > > 00055 count ip from any to any MAC any 00:0b:db:1d:63:56 layer2 in // sniffing for traffic
> > > 03100 allow ip from any to any layer2
> > > // bandwidth monitoring pipes
> > > 32003 pipe 3 ip from any to any src-ip 10.10.66.0/24 in recv em1
> > > 32004 pipe 4 ip from any to any dst-ip 10.10.66.0/24 out xmit em1
> > > 65534 allow ip from any to any
> > > 65535 deny ip from any to any
> >
> > Well, I have no problem with the MAC filtering rules.
> > Only problem that I am having is that the pkts hit the matching rule
> > twice as a result I get only half of the b/w than that specified in ipfw
> > pipe command.
> >
> >
> > 35004   324   485880 pipe 202 ip from any to 202.79.45.254 out via xl0
> > 35005   302    12080 pipe 203 ip from 202.79.45.254 to any out via em0
> >
> > Isn't there a way to construct rules such that matching pkts hit the rule
> > only once?
>
> $ man ipfw
> [skip]
> pipe pipe_nr
>     Pass packet to a dummynet(4) ``pipe'' (for bandwidth limitation,
>     delay, etc.).  See the TRAFFIC SHAPER (DUMMYNET) CONFIGURATION
>     Section for further information.  The search terminates; however,
>     on exit from the pipe and if the sysctl(8) variable
>     net.inet.ip.fw.one_pass is not set, the packet is passed again to
>     the firewall code starting from the next rule.
> [skip]
# sysctl -a net.inet.ip.fw.one_pass
net.inet.ip.fw.one_pass: 1
It is by default 1.

I tried with 0 as well.

Bikrant

> $
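The double pipe hit discussed in this thread can be reproduced in a toy model of ipfw rule traversal. This is an added example, not code from the thread or from FreeBSD. It assumes that layer2 filtering is enabled (net.link.ether.ipfw=1), so ipfw is offered each frame twice, once at the IP layer and once at the Ethernet layer; that a `pipe` action ends the search when net.inet.ip.fw.one_pass is 1; and it stands in for the MAC match in rule 10000 with a plain interface/direction match. With the ruleset from the thread, an outbound packet to 202.79.45.254 is matched by rule 35004 on both passes, because nothing before it catches outbound layer2 frames; adding the default layer2 rule Jon Simola recommended makes the Ethernet-layer pass stop there, so the pipe is entered once.

```python
"""Toy model of ipfw rule traversal (added example; not FreeBSD code).

Assumptions, not taken from the thread:
  * net.link.ether.ipfw=1: every packet is run through the ruleset twice,
    first with layer2=False (IP layer) and then with layer2=True (Ethernet).
  * 'pipe' terminates the search when one_pass is True; when it is False the
    search resumes at the next rule, as the ipfw(8) man page quoted above says.
  * The MAC allow-list in rule 10000 is replaced by an interface/direction match.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    num: int
    action: str                       # "skipto", "allow", "deny" or "pipe"
    arg: int = 0                      # skipto target or dummynet pipe number
    src: str = "any"
    dst: str = "any"
    layer2: Optional[bool] = None     # True = "layer2", False = "not layer2", None = either
    direction: Optional[str] = None   # "in", "out" or None
    iface: Optional[str] = None       # "via <iface>" or None


@dataclass
class Packet:
    src: str
    dst: str
    direction: str                    # "in" or "out"
    iface: str
    layer2: bool = False              # which pass this is (IP layer or Ethernet layer)


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every option present on the rule is satisfied by the packet."""
    if rule.src != "any" and rule.src != pkt.src:
        return False
    if rule.dst != "any" and rule.dst != pkt.dst:
        return False
    if rule.layer2 is not None and rule.layer2 != pkt.layer2:
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    return True


def walk(rules: List[Rule], pkt: Packet, one_pass: bool, hits: List[int]) -> str:
    """Walk a sorted ruleset once for one packet, appending matched rule numbers to hits."""
    i = 0
    while i < len(rules):
        r = rules[i]
        if not matches(r, pkt):
            i += 1
            continue
        hits.append(r.num)
        if r.action == "skipto":
            # resume at the first rule whose number is >= the target
            i = next((j for j, x in enumerate(rules) if x.num >= r.arg), len(rules))
            continue
        if r.action in ("allow", "deny"):
            return r.action
        if r.action == "pipe":
            if one_pass:
                return "allow"        # packet leaves dummynet and is not re-filtered
            i += 1                    # one_pass=0: continue from the next rule
            continue
        i += 1
    return "deny"                     # implicit default rule 65535


def evaluate(rules: List[Rule], pkt: Packet, one_pass: bool = True) -> List[int]:
    """Offer the packet at the IP layer and again at the Ethernet layer; return rule hits."""
    ordered = sorted(rules, key=lambda r: r.num)
    hits: List[int] = []
    for l2 in (False, True):
        walk(ordered, Packet(pkt.src, pkt.dst, pkt.direction, pkt.iface, layer2=l2), one_pass, hits)
    return hits


def pipe_hits(rules: List[Rule], pkt: Packet, rule_num: int, one_pass: bool = True) -> int:
    """How many times the given pipe rule is entered for one packet."""
    return evaluate(rules, pkt, one_pass).count(rule_num)


# Ruleset transcribed from the thread (counters dropped, MAC match simplified).
THREAD_RULES = [
    Rule(1000, "skipto", 10000, layer2=True, direction="in", iface="xl0"),
    Rule(1100, "skipto", 20000, layer2=False),
    Rule(10000, "allow", layer2=True, direction="in", iface="xl0"),   # stand-in for the MAC allow
    Rule(19997, "deny", layer2=True, direction="in", iface="xl0"),
    Rule(35004, "pipe", 202, dst="202.79.45.254", direction="out", iface="xl0"),
    Rule(35005, "pipe", 203, src="202.79.45.254", direction="out", iface="em0"),
    Rule(65535, "deny"),
]

# Same ruleset plus a default rule for layer2 frames, as Jon Simola suggested.
FIXED_RULES = THREAD_RULES + [Rule(19999, "allow", layer2=True)]

# Constructed sample: a packet leaving on xl0 towards the shaped host.
SAMPLE_PKT = Packet("10.0.0.5", "202.79.45.254", "out", "xl0")

if __name__ == "__main__":
    print("thread ruleset:", evaluate(THREAD_RULES, SAMPLE_PKT))   # rule 35004 appears twice
    print("fixed ruleset: ", evaluate(FIXED_RULES, SAMPLE_PKT))    # rule 35004 appears once
```

The model is deliberately small: it shows that the second hit does not come from one_pass at all but from the Ethernet-layer pass falling through to the layer3 rules, which is why toggling net.inet.ip.fw.one_pass changed nothing in the thread.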



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200409241548.14313.bikrant_ml>