From owner-freebsd-isp@FreeBSD.ORG Fri Sep 24 10:03:29 2004
Delivered-To: freebsd-isp@freebsd.org
From: Bikrant Neupane <bikrant_ml@wlink.com.np>
To: dima <_pppp@mail.ru>
Date: Fri, 24 Sep 2004 15:48:13 +0545
User-Agent: KMail/1.7
References: <20040923091609.K60082-100000@tyberius.abccom.bc.ca> <200409241205.53812.bikrant_ml@wlink.com.np> <1096018919.654.3.camel@pppp>
In-Reply-To: <1096018919.654.3.camel@pppp>
Message-Id: <200409241548.14313.bikrant_ml@wlink.com.np>
cc: freebsd-isp@freebsd.org
cc: freebsd-questions@freebsd.org
Subject: Re: Ipfw accept rule
List-Id: Internet Services Providers
On Friday 24 September 2004 15:26, dima wrote:
> On Fri, 24.09.2004, at 10:20, Bikrant Neupane wrote:
> > On Thursday 23 September 2004 22:29, Jon Simola wrote:
> > > On Thu, 23 Sep 2004, Bikrant Neupane wrote:
> > > > Here is my rule set:
> > > >
> > > > #skip depending on the pkt layer
> > > > 01000 322 14780 skipto 10000 ip from any to any layer2 in via xl0
> > > > 01100 200 93204 skipto 20000 ip from any to any not layer2
> > > >
> > > > #rule num 10000 to 20000 allocated for layer2 filtering
> > > > #for mac filter: allow only listed mac to send traffic
> > > > 10000 39 1780 allow ip from any to any MAC any 00:00:0e:84:00:83 in via xl0
> > > > #default deny all mac coming in from xl0
> > > > 19997 284 13046 deny ip from any to any MAC any any in via xl0
> > >
> > > If this is layer2 filtering, where are the layer2 tags in the ipfw
> > > rule? And if this is the extent of your layer 2, then don't forget an
> > > allow/deny default for layer2 packets (allow ip from any to any
> > > layer2). Also, you're only checking your layer2 on a specific
> > > interface, perhaps you only have one.
> > >
> > > I've got something like:
> > > 00010 skipto 32000 ip from any to any not layer2
> > > 00050 deny ip from any to any MAC any 00:30:da:00:00:00/24 layer2 in
> > > 00055 count ip from any to any MAC any 00:0b:db:1d:63:56 layer2 in // sniffing for traffic
> > > 03100 allow ip from any to any layer2
> > > // bandwidth monitoring pipes
> > > 32003 pipe 3 ip from any to any src-ip 10.10.66.0/24 in recv em1
> > > 32004 pipe 4 ip from any to any dst-ip 10.10.66.0/24 out xmit em1
> > > 65534 allow ip from any to any
> > > 65535 deny ip from any to any
> >
> > Well, I have no problem with the MAC filtering rules.
> > The only problem that I am having is that the pkts hit the matching rule
> > twice; as a result I get only half of the b/w specified in the ipfw
> > pipe command.
> >
> > 35004 324 485880 pipe 202 ip from any to 202.79.45.254 out via xl0
> > 35005 302 12080 pipe 203 ip from 202.79.45.254 to any out via em0
> >
> > Isn't there a way to construct rules such that matching pkts hit the rule
> > only once?
>
> $ man ipfw
> [skip]
>      pipe pipe_nr
>              Pass packet to a dummynet(4) ``pipe'' (for bandwidth limitation,
>              delay, etc.).  See the TRAFFIC SHAPER (DUMMYNET) CONFIGURATION
>              Section for further information.  The search terminates; however,
>              on exit from the pipe and if the sysctl(8) variable
>              net.inet.ip.fw.one_pass is not set, the packet is passed again to
>              the firewall code starting from the next rule.
> [skip]

# sysctl net.inet.ip.fw.one_pass
net.inet.ip.fw.one_pass: 1

It is by default 1. I tried with 0 as well.

Bikrant

> $
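Added example (editor's note, not part of any message in the thread). The man page text dima quotes covers only re-injection after dummynet: with one_pass=1 a packet that entered a pipe is not searched again, which is why toggling the sysctl changes nothing here. My reading of the quoted ruleset, stated as an assumption rather than anything the thread confirms, is that the second hit comes from a separate pass. When net.link.ether.ipfw=1 (needed for the MAC rules to work at all), ipfw is also consulted for every Ethernet frame on input and output. Rule 01000 only diverts layer2 frames coming in via xl0 and rule 01100 only diverts non-layer2 packets, so an outbound layer2 frame on xl0 or em0 falls through both, walks past the 10000-19997 rules (which are all "in via xl0") and reaches 35004/35005 a second time, once per output pass, which doubles the bytes metered by the pipe. The ruleset below, in ipfw(8) file syntax (load with `ipfw -q /etc/ipfw.rules`), keeps the thread's rule numbers, interfaces, pipes, MAC and address, adds the layer2 default Jon mentions, and qualifies the pipe rules so they can only match once per direction; the pipe bandwidths are placeholders.

```ipfw
# Added example, not the poster's ruleset.  Assumes FreeBSD ipfw with
# net.link.ether.ipfw=1 (layer2 passes enabled) and the default
# net.inet.ip.fw.one_pass=1.  Pipe bandwidths are placeholder values.
flush
pipe 202 config bw 512Kbit/s
pipe 203 config bw 128Kbit/s

# --- dispatch on the layer at which ipfw sees the packet ---------------
# Layer-2 frames arriving on xl0: MAC filter section.
add 01000 skipto 10000 ip from any to any layer2 in via xl0
# Every other layer-2 frame (outbound on any interface, inbound elsewhere)
# is passed right here, so it never reaches the pipe rules below.  This is
# the "allow/deny default for layer2 packets" the original ruleset lacked.
add 01050 allow ip from any to any layer2
# What is left is the IP-layer pass: send it to the layer-3 section.
add 01100 skipto 20000 ip from any to any not layer2

# --- 10000-19999: layer-2 MAC filtering on xl0 --------------------------
add 10000 allow ip from any to any MAC any 00:00:0e:84:00:83 in via xl0
add 19997 deny  ip from any to any MAC any any in via xl0

# --- 20000+: layer-3 rules; each pipe is reached at most once per direction
# "not layer2" is redundant given rule 01050 but documents the intent and
# still holds if someone later reorders the dispatch rules.
add 35004 pipe 202 ip from any to 202.79.45.254 out via xl0 not layer2
add 35005 pipe 203 ip from 202.79.45.254 to any out via em0 not layer2
add 65534 allow ip from any to any
```

To check the diagnosis before and after the change, send a known number of packets through the box (for example `ping -c 100` to 202.79.45.254 from the em0 side), then compare the packet counter that `ipfw -a list` shows for rule 35004 with the number sent: a counter near twice the packet count means the rule is still being matched on two passes, a counter equal to it means the pipe is metering each packet once. `ipfw pipe 202 show` gives the pipe's own byte counters for the same comparison.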