Date:      Wed, 12 Jul 2006 16:37:19 -0700
From:      "Adam M. Towarnyckyj" <>
To:        <>
Subject:   RE: IPFW Dummynet Bridge Limiting
Message-ID:  <>

	Thanks much for the response. I looked into what you were
telling me and here are the results:

1) This wasn't a typo. Apparently, after looking into it, I've seen both
options used on different websites and setups. Either way though, I
checked these both with sysctl and they are both set to 1.

2) I missed that part of the man page and thanks for clarifying. This is
where I get confused. Am I using DIVERT to get packets to the proper
pipe? If so, then how can I get it to work properly with many many many
rules (one for each customer IP)? If not, then does this option really

3) This part I did read and I'm still slightly confused. Once placed
into the proper pipe, I don't want it to continue down the line of rules
to search for another match. I like it where it is because it matched
the IP and should be limited, correct?

Also, I have tried my setup with the one_pass variable on and off.
Neither way worked for me anyways.

Upon further investigation, I noticed when I set up my laptop with the address and add the rule to match "all" to the pipe, I lose
all connectivity. I am unable to ping or pull web pages. Somehow, I
originally thought the problem was that there was no limiting going on.
This must be because I had a ping running in the background and had the
rule set up to limit ip. Now I think what is happening is the packets
are getting dropped or not arriving at the destination like they're
supposed to.

Thanks again.


-----Original Message-----
[] On Behalf Of vladone
Sent: Wednesday, July 12, 2006 3:48 PM
Subject: Re: IPFW Dummynet Bridge Limiting

Hello Adam,

I don't use bridge, but here are some things that can help you:
 1. use the correct sysctl variable form:
 instead (probably a typo)
 2. read the end of the man page about bridge, and the
 net.inet.ip.fw.one_pass variable:
 "Also remember that bridged packets are accepted after the first pass
     through the firewall irrespective of the setting of the sysctl
     net.inet.ip.fw.one_pass, and that some ipfw(8) actions such as
     divert do not apply to bridged packets.  It might be useful to
     have a rule of

           skipto 20000 ip from any to any bridged

 3. Luigi Rizzo says in his
 documentation: "there is always one pass for bridged packets"

Best regards,

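The ruleset layout that the quoted man page text hints at, written out as an added example (this is not code from either poster, nor a FreeBSD-supplied script): a single early `skipto` sends every bridged frame to its own numbered section, and inside that section each customer IP gets one dummynet pipe. Because bridged packets are accepted after their first pass regardless of `net.inet.ip.fw.one_pass`, the bridged section is walked once and the first matching pipe rule is the last thing that touches the frame. The rule numbers, pipe numbers, customer addresses and bandwidths are assumptions constructed for the illustration; the script only prints the `ipfw` commands it would run and applies nothing.

```shell
#!/bin/sh
# Added example, not from the thread: emit an ipfw(8) ruleset that keeps
# all bridged traffic in a dedicated section (rule numbers >= 20000) and
# rate-limits each customer IP with its own dummynet pipe there.
# All numbers and addresses below are constructed assumptions; the script
# prints commands instead of running them so it is safe to try anywhere.

# Constructed customer list, one "<ip> <bandwidth>" pair per line.
CUSTOMERS='192.0.2.10 512Kbit/s
192.0.2.11 1Mbit/s
192.0.2.12 256Kbit/s'

BRIDGED_SECTION=20000   # first rule number of the bridged section (assumed)
PIPE_BASE=100           # pipe numbers start here, one per customer (assumed)

# gen_ruleset <customer-list>: print the ipfw commands for that list.
gen_ruleset() {
    customers=$1
    echo "ipfw -f flush"
    echo "ipfw pipe flush"
    # One early rule moves every layer-2 (bridged) frame to the bridged
    # section, so the routed rules below it never see bridged traffic.
    echo "ipfw add 100 skipto $BRIDGED_SECTION ip from any to any bridged"
    # Routed (layer-3) rules would sit here; this example just allows.
    echo "ipfw add 19999 allow ip from any to any"

    rule=$BRIDGED_SECTION
    pipe=$PIPE_BASE
    echo "$customers" | while read -r ip bw; do
        [ -z "$ip" ] && continue
        echo "ipfw pipe $pipe config bw $bw"
        # Same pipe in both directions for this customer; the 'bridged'
        # keyword keeps these rules matching layer-2 frames only.
        echo "ipfw add $rule pipe $pipe ip from any to $ip bridged"
        echo "ipfw add $rule pipe $pipe ip from $ip to any bridged"
        rule=$((rule + 1))
        pipe=$((pipe + 1))
    done
    # Bridged frames that matched no customer rule are still accepted.
    echo "ipfw add 65000 allow ip from any to any bridged"
}

gen_ruleset "$CUSTOMERS"
```

Both directions of a customer share one rule number and one pipe, so adding a customer adds exactly one pipe and one rule number; that keeps the section readable when the list grows to one entry per customer IP.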