From: "Adam M. Towarnyckyj" <adamt@commspeed.net>
To: ipfw@freebsd.org
Date: Wed, 12 Jul 2006 16:37:19 -0700
Subject: RE: IPFW Dummynet Bridge Limiting
Message-ID: <48DC429CB053B64EAD91BDD1DE106A11675DE6@es1.corp.commspeed.net>

Vladone,

Thanks much for the response. I looked into what you were telling me and here are the results:

1) This wasn't a typo. Apparently, after looking into it, I've seen both options used on different websites and setups. Either way though, I checked these both with sysctl and they are both set to 1.

2) I missed that part of the man page and thanks for clarifying. This is where I get confused. Am I using DIVERT to get packets to the proper pipe? If so, then how can I get it to work properly with many, many, many rules (one for each customer IP)? If not, then does this option really matter?

3) This part I did read and I'm still slightly confused.
Once placed into the proper pipe, I don't want it to continue down the line of rules to search for another match. I like it where it is because it matched the IP and should be limited, correct? Also, I have tried my setup with the one_pass variable on and off. Neither way worked for me anyway.

Upon further investigation, I noticed that when I set up my laptop with the 216.19.50.37 address and add the rule to match "all" to the pipe, I lose all connectivity. I am unable to ping or pull web pages. Somehow, I originally thought the problem was that there was no limiting going on. This must be because I had a ping running in the background and had the rule set up to limit ip. Now I think what is happening is that the packets are getting dropped or not arriving at the destination like they're supposed to.

Thanks again.

Adam

-----Original Message-----
From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of vladone
Sent: Wednesday, July 12, 2006 3:48 PM
To: ipfw@freebsd.org
Subject: Re: IPFW Dummynet Bridge Limiting

Hello Adam,

I don't use bridge, but here are some things that can help you:

1. Use the correct sysctl variable form: net.link.ether.bridge.ipfw instead of net.link.ether.bridge_ipfw (probably a typo).

2. Read the end of the man page about bridge and the net.inet.ip.fw.one_pass variable:

"Also remember that bridged packets are accepted after the first pass through the firewall irrespective of the setting of the sysctl variable net.inet.ip.fw.one_pass, and that some ipfw(8) actions such as divert do not apply to bridged packets. It might be useful to have a rule of the form

skipto 20000 ip from any to any bridged"

3.
Luigi Rizzo says in his documentation: "there is always one pass for bridged packets".

-- 
Best regards,
vladone mailto:vladone@spaingsm.com
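As an added example (not part of either message in this thread), the POSIX sh script below turns the two points of the reply into checks a bridge operator can run: it reads sysctl values by their exact name, so the two spellings discussed above are never confused with each other, and it generates a per-customer dummynet rule set in which every bridged packet is sent to one block of rules with a skipto, as the quoted ipfw(8) text suggests, with each pipe configured before any rule refers to it. The sysctl output, customer addresses, bandwidth figures and rule numbers are all constructed for this example; the pipe-per-direction layout is this example's own choice, not a configuration from the thread.

```sh
#!/bin/sh
# Added example, not code from the thread. Builds a per-customer dummynet rule set for an
# ipfw bridge and checks the bridge sysctl. Sample data below is constructed; rule numbers
# 100, 20001-29999 and 65000 are this example's own numbering.

# Constructed sample of sysctl output. Both spellings mentioned in the thread are
# present so the exact-name lookup can be shown to keep them apart.
SAMPLE_SYSCTL='net.link.ether.bridge.ipfw: 1
net.link.ether.bridge_ipfw: 0
net.inet.ip.fw.one_pass: 1'

# Constructed customer list: one "address download_bw upload_bw" triple per line.
SAMPLE_CUSTOMERS='216.19.50.37 512Kbit/s 256Kbit/s
216.19.50.38 1Mbit/s 512Kbit/s'

# sysctl_value NAME TEXT: print the value of NAME from "name: value" lines.
# The whole name must match, so bridge.ipfw and bridge_ipfw are distinct lookups.
sysctl_value() {
    printf '%s\n' "$2" |
        awk -v n="$1" -F': ' '$1 == n { print $2; found = 1 } END { exit !found }'
}

# bridge_ipfw_enabled TEXT: succeed only if net.link.ether.bridge.ipfw is exactly 1,
# the variable the reply names as the correct one.
bridge_ipfw_enabled() {
    [ "$(sysctl_value net.link.ether.bridge.ipfw "$1")" = "1" ]
}

# valid_ipv4 ADDR: succeed if ADDR is four decimal octets in the range 0-255.
valid_ipv4() {
    printf '%s\n' "$1" |
        awk -F. 'NF != 4 { exit 1 }
                 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }'
}

# gen_rules CUSTOMERS: print the ipfw commands for the list, or fail on a bad address.
# Bridged packets are accepted after their first pass regardless of one_pass (ipfw(8)
# text quoted in the reply), so the first match in the 20000 block is also the last one;
# the skipto at rule 100 keeps bridged traffic away from the routed-traffic rules, and
# every pipe is configured before the rule that refers to it is added.
gen_rules() {
    pipe=1
    rule=20001
    echo "ipfw -q flush"
    echo "ipfw -q pipe flush"
    echo "ipfw add 100 skipto 20000 ip from any to any bridged"
    while read -r ip down up; do
        [ -n "$ip" ] || continue
        if ! valid_ipv4 "$ip"; then
            echo "gen_rules: bad customer address: $ip" >&2
            return 1
        fi
        echo "ipfw pipe $pipe config bw $down"
        echo "ipfw pipe $((pipe + 1)) config bw $up"
        echo "ipfw add $rule pipe $pipe ip from any to $ip bridged"
        echo "ipfw add $((rule + 1)) pipe $((pipe + 1)) ip from $ip to any bridged"
        pipe=$((pipe + 2))
        rule=$((rule + 2))
    done <<EOF
$1
EOF
    echo "ipfw add 29999 allow ip from any to any bridged"
    # Placeholder policy for traffic that is not bridged; a real site decides this itself.
    echo "ipfw add 65000 allow ip from any to any"
}

# Stand-alone run: only emit rules when the bridge actually hands packets to ipfw.
if bridge_ipfw_enabled "$SAMPLE_SYSCTL"; then
    gen_rules "$SAMPLE_CUSTOMERS"
else
    echo "net.link.ether.bridge.ipfw is not 1; ipfw will not see bridged packets" >&2
fi
```

The script only prints the ipfw commands; reviewing that output before piping it into sh is the point, since a pipe rule that refers to an unconfigured pipe or a rule set that never returns for non-bridged traffic is exactly the kind of mistake that shows up as the total loss of connectivity described above.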