Date:      Thu, 28 Aug 2003 12:54:34 +0200
From:      Socketd <>
Subject:   ipfw newbie
Message-ID:  <>


I am setting up a gateway for a friend and he wants it to firewall and
traffic shape.

The network:
Router (running NAT and PPP)
 |(no ip)
Gateway (FreeBSD 5.1, ipfw + dummynet and DHCP to the LAN)
 |( to the LAN and to the DMZ)
 | \
 |  DMZ(

I have been asking around whether I should NAT the DMZ. People had
different opinions on that and I chose to NAT it.
Now what I want is:

Allow all traffic _from_ LAN and DMZ and out. Also allow all traffic
between the two.

DMZ traffic should have 100 times the weight of LAN traffic.

So I was thinking, is this maybe right? (I can't test the firewall before
returning it, so the configuration has to be correct):

//Give DMZ 100 times more weight than LAN
pipe 10 config bw 512Kbit/s
pipe 20 config bw 2Mbit/s

add pipe 10 ip from any to any out
add pipe 20 ip from any to any in

queue 100 config pipe 10 weight 100
queue 200 config pipe 20 weight 100
queue 300 config pipe 10 weight 1
queue 400 config pipe 20 weight 1

//rl1 is the NIC to the router (rl0 = LAN, de0 = DMZ)
add queue 100 ip from to any out via rl1
add queue 200 ip from any to in via rl1
add queue 300 ip from to any out via rl1
add queue 400 ip from any to in via rl1

//Allow all traffic _from_ LAN and DMZ
add allow all from to any

//Here I will specify what traffic to allow to the DMZ

//And I want this at the end:
deny all from any to any

And then set net.inet.ip.fw.one_pass: 0

Is this about right? And is it "normal" to place the firewalling rules
after the pipes?

Hope someone will help.

btw please cc to me as I am not on the list.
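A static check of the kind a practitioner would run over a rule file before deploying it untested, as the poster has to. This is an added example, not part of the original mail or of ipfw itself: it flags queues and pipes that are used but never configured, rules whose from/to clause is incomplete, and a rule set that does not end in an explicit deny. The rule set and addresses inside it are constructed.

```python
import re

# Constructed sample in the shape of the post's rule set; the addresses are
# RFC 5737 documentation ranges, not the poster's networks.
SAMPLE_RULES = """\
pipe 10 config bw 512Kbit/s
pipe 20 config bw 2Mbit/s
queue 100 config pipe 10 weight 100
queue 300 config pipe 10 weight 1
queue 500 config pipe 30 weight 1
add queue 100 ip from 192.0.2.0/24 to any out via rl1
add queue 300 ip from 198.51.100.0/24 to any out via rl1
add queue 700 ip from any to 192.0.2.0/24 in via rl1
add queue 200 ip from any to in via rl1
add allow all from to any
deny all from any to any
"""

# ipfw keywords that must not appear where an address is expected
KEYWORDS = {"in", "out", "via", "recv", "xmit", "to", "from"}

def lint_ipfw(text):
    """Return a list of problems found in an ipfw/dummynet rule listing."""
    pipes, queues, problems, last = set(), {}, [], ""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop sh-style comments
        if not line:
            continue
        last = line
        if m := re.match(r"pipe (\d+) config", line):
            pipes.add(m.group(1))
        elif m := re.match(r"queue (\d+) config pipe (\d+)", line):
            queues[m.group(1)] = m.group(2)   # queue -> pipe it feeds
        elif line.startswith("add ") or line.startswith("deny "):
            if m := re.match(r"add queue (\d+)", line):
                if m.group(1) not in queues:
                    problems.append(f"line {n}: queue {m.group(1)} used but never configured")
            elif m := re.match(r"add pipe (\d+)", line):
                if m.group(1) not in pipes:
                    problems.append(f"line {n}: pipe {m.group(1)} used but never configured")
            # every filter/shaper rule needs a complete 'from X to Y' clause
            m = re.search(r"\bfrom (\S+) to (\S+)", line)
            if not m or m.group(1) in KEYWORDS or m.group(2) in KEYWORDS:
                problems.append(f"line {n}: incomplete 'from X to Y' clause")
    for q, p in queues.items():
        if p not in pipes:
            problems.append(f"queue {q} refers to pipe {p}, which is not configured")
    if not re.match(r"(add )?deny (all|ip) from any to any", last):
        problems.append("rule set does not end with an explicit deny-all")
    return problems

if __name__ == "__main__":
    for problem in lint_ipfw(SAMPLE_RULES):
        print(problem)
```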

