Date:      Fri, 14 Jul 2006 12:21:09 +0300
From:      vladone <>
Subject:   Re[2]: IPFW Dummynet Bridge Limiting

Hello Adam,

Thursday, July 13, 2006, 2:37:19 AM, you wrote:

> Vladone,

>         Thanks much for the response. I looked into what you were
> telling me and here are the results:

> 1) This wasn't a typo. Apparently, after looking into it, I've seen both
> options used on different websites and setups. Either way though, I
> checked these both with sysctl and they are both set to 1.

> 2) I missed that part of the man page and thanks for clarifying. This is
> where I get confused. Am I using DIVERT to get packets to the proper
> pipe? If so, then how can I get it to work properly with many many many
> rules (one for each customer IP)? If not, then does this option really
> matter?

> 3) This part I did read and I'm still slightly confused. Once placed
> into the proper pipe, I don't want it to continue down the line of rules
> to search for another match. I like it where it is because it matched
> the IP and should be limited, correct?

> Also, I have tried my setup with the one_pass variable on and off.
> Neither way worked for me anyways.

> Upon further investigation, I noticed when I set up my laptop with the
> address and add the rule to match "all" to the pipe, I lose
> all connectivity. I am unable to ping or pull web pages. Somehow, I
> originally thought the problem was that there was no limiting going on.
> This must be because I had a ping running in the background and had the
> rule set up to limit ip. Now I think what is happening is the packets
> are getting dropped or not arriving at the destination like they're
> supposed to.

> Thanks again.

> Adam

> -----Original Message-----
> From:
> [] On Behalf Of vladone
> Sent: Wednesday, July 12, 2006 3:48 PM
> To:
> Subject: Re: IPFW Dummynet Bridge Limiting

> Hello Adam,

> I don't use bridge but some things that can help u:
>  1. use correct sysctl variables of the form:
>  instead (probably a wrong typing)
>  2. read the end of the man page about bridge, and the
>  net.inet.ip.fw.one_pass variable.
>  "Also remember that bridged packets are accepted after the first pass
>      through the firewall irrespective of the setting of the sysctl variable
>      net.inet.ip.fw.one_pass, and that some ipfw(8) actions such as divert do
>      not apply to bridged packets.  It might be useful to have a rule of the
>      form
>
>            skipto 20000 ip from any to any bridged
>  "

>  3. Luigi Rizzo say in his
>  documentation: "there is always one pass for bridged packets"
First: if u want to apply a queue or pipe for many IPs, u can use the option mask
in pipe or queue. U can get examples about that in dummynet.
For bridge, try to use the "bridge" option in ipfw rules, to match packets
that are bridged.
If u want to pass packets across multiple pipes or queues, then you need
to set net.inet.ip.fw.one_pass=0.
For clients that have public IPs, natd has an option to not
translate these addresses.
Begin with very simple rules, without any pipe or queue, only the count
option, and see what is happening. Then grow complexity; in this mode
u can find where u went wrong.

Best regards,
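As an added example (not from vladone's or Adam's messages), here is a small sh script that turns the advice above into an ipfw ruleset: count-only rules first, then one dummynet pipe per direction with a mask so every customer IP gets its own limit without a rule per address. The customer block 192.0.2.0/24 and the 512Kbit/s rate are constructed values; by default the script only prints the ipfw commands, and setting IPFW=ipfw applies them on a FreeBSD host.

```shell
#!/bin/sh
# Added example, not code from the thread. Per-customer rate limiting of
# bridged traffic with a single masked dummynet pipe per direction.
# Constructed sample values; override them in the environment if needed.
IPFW=${IPFW:-"echo ipfw"}          # "ipfw" to really apply the rules
CUSTOMERS=${CUSTOMERS:-192.0.2.0/24}
RATE=${RATE:-512Kbit/s}

# Print (or, with IPFW=ipfw, execute) one ipfw command.
run() { $IPFW "$@"; }

# Phase 1: count-only rules, as the reply advises. They confirm that the
# packets are actually seen as bridged and match the customer block before
# any shaping is added, so a connectivity loss cannot be blamed on a pipe.
count_rules() {
    run add 100 count ip from any to any bridged
    run add 110 count ip from "$CUSTOMERS" to any
    run add 120 count ip from any to "$CUSTOMERS"
}

# Phase 2: one pipe per direction. The mask makes dummynet keep a separate
# $RATE flow for every distinct customer address, so one rule covers the
# whole block. Each packet passes through only one pipe here, so the
# one_pass setting discussed in the thread does not change the outcome.
limit_rules() {
    run pipe 1 config bw "$RATE" mask src-ip 0xffffffff
    run pipe 2 config bw "$RATE" mask dst-ip 0xffffffff
    run add 200 pipe 1 ip from "$CUSTOMERS" to any bridged
    run add 210 pipe 2 ip from any to "$CUSTOMERS" bridged
}

case "${1:-count}" in
    count) count_rules ;;
    limit) limit_rules ;;
    *) echo "usage: $0 [count|limit]" >&2; exit 2 ;;
esac
```

Run it with no argument to see the count rules, with "limit" for the shaping rules; check the counters of rules 100-120 with "ipfw show" before moving on to the pipes.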
