From: "Willie Viljoen"
Date: Sun, 14 Dec 2003 15:49:54 +0200
Subject: Re: Queue and rules
List-Id: IPFW Technical Discussions

Sorry, that should have been:

sysctl net.inet.ip.fw.one_pass=0

Also, to make it stick after a reboot:

echo net.inet.ip.fw.one_pass=0 >> /etc/sysctl.conf

Will

----- Original Message -----
From: "Willie Viljoen"
Sent: Sunday, December 14, 2003 3:47 PM
Subject: Re: Queue and rules

> sysctl net.inet.ip.fw.one_pass=1
>
> :-)
>
> ----- Original Message -----
> From: "Cole"
> Sent: Sunday, December 14, 2003 3:52 PM
> Subject: Queue and rules
>
> > Hi
> >
> > I have set up the following queues and pipes.
> >
> > #pipes
> > $fwcmd pipe 1 config bw 3kbyte/s queue 0.5kbyte
> > $fwcmd pipe 2 config bw 128kbits/s queue 5Kbyte #outgoing
> > $fwcmd pipe 3 config bw 128kbits/s queue 5Kbyte #incoming
> > $fwcmd pipe 4 config bw 64kbits/s queue 5Kbyte #outgoing
> > $fwcmd pipe 5 config bw 64kbits/s queue 5Kbyte #incoming
> >
> > #queues
> > $fwcmd queue 1 config pipe 2 weight 100 queue 10 #outgoing
> > $fwcmd queue 2 config pipe 2 weight 50 queue 10 #outgoing
> > $fwcmd queue 3 config pipe 3 weight 100 queue 10 #incoming
> > $fwcmd queue 4 config pipe 3 weight 50 queue 10 #incoming
> >
> > I have also added the following 2 rules using the queues 1 and 3.
> >
> > 00202 queue 1 tcp from me to 196.34.*.* out via tun0
> > 00203 queue 3 tcp from 196.34.*.* to me in via tun0
> >
> > I put the *'s in just for privacy's sake, I have the full IP entered
> > in the rules.
> >
> > Now I wanted to block certain ports like ssh to or from that IP. I
> > added the rule below rules 202 and 203, and no matter if I specify
> > deny all, or deny tcp and the port, I can still get to those ports.
> > I.e. if I add "ipfw add 205 deny tcp from me to 196.34.*.* 22" it
> > will still allow me to connect.
> >
> > I was wondering if it's because of the queue rules matching first and
> > not bothering to check the rest. If this is the problem, how do I do
> > bandwidth shaping and then still use blocking/deny rules below those
> > queue rules?
> >
> > Or if there is another problem that I'm not seeing or missing, or a
> > solution that you know might work, please let me know.
> >
> > I'm not subscribed to the mailing list so please reply to
> > cole@acenet.co.za.
> >
> > Thanx
> > /Cole
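
A simplified model of the rule evaluation discussed in this thread, added here as an illustration (it is not code from the posters or from ipfw itself). It shows why rule 205 is never reached while net.inet.ip.fw.one_pass=1 and is reached once it is 0. The addresses 192.0.2.1 and 203.0.113.0/24, the final allow rule and the reordered rule 200 are constructed assumptions, and direction and interface matching are ignored.

```python
from ipaddress import ip_address, ip_network

ME = "192.0.2.1"           # constructed stand-in for "me"
PEER = "203.0.113.0/24"    # constructed stand-in for the redacted 196.34.*.*

# (rule number, action, src, dst, dst port or None for any port)
RULES = [
    (202, "queue", "me", PEER, None),
    (203, "queue", PEER, "me", None),
    (205, "deny", "me", PEER, 22),
    (65535, "allow", "any", "any", None),   # assumed permissive final rule
]

# Same policy with the deny placed ahead of the queue rules (hypothetical 200).
RULES_DENY_FIRST = [(200, "deny", "me", PEER, 22)] + [r for r in RULES if r[0] != 205]


def _addr_match(spec, addr):
    if spec == "any":
        return True
    if spec == "me":
        return addr == ME
    return ip_address(addr) in ip_network(spec)


def evaluate(rules, src, dst, dport, one_pass):
    """Return (verdict, trace); trace lists the rule numbers that matched."""
    trace = []
    for num, action, rsrc, rdst, rport in sorted(rules, key=lambda r: r[0]):
        if not (_addr_match(rsrc, src) and _addr_match(rdst, dst)):
            continue
        if rport is not None and rport != dport:
            continue
        trace.append(num)
        if action in ("pipe", "queue"):
            if one_pass:
                # Packet leaving dummynet is not passed through the firewall again.
                return "allow", trace
            continue  # one_pass=0: packet is reinjected at the next rule
        return action, trace
    return "deny", trace


if __name__ == "__main__":
    for label, rules in (("original order", RULES), ("deny first", RULES_DENY_FIRST)):
        for one_pass in (True, False):
            print(label, "one_pass =", int(one_pass),
                  evaluate(rules, ME, "203.0.113.7", 22, one_pass))
```
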