Date:      Sun, 14 Dec 2003 15:47:52 +0200
From:      "Willie Viljoen" <will@unfoldings.net>
To:        <cole@acenet.co.za>, <freebsd-ipfw@freebsd.org>
Subject:   Re: Queue and rules
Message-ID:  <008601c3c248$de9a16a0$0a00a8c0@arista>
References:  <200312141552.AA467796450@acenet.co.za>

sysctl net.inet.ip.fw.one_pass=1

:-)

----- Original Message -----
From: "Cole" <cole@acenet.co.za>
To: <freebsd-ipfw@freebsd.org>
Sent: Sunday, December 14, 2003 3:52 PM
Subject: Queue and rules


> Hi
>
> I have setup the following queues and pipes.
>
> #pipes
> $fwcmd pipe 1 config bw 3kbyte/s queue 0.5kbyte
> $fwcmd pipe 2 config bw 128kbits/s queue 5Kbyte #outgoing
> $fwcmd pipe 3 config bw 128kbits/s queue 5Kbyte #incoming
> $fwcmd pipe 4 config bw 64kbits/s queue 5Kbyte #outgoing
> $fwcmd pipe 5 config bw 64kbits/s queue 5Kbyte #incoming
>
> #queues
> $fwcmd queue 1 config pipe 2 weight 100 queue 10  #outgoing
> $fwcmd queue 2 config pipe 2 weight 50 queue 10   #outgoing
> $fwcmd queue 3 config pipe 3 weight 100 queue 10  #incoming
> $fwcmd queue 4 config pipe 3 weight 50 queue 10   #incoming
>
> I have also added the following 2 rules using the queues 1 and 3.
>
> 00202 queue 1 tcp from me to 196.34.*.* out via tun0
> 00203 queue 3 tcp from 196.34.*.* to me in via tun0
>
> I put the *'s in just for privacy's sake, I have the full IP entered in the rules.
>
> Now I wanted to block certain ports like ssh to or from that IP. I added the rule below rules 202 and 203, and no matter if I specify deny all, or deny tcp and the port, I can still get to those ports. I.e. if I add "ipfw add 205 deny tcp from me to 196.34.*.* 22" it will still allow me to connect.
>
> I was wondering if it's because of the queue rules matching first and not bothering to check the rest. If this is the problem, how do I do bandwidth shaping and then still use blocking/deny rules below those queue rules?
> Or if there is another problem that I'm not seeing or missing, or a solution that you know might work, please let me know.
> I'm not subscribed to the mailing list so please reply to cole@acenet.co.za.
>
> Thanx
> /Cole
>
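
An added model of rule traversal for the ruleset in the question (not part of either message, and not ipfw's own code). It follows ipfw(8): with net.inet.ip.fw.one_pass set, a packet leaving a dummynet pipe or queue is not passed through the firewall again; with it unset, the packet is reinjected at the next rule. The final allow rule 65000, the reordered rule 201 and the default-deny fallthrough are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    num: int
    action: str                   # "queue", "deny" or "allow"
    direction: str                # "out", "in" or "any"
    dport: Optional[int] = None   # None matches any destination port

@dataclass(frozen=True)
class Packet:
    direction: str
    dport: int

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction in ("any", pkt.direction)
            and rule.dport in (None, pkt.dport))

def evaluate(rules: List[Rule], pkt: Packet, one_pass: bool) -> Tuple[str, List[int]]:
    """Return (verdict, numbers of the rules that matched), first match wins."""
    hits: List[int] = []
    for rule in sorted(rules, key=lambda r: r.num):
        if not matches(rule, pkt):
            continue
        hits.append(rule.num)
        if rule.action == "queue":
            if one_pass:
                return "accept", hits   # packet leaves the firewall after dummynet
            continue                    # packet is reinjected at the next rule
        return ("deny" if rule.action == "deny" else "accept"), hits
    return "deny", hits                 # assumption: default rule denies

# Constructed from the question: rules 202/203 queue, rule 205 denies ssh.
QUESTION = [Rule(202, "queue", "out"), Rule(203, "queue", "in"),
            Rule(205, "deny", "out", 22),
            Rule(65000, "allow", "any")]          # assumed final allow rule
# Assumed alternative: the same deny, numbered ahead of the queue rules.
REORDERED = [Rule(201, "deny", "out", 22)] + [r for r in QUESTION if r.num != 205]
SSH_OUT = Packet("out", 22)

if __name__ == "__main__":
    for name, rules in (("question", QUESTION), ("reordered", REORDERED)):
        for one_pass in (True, False):
            verdict, hits = evaluate(rules, SSH_OUT, one_pass)
            print(f"{name:9} one_pass={int(one_pass)} -> {verdict} via {hits}")
```

With the deny numbered ahead of the queue rules, the ssh packet gets the same verdict under either setting, because it never reaches a queue action.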


