From owner-freebsd-stable Thu Feb 15 6:36:48 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from ultrakill.noc.demon.net (ultrakill.noc.demon.net [195.11.55.73]) by hub.freebsd.org (Postfix) with ESMTP id 6400837B65D for ; Thu, 15 Feb 2001 06:36:41 -0800 (PST)
Received: from chrise by ultrakill.noc.demon.net with local (Exim 3.20 #1) id 14TPWR-000P61-00; Thu, 15 Feb 2001 14:36:39 +0000
Date: Thu, 15 Feb 2001 14:36:39 +0000
From: Chris Elsworth
To: Simon Loader
Cc: stable@freebsd.org
Subject: Re: ipfw query..
Message-ID: <20010215143639.A96439@demon.net>
References: <20010215130342.A95395@demon.net> <20010215135309.A23654@rug-rats.org> <3A8BE217.7AF6BFBD@herculeez.com> <20010215140949.A96244@demon.net> <3A8BE84C.108A1625@herculeez.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3A8BE84C.108A1625@herculeez.com>; from simon@herculeez.com on Thu, Feb 15, 2001 at 02:31:40pm +0000
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Thu, Feb 15, 2001 at 02:31:40pm +0000, Simon Loader wrote:
> > pipes first - I was planning to do everything so I could count it and
> > bandwidth limit it
> > deny anything appearing to come from RFC1918 ranges
> > deny any ports I specifically don't want people to see like 3306
> > deny any source IPs I specifically don't want to let in
> > allow selected privileged ports (ssh, smtp, et al)
> > allow selected outbound accesses (tho this is paranoid and could go)
>
> paranoia is good for Firewalls. :)

Not much point in having one otherwise, is there? :)

> > deny everything else
> >
> > >--
> >
> > If I don't put the pipes first then I can't bandwidth limit, because when
> > the packets go through one of the allow rules, to, say, sshd - then
> > they'll never see the pipe and won't get limited or counted. So the pipes
> > have to come first..
> > > >
> OK this is probably not useful but you could move the denies only to
> before the pipes
> so you are not bandwidth limiting people on stuff they don't get.
> ( interesting DoS attack otherwise (in theory) if someone had lots of
> bandwidth).

Yeah, that'd be a good first step I suppose..

> ummmmm..... looking at the manual you have everything correct :)

Gee, well.. I guess that's kind of what I did and didn't want to hear :)
I'm doing it right but it doesn't work - doh :) send-pr time? :)

> You could try doing this to make sure
>
> sysctl -w net.inet.ip.fw.one_pass=0

I already did that.. :

gw-0# sysctl net.inet.ip.fw.one_pass
net.inet.ip.fw.one_pass: 0

It's zero already, I've set it a few times - definitely zero :)

> scratch, scratch or perhaps the pipe rule is going wrong?

Wrong in what way? This might be the one thing left to check out..

> STUPID QUESTION:
> you do have the DUMMYNET option in the Kernel

Yup, if I didn't have that then the pipes wouldn't work at all..

/me scratches his head and wanders off..

--
Chris Elsworth            tel: 020 8371 1041        _ .
Systems Administrator     mob: 07968 324 693   demon @ thus . .
Web & Hosting Team        chrise@demon.net     http://www.demon.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
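The rule ordering the thread settles on (denies for RFC1918 sources and unwanted ports first, so dropped traffic is never shaped or counted; the dummynet pipe next; the service allows after it; deny everything else last), together with the net.inet.ip.fw.one_pass check Simon asked about, as an added shell script. This is an added example, not code from either poster: the outside interface fxp0, the host address in MYADDR, the 512Kbit/s pipe bandwidth and the rule numbers are all assumptions, and the IPFW variable exists so the ruleset can be dry-run with IPFW=echo on a machine without ipfw.

```shell
#!/bin/sh
# Added example: ipfw + dummynet ruleset in the order discussed on the list.
# Assumptions (not from the mail): outside interface fxp0, our address
# 192.0.2.1 (documentation range), a 512Kbit/s pipe, and the rule numbers.
# IPFW defaults to /sbin/ipfw; set IPFW=echo to print the rules instead.

OIF="${OIF:-fxp0}"
MYADDR="${MYADDR:-192.0.2.1}"

# A packet that matches a pipe rule only continues down to the deny/allow
# rules when one_pass is 0; with one_pass=1 it is accepted straight out of
# the pipe and the later rules never see it. This is the sysctl Simon
# suggested verifying.
set_one_pass() {
    sysctl -w net.inet.ip.fw.one_pass=0
}

# Check the output of "sysctl net.inet.ip.fw.one_pass" (passed in as $1)
# rather than calling sysctl, so the check itself can run anywhere.
one_pass_is_off() {
    case "$1" in
        "net.inet.ip.fw.one_pass: 0") return 0 ;;
        *) return 1 ;;
    esac
}

build_ruleset() {
    ipfw="${IPFW:-/sbin/ipfw}"
    "$ipfw" -f flush
    "$ipfw" pipe 1 config bw 512Kbit/s

    # 1. Denies first (Simon's suggestion): traffic that is going to be
    #    dropped anyway should not consume pipe bandwidth or be counted.
    "$ipfw" add 100 deny ip from 10.0.0.0/8 to any in via "$OIF"
    "$ipfw" add 110 deny ip from 172.16.0.0/12 to any in via "$OIF"
    "$ipfw" add 120 deny ip from 192.168.0.0/16 to any in via "$OIF"
    "$ipfw" add 130 deny tcp from any to any 3306 in via "$OIF"

    # 2. The pipe: everything that survived the denies is shaped and
    #    counted here, then (with one_pass=0) falls through to the allows.
    "$ipfw" add 200 pipe 1 ip from any to any in via "$OIF"

    # 3. Allows for the services that should be reachable.
    "$ipfw" add 300 allow tcp from any to "$MYADDR" 22 setup
    "$ipfw" add 310 allow tcp from any to "$MYADDR" 25 setup
    "$ipfw" add 320 allow tcp from any to any established

    # 4. Deny everything else.
    "$ipfw" add 65000 deny ip from any to any
}

# Only touch the live system when explicitly asked: ./rules.sh apply
if [ "${1:-}" = "apply" ]; then
    set_one_pass
    build_ruleset
fi
```

Run it as `IPFW=echo sh rules.sh` and call `build_ruleset` to see the rule list without loading it; `sh rules.sh apply` sets the sysctl and loads the rules. The deny-before-pipe order means an RFC1918-sourced flood is dropped at rule 100-120 and never occupies the pipe, which is the DoS angle Simon raises.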