Date:      Thu, 15 Feb 2001 14:36:39 +0000
From:      Chris Elsworth <chrise@demon.net>
To:        Simon Loader <simon@herculeez.com>
Cc:        stable@freebsd.org
Subject:   Re: ipfw query..
Message-ID:  <20010215143639.A96439@demon.net>
In-Reply-To: <3A8BE84C.108A1625@herculeez.com>; from simon@herculeez.com on Thu, Feb 15, 2001 at 02:31:40pm +0000
References:  <20010215130342.A95395@demon.net> <20010215135309.A23654@rug-rats.org> <3A8BE217.7AF6BFBD@herculeez.com> <20010215140949.A96244@demon.net> <3A8BE84C.108A1625@herculeez.com>

On Thu, Feb 15, 2001 at 02:31:40pm +0000, Simon Loader wrote:

> > pipes first - I was planning to do everything so I could count it and
> >         bandwidth limit it
> > deny anything appearing to come from RFC1918 ranges
> > deny any ports I specifically don't want people to see like 3306
> > deny any source IPs I specifically don't want to let in
> > allow selected privileged ports (ssh, smtp, et al)
> > allow selected outbound accesses (tho this is paranoid and could go)
> 
> Paranoia is good for firewalls.

:) Not much point in having one otherwise, is there? :)

> > deny everything else
> > 
> > >--
> > 
> > If I don't put the pipes first then I can't bandwidth limit, because when
> > the packets go through one of the allow rules, to, say, sshd - then
> > they'll never see the pipe and won't get limited or counted. So the pipes
> > have to come first..
> > 
> 
> OK this is probably not useful but you could move the denys only to
> before the pipes
> so you are not bandwidth limiting people on stuff they don't get.
> ( interesting DoS attack otherwise (in theory) if someone had lots of
> bandwidth).

Yeah, that'd be a good first step I suppose..

> ummmmm..... looking at the manual you have everything correct :)

Gee, well.. I guess that's kind of what I did and didn't want to hear
:) I'm doing it right but it doesn't work - doh :) send-pr time? :)

> You could try doing this to make sure
> 
> sysctl -w net.inet.ip.fw.one_pass=0

I already did that.. :

gw-0# sysctl net.inet.ip.fw.one_pass
net.inet.ip.fw.one_pass: 0

It's zero already, I've set it a few times - definitely zero :)

> scratch, scratch or perhaps the pipe rule is going wrong?

Wrong in what way? This might be the one thing left to check out..

> STUPID QUESTION:
> you do have the DUMMYNET option in the Kernel

Yup, if I didn't have that then the pipes wouldn't work at all..

/me scratches his head and wanders off..

-- 
Chris Elsworth               tel: 020 8371 1041        _            .
Systems Administrator        mob: 07968 324 693       demon @ thus . .
Web & Hosting Team             chrise@demon.net   http://www.demon.net
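As an added illustration (not code from this thread, and not ipfw's own implementation), a small Python model of how ipfw walks a ruleset: a pipe rule either ends evaluation (one_pass=1) or lets the packet continue at the next rule (one_pass=0). The two rulesets follow the ordering discussed above; the rule numbers, addresses and ports are made up.

```python
from ipaddress import ip_address, ip_network

# Constructed toy model of ipfw rule evaluation; real ipfw behaves differently in detail.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(src):
    return any(ip_address(src) in net for net in RFC1918)


# Each rule is (number, action, predicate over the packet dict).
def ruleset_pipe_first():
    """The ordering from the thread: pipe first so everything is counted/limited."""
    return [
        (100, "pipe 1", lambda p: True),
        (200, "deny", lambda p: is_rfc1918(p["src"])),
        (300, "deny", lambda p: p["dport"] == 3306),
        (400, "allow", lambda p: p["dport"] in (22, 25)),
        (65535, "deny", lambda p: True),
    ]


def ruleset_denies_first():
    """Simon's suggestion: denies before the pipe, so dropped traffic is never shaped."""
    return [
        (100, "deny", lambda p: is_rfc1918(p["src"])),
        (200, "deny", lambda p: p["dport"] == 3306),
        (300, "pipe 1", lambda p: True),
        (400, "allow", lambda p: p["dport"] in (22, 25)),
        (65535, "deny", lambda p: True),
    ]


def evaluate(rules, pkt, one_pass):
    """Return (verdict, list of pipe rule numbers that saw the packet)."""
    pipes_hit = []
    for num, action, match in rules:
        if not match(pkt):
            continue
        if action.startswith("pipe"):
            pipes_hit.append(num)          # packet is counted/shaped by this pipe
            if one_pass:
                return "allow", pipes_hit  # one_pass=1: leaves the firewall after the pipe
            continue                       # one_pass=0: re-injected at the next rule
        return action, pipes_hit
    return "deny", pipes_hit
```

With one_pass=1 and the pipe first, an RFC1918-sourced packet to port 3306 is accepted and never reaches the deny rules; with one_pass=0 it is denied but still consumed pipe bandwidth, which is the DoS concern raised above.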