From: Bikrant Neupane <bikrant_ml@wlink.com.np>
To: freebsd-isp@freebsd.org
Cc: NetAdmin, freebsd-questions@freebsd.org
Date: Fri, 24 Sep 2004 12:05:53 +0545
Subject: Re: Ipfw accept rule
In-Reply-To: <20040923091609.K60082-100000@tyberius.abccom.bc.ca>
Message-Id: <200409241205.53812.bikrant_ml@wlink.com.np>

On Thursday 23 September 2004 22:29, Jon Simola wrote:
> On Thu, 23 Sep 2004, Bikrant Neupane wrote:
> > Here is my rule set:
> >
> > #skip depending on the pkt layer
> > 01000 322 14780 skipto 10000 ip from any to any layer2 in via xl0
> > 01100 200 93204 skipto 20000 ip from any to any not layer2
> >
> > #rule num 10000 to 20000 allocated for layer2 filtering
> > #for mac filter: allow only listed mac to send traffic
> > 10000 39 1780 allow ip from any to any MAC any 00:00:0e:84:00:83 in via xl0
> > #default deny all mac coming in from xl0
> > 19997 284 13046 deny ip from any to any MAC any any in via xl0
>
> If this is layer2 filtering, where are the layer2 tags in the ipfw rule?
> And if this is the extent of your layer 2, then don't forget an allow/deny
> default for layer2 packets (allow ip from any to any layer2). Also, you're
> only checking your layer2 on a specific interface, perhaps you only have
> one.
>
> I've got something like:
> 00010 skipto 32000 ip from any to any not layer2
> 00050 deny ip from any to any MAC any 00:30:da:00:00:00/24 layer2 in
> 00055 count ip from any to any MAC any 00:0b:db:1d:63:56 layer2 in // sniffing for traffic
> 03100 allow ip from any to any layer2
> // bandwidth monitoring pipes
> 32003 pipe 3 ip from any to any src-ip 10.10.66.0/24 in recv em1
> 32004 pipe 4 ip from any to any dst-ip 10.10.66.0/24 out xmit em1
> 65534 allow ip from any to any
> 65535 deny ip from any to any

Well, I have no problem with the MAC filtering rules. The only problem I am
having is that the packets hit the matching rule twice; as a result I get only
half of the bandwidth specified in the ipfw pipe command.

35004   324   485880 pipe 202 ip from any to 202.79.45.254 out via xl0
35005   302    12080 pipe 203 ip from 202.79.45.254 to any out via em0

Isn't there a way to construct rules such that matching packets hit the rule
only once?

regards,
Bikrant

> ---
> Jon Simola            | "In the near future - corporate networks
> Systems Administrator | reach out to the stars, electrons and light
> ABC Communications    | flow throughout the universe." -- GITS
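To see why the pipe rule in the message above is hit twice, here is a small Python model of ipfw's two-pass evaluation. It is an added illustration for this thread, not FreeBSD's ipfw code and not anything Bikrant or Jon posted. It assumes net.link.ether.ipfw=1 (every packet is run through the rules once as an Ethernet frame and once as an IP packet), net.inet.ip.fw.one_pass=1 (a pipe match ends the pass), and reduces ipfw syntax to the keywords used in the thread; the sample packets and the rule number 19999 for the layer2 default are constructed for the demonstration.

```python
"""Toy model of ipfw traversal with net.link.ether.ipfw=1 (added illustration,
not FreeBSD code). Assumptions: every packet is evaluated twice, once as an
Ethernet frame (layer2=True) and once as an IP packet (layer2=False); a matching
'pipe' ends the pass (net.inet.ip.fw.one_pass=1); MAC options only match in the
layer2 pass; syntax is reduced to the keywords used in the thread."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Rule:
    num: int
    action: str                      # allow | deny | skipto | pipe | count
    arg: int = 0                     # skipto target or pipe number
    layer2: Optional[bool] = None    # True: 'layer2', False: 'not layer2'
    dir: Optional[str] = None        # 'in' | 'out'
    via: Optional[str] = None        # interface name
    src: str = "any"                 # IP address or CIDR
    dst: str = "any"
    dst_mac: str = "any"             # ipfw writes 'MAC dst-mac src-mac'
    src_mac: str = "any"

@dataclass
class Packet:
    src: str
    dst: str
    dir: str                         # 'in' | 'out'
    iface: str
    src_mac: str = "00:00:00:00:00:00"
    dst_mac: str = "ff:ff:ff:ff:ff:ff"

def _ip_match(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(rule: Rule, pkt: Packet, layer2: bool) -> bool:
    """Does the rule match this packet during a layer2 (True) or IP (False) pass?"""
    if rule.layer2 is not None and rule.layer2 != layer2:
        return False
    if rule.dir is not None and rule.dir != pkt.dir:
        return False
    if rule.via is not None and rule.via != pkt.iface:
        return False
    if (rule.src_mac != "any" or rule.dst_mac != "any") and not layer2:
        return False                 # no Ethernet header to inspect in the IP pass
    if rule.src_mac not in ("any", pkt.src_mac) or rule.dst_mac not in ("any", pkt.dst_mac):
        return False
    return _ip_match(rule.src, pkt.src) and _ip_match(rule.dst, pkt.dst)

def run_pass(rules: List[Rule], pkt: Packet, layer2: bool) -> Tuple[str, List[int]]:
    """Walk the sorted rule list once; return (verdict, pipe numbers hit)."""
    pipes: List[int] = []
    i = 0
    while i < len(rules):
        r = rules[i]
        if not matches(r, pkt, layer2) or r.action == "count":
            i += 1
        elif r.action == "skipto":   # jump to the first rule numbered >= target
            i = next((j for j, x in enumerate(rules) if x.num >= r.arg), len(rules))
        elif r.action == "pipe":
            pipes.append(r.arg)
            return "allow", pipes    # one_pass=1: packet leaves ipfw after dummynet
        else:
            return r.action, pipes   # allow or deny
    return "deny", pipes             # implicit default rule 65535

def traverse(rules: List[Rule], pkt: Packet) -> Tuple[str, List[int]]:
    """Both passes: layer2 then IP for inbound, IP then layer2 for outbound."""
    rules = sorted(rules, key=lambda r: r.num)
    hits: List[int] = []
    for layer2 in ((True, False) if pkt.dir == "in" else (False, True)):
        verdict, pipes = run_pass(rules, pkt, layer2)
        hits.extend(pipes)
        if verdict == "deny":
            return "deny", hits
    return "allow", hits

def bikrant_rules() -> List[Rule]:
    """The rules posted in the thread (counters dropped)."""
    return [
        Rule(1000, "skipto", 10000, layer2=True, dir="in", via="xl0"),
        Rule(1100, "skipto", 20000, layer2=False),
        Rule(10000, "allow", src_mac="00:00:0e:84:00:83", dir="in", via="xl0"),
        Rule(19997, "deny", dir="in", via="xl0"),
        Rule(35004, "pipe", 202, dst="202.79.45.254", dir="out", via="xl0"),
        Rule(35005, "pipe", 203, src="202.79.45.254", dir="out", via="em0"),
        Rule(65535, "deny"),
    ]

def with_layer2_default(rules: List[Rule]) -> List[Rule]:
    """Jon's suggestion: a default for layer2 frames so they never fall through
    to the pipes. Rule number 19999 is a hypothetical choice (any number below
    20000 keeps it inside the layer2 block)."""
    return rules + [Rule(19999, "allow", layer2=True)]

if __name__ == "__main__":
    out = Packet("10.0.0.5", "202.79.45.254", "out", "xl0")   # constructed sample packet
    print("as posted:          ", traverse(bikrant_rules(), out))                      # ('allow', [202, 202])
    print("with layer2 default:", traverse(with_layer2_default(bikrant_rules()), out))  # ('allow', [202])
```

Run as posted, an outbound packet to 202.79.45.254 reaches rule 35004 in the IP pass (through the skipto 20000) and again in the layer2 pass, because nothing in the 10000 to 19997 block matches an outbound frame, so the frame falls through to the pipe; the pipe therefore sees every packet twice, which is the halved rate Bikrant reports. With an `allow ip from any to any layer2` default inside the layer2 block, as Jon suggested, the layer2 pass ends there and the pipe is hit once. The model does not cover net.inet.ip.fw.one_pass=0, where a packet re-enters ipfw after the pipe at the next rule.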