From owner-freebsd-net@FreeBSD.ORG Thu Jul 29 07:39:53 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 72FD316A4CE for ; Thu, 29 Jul 2004 07:39:53 +0000 (GMT) Received: from caine.easynet.fr (smarthost131.mail.easynet.fr [212.180.1.131]) by mx1.FreeBSD.org (Postfix) with ESMTP id 38D1643D64 for ; Thu, 29 Jul 2004 07:39:52 +0000 (GMT) (envelope-from tataz@tatooine.tataz.chchile.org) Received: from [212.180.127.72] (helo=tatooine.tataz.chchile.org) by caine.easynet.fr with esmtp (Exim 4.34) id 1Bq5Vt-0006l9-DM for freebsd-net@freebsd.org; Thu, 29 Jul 2004 09:39:42 +0200 Received: by tatooine.tataz.chchile.org (Postfix, from userid 1000) id 6627D408F; Thu, 29 Jul 2004 09:06:43 +0200 (CEST) Resent-From: jeremie@le-hen.org Resent-Date: Thu, 29 Jul 2004 09:06:43 +0200 Resent-Message-ID: <20040729070643.GB41480@obiwan.tataz.chchile.org> Resent-To: freebsd-net@freebsd.org X-Original-To: tataz@tataz.chchile.org Delivered-To: tataz@tataz.chchile.org Received: from ideliver.epitech.net (deliver.epitech.net [163.5.0.25]) by tatooine.tataz.chchile.org (Postfix) with SMTP id AF8FB4070 for ; Thu, 29 Jul 2004 08:48:46 +0200 (CEST) Received: from epita.fr ([10.42.1.60]) by ideliver.epitech.net (SAVSMTP 3.1.2.35) with SMTP id M2004072908512820505 for ; Thu, 29 Jul 2004 08:51:28 +0200 Received: from garibaldi (garibaldi.epita.fr [10.42.2.43]) by epita.fr id i6T6otg00987 for tataz@tataz.chchile.org EPITA Paris France Thu, 29 Jul 2004 08:50:55 +0200 (CEST) Resent-From: jeremie le-hen Resent-Message-Id: <200407290650.i6T6otg00987@epita.fr> Date: Thu, 29 Jul 2004 01:23:52 +0200 From: Jeremie Le Hen To: Charlie Schluting Message-ID: <20040728232352.GB8838@tuileries.epita.fr> References: <41081955.5090204@schluting.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <41081955.5090204@schluting.com> User-Agent: Mutt/1.4i Resent-Date: Thu, 29 Jul 2004 08:50:54 +0200 Resent-To: tataz@tataz.chchile.org X-Broken-Reverse-DNS: no host name found for IP address 212.180.127.72 cc: freebsd-net@freebsd.org Subject: Re: packet order, ipf or ipfw X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 29 Jul 2004 07:39:53 -0000 Hello Charlie, > I'm running ipf because I like it ...but now I need to use ipfw's pipe > feature. I was thinking that I could just run both, and keep all my > rules in ipf, then in ipfw: limit bandwidth for a few vlans, then allow all. > > It didn't work (no rate-limiting happened).. and I'm thinking that ipf > is passing the packets and bypassing ipfw? Or something.. > > So, what is the order, if I'm running ipf AND ipfw at the same time? > Will it work at all in this manner? Max Laier told you about FreeBSD 5.x which includes PFIL_HOOKS, but since you did not mention whether you are using -STABLE or -CURRENT. AFAIK, ipf takes precedence on ipfw for incoming packets on -STABLE, and this is of course symmetric for outgoing ones. But you should be warned that using ipnat(8) in conjunction to ipfw pipes may lead to an incorrect behaviour : http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/61685 Hackers, is this bug still alive in -CURRENT ? Best regards, -- Jeremie LE HEN aka TtZ/TataZ jeremie.le-hen@epita.fr ttz@epita.fr Hi! I'm a .signature virus! Copy me into your ~/.signature to help me spread!