From owner-freebsd-questions@FreeBSD.ORG Sun Feb 26 01:34:13 2006
From: RW
To: freebsd-questions@freebsd.org
Date: Sun, 26 Feb 2006 01:34:08 +0000
Subject: Dummynet with Dynamic IPFW Rules
Message-Id: <200602260134.09835.list-freebsd-2004@morbius.sent.com>

I've been looking into using Dummynet for outgoing traffic, and I've found it hard going because the tutorials and how-to's deal with it in isolation, without indicating how it would be used in a real firewall.
They generally suggest setting net.inet.ip.fw.one_pass=1, which as I understand it, implies that any packet passed into dummynet is passed statically through the firewall. I want to keep my existing dynamic rules, and it seems that one way would be to keep net.inet.ip.fw.one_pass=0 and follow each dummynet rule with a skipto rule that uses an identical test. So when the packet emerges from dummynet it skips the other pipe and queue rules, and hits the check-state. Something like this:

--------------------------------------------------------------------------------------
...
#prioritize small ack packets
0500 queue 1 tcp from any to any out via vr0 tcpflags ack iplen 0-80
0501 skipto 1000 tcp from any to any out via vr0 tcpflags ack iplen 0-80
#prioritize ntp
0600 queue 1 tcp from any to any out ntp via vr0
0601 skipto 1000 tcp from any to any out ntp via vr0
1000 check-state
1010 deny tcp from any to any in established
1020 allow tcp from any to any out setup keep-state
1030 allow udp from any to any ntp out keep-state
--------------------------------------------------------------------------------------

Will this work? And is it the best way to handle this problem? It seems a bit clumsy.
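As an added illustration that is not part of RW's post (and not ipfw code), the following toy Python model walks the ruleset above under the post's own reading of net.inet.ip.fw.one_pass: with 1 a packet is accepted when it comes back from dummynet, with 0 it resumes at the rule after the queue rule. The packet fields, the flow key, the simplified matchers and the default-deny tail are assumptions; scenario() shows that the queue/skipto pairing still forces a small ACK through check-state, while one_pass=1 lets it out with no dynamic rule at all.

```python
# Constructed: the post's ruleset reduced to (number, action, predicate name).
RULES = [(500, "queue 1", "small_ack"), (501, "skipto 1000", "small_ack"),
         (600, "queue 1", "ntp_out"), (601, "skipto 1000", "ntp_out"),
         (1000, "check-state", "any"), (1010, "deny", "tcp_in_established"),
         (1020, "allow keep-state", "tcp_out_setup"), (1030, "allow keep-state", "udp_ntp_out")]

def tcp_out(p): return p["proto"] == "tcp" and p["dir"] == "out"
PRED = {"any": lambda p: True,   # simplified matchers (assumption); "via vr0" is implied
        "small_ack": lambda p: tcp_out(p) and "ACK" in p["flags"] and p["iplen"] <= 80,
        "ntp_out": lambda p: tcp_out(p) and p["dport"] == 123,   # tcp, as in the post
        "tcp_in_established": lambda p: p["proto"] == "tcp" and p["dir"] == "in"
                              and bool(p["flags"] & {"ACK", "RST"}),
        "tcp_out_setup": lambda p: tcp_out(p) and p["flags"] == {"SYN"},
        "udp_ntp_out": lambda p: p["proto"] == "udp" and p["dir"] == "out" and p["dport"] == 123}

def flow(p):  # dynamic-rule key; ports sorted so a reply maps to the same key (toy)
    return (p["proto"], *sorted((p["sport"], p["dport"])))

def walk(pkt, one_pass, state):
    """Return (verdict, rule numbers matched); `state` is the dynamic-rule set."""
    visited, i = [], 0
    while i < len(RULES):
        num, action, pred = RULES[i]
        if not PRED[pred](pkt):
            i += 1
            continue
        visited.append(num)
        verb, *arg = action.split()
        if verb == "queue" and one_pass:    # one_pass=1: accepted after dummynet,
            return "allow-static", visited  # never reaching check-state/keep-state
        elif verb == "skipto":              # continue at the first rule >= target
            i = next((k for k, r in enumerate(RULES) if r[0] >= int(arg[0])), len(RULES))
        elif verb == "check-state" and flow(pkt) in state:
            return "allow-dynamic", visited
        elif verb == "deny":
            return "deny", visited
        elif verb == "allow":
            if "keep-state" in action:      # create the dynamic rule
                state.add(flow(pkt))
            return "allow", visited
        else:                               # queue with one_pass=0, or no state yet:
            i += 1                          # resume at the following rule
    return "deny-default", visited          # assumes a default-deny ruleset

def scenario(one_pass):  # a SYN, a small ACK of that flow, and a small ACK with no state
    state = set()
    syn = dict(proto="tcp", dir="out", sport=40000, dport=80, flags={"SYN"}, iplen=60)
    ack, stray = dict(syn, flags={"ACK"}), dict(syn, flags={"ACK"}, sport=40001)
    return {n: walk(p, one_pass, state)[0]
            for n, p in (("syn", syn), ("ack", ack), ("stray_ack", stray))}
```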