From: Ian Smith <smithi@nimnet.asn.au>
To: budsz
Cc: freebsd-ipfw@freebsd.org, freebsd-questions@freebsd.org
Date: Sat, 7 Jan 2012 20:27:44 +1100 (EST)
Subject: Re: IPFW transparent VS dummynet rules
Message-ID: <20120107201823.H3704@sola.nimnet.asn.au>

On Sat, 7 Jan 2012, budsz wrote:

> Hi folks,
>
> I already found the mistake of my ruleset sequence on my box, for ex:
>
> ${fwcmd} add 30 fwd ${ipproxy},${portproxy} tcp from ${ipclproxy} to
> any dst-port ${porthttp} in via ${ifint0}
>
> ${fwcmd} add 52 pipe 2 ip from any to ${ipclient} via ${ifint0}
> ${fwcmd} add 53 pipe 3 ip from ${ipclient} to any via ${ifint0}
> ${fwcmd} pipe 2 config bw ${bwcldown} mask dst-ip 0xffffffff
> ${fwcmd} pipe 3 config bw ${bwclup} mask src-ip 0xffffffff
>
> With this ruleset sequence, the limiter didn't work but the fwd rules
> were working. If I switch it like:
>
> ${fwcmd} add 52 pipe 2 ip from any to ${ipclient} via ${ifint0}
> ${fwcmd} add 53 pipe 3 ip from ${ipclient} to any via ${ifint0}
> ${fwcmd} pipe 2 config bw ${bwcldown} mask dst-ip 0xffffffff
> ${fwcmd} pipe 3 config bw ${bwclup} mask src-ip 0xffffffff
>
> ${fwcmd} add 70 fwd ${ipproxy},${portproxy} tcp from ${ipclproxy} to
> any dst-port ${porthttp} in via ${ifint0}
>
> The limiter was working but fwd didn't work. Anyone have a clue to fix
> this dilemma?

Quoting ipfw(8):

     fwd | forward ipaddr | tablearg[,port]
             Change the next-hop on matching packets to ipaddr, which can
             be an IP address or a host name.  The next hop can also be
             supplied by the last table looked up for the packet by using
             the tablearg keyword instead of an explicit address.  The
             search terminates if this rule matches.

Note particularly the last sentence.  You'll have to do your dummynet
piping first, if it is to apply also to forwarded packets.

(sysctl)

     net.inet.ip.fw.one_pass: 1
             When set, the packet exiting from the dummynet pipe or from
             ng_ipfw(4) node is not passed through the firewall again.
             Otherwise, after an action, the packet is reinjected into
             the firewall at the next rule.

It seems that you may have one_pass set to 1.  Set to 0, packets will
continue through the ruleset on exit from pipe/s, so to your fwd rule.

cheers, Ian
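Added illustration, not part of the thread above: a small Python model of how ipfw walks a ruleset, covering only the two points Ian raises (fwd terminates the search; pipe terminates only while one_pass=1). It runs both of budsz's orderings against one constructed client HTTP packet; the interface name, addresses and proxy port are made-up placeholders, not values from the thread.

```python
"""Toy model of ipfw rule traversal for the fwd-vs-dummynet ordering question.
Constructed example: interface, addresses and ports are placeholders, and only
the actions the thread uses (fwd, pipe, allow) are modelled."""

IFINT0 = "em1"                 # hypothetical inside interface (${ifint0})
IPCLIENT = "192.0.2.10"        # hypothetical rate-limited client (${ipclient})
PROXY = ("192.0.2.1", 3128)    # hypothetical ${ipproxy},${portproxy}


def match(rule, pkt):
    """True when every field the rule specifies equals the packet's field."""
    return all(pkt.get(k) == v for k, v in rule["match"].items())


def traverse(rules, pkt, one_pass):
    """Walk rules in number order and return the list of actions applied.
    fwd and allow always end the search (ipfw(8)); a pipe ends it only when
    net.inet.ip.fw.one_pass=1, otherwise the packet re-enters at the next rule."""
    applied = []
    for rule in sorted(rules, key=lambda r: r["num"]):
        if not match(rule, pkt):
            continue
        applied.append(rule["action"])
        if rule["action"].startswith(("fwd", "allow")):
            break
        if rule["action"].startswith("pipe") and one_pass:
            break
    return applied


# The three rules from the thread, with the client assumed to be in ${ipclproxy}.
FWD = {"num": 30, "action": f"fwd {PROXY[0]},{PROXY[1]}",
       "match": {"proto": "tcp", "src": IPCLIENT, "dport": 80, "dir": "in", "via": IFINT0}}
PIPE_DOWN = {"num": 52, "action": "pipe 2", "match": {"dst": IPCLIENT, "via": IFINT0}}
PIPE_UP = {"num": 53, "action": "pipe 3", "match": {"src": IPCLIENT, "via": IFINT0}}
ALLOW = {"num": 65000, "action": "allow", "match": {}}

RULESET_FWD_FIRST = [FWD, PIPE_DOWN, PIPE_UP, ALLOW]            # budsz's first ordering
RULESET_PIPE_FIRST = [dict(FWD, num=70), PIPE_DOWN, PIPE_UP, ALLOW]  # second ordering

# Constructed packet: the client's outbound HTTP request arriving on the inside interface.
HTTP_REQ = {"proto": "tcp", "src": IPCLIENT, "dst": "198.51.100.7",
            "dport": 80, "dir": "in", "via": IFINT0}

if __name__ == "__main__":
    for name, rs in (("fwd first", RULESET_FWD_FIRST), ("pipe first", RULESET_PIPE_FIRST)):
        for one_pass in (1, 0):
            print(f"{name:10s} one_pass={one_pass}: {traverse(rs, HTTP_REQ, one_pass)}")
```

Only the pipe-first ordering with one_pass=0 applies both the limiter and the forward, which is the combination Ian's reply recommends.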