From: Freddie Cash <fjwcash@gmail.com>
To: Marek Salwerowicz
Cc: freebsd-net@freebsd.org
Date: Mon, 28 Nov 2011 14:49:10 -0800
Subject: Re: ipfw - accessing DMZ from LAN , pipes
In-Reply-To: <4ED40CF7.2040005@wp.pl>
List-Id: Networking and TCP/IP with FreeBSD

Apologies if the formatting below gets messed up, writing this on my phone.

On Nov 28, 2011 2:36 PM, "Marek Salwerowicz" wrote:

> I am confused about one thing - I wanted to set up pipes for my DMZ hosts (not to allow my hosts to consume all the bandwidth).
> When I set up the pipes at the beginning of my firewall (before configuring the NAT) - the whole traffic is blocked.
> When I set up the pipes at the end of the firewall - they don't work (even 'ipfw show' shows no packets coming through 'pipe' rules).
>
> Where should the pipe rules be placed?

This is something I've never really received a satisfactory answer to.

I believe you have to put your pipe/queue rules in place of your final allow rules. IOW, the pipe/queue rules are the final rule that a packet touches in the ruleset.

For example, for outgoing HTTP traffic, you would allow the packet coming in on the internal interface. Then you NAT the packet as it goes out the external interface. And, finally, you send the NAT'd packet to the pipe/queue, instead of allowing the NAT'd packet out the external interface.

However, I have not actually implemented pipes/queue on any of my NAT firewalls, just on my routing firewalls. I have plans to test that at some point this school year.

> Does it matter if I do first 'ipfw add pipe 1...' and then 'ipfw pipe 1 config...'?

All of the examples in the man page, handbook, and online show the 'add pipe' rules first, then the 'pipe config' rules. But that seems backward to me. So I always do my 'pipe config' rules first. After all, how do you send a packet to a pipe that doesn't exist yet? :)

Freddie
fjwcash@gmail.com
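As an added illustration of the ordering Freddie describes (this is constructed example code, not Freddie's ruleset and not anything posted in the thread): a script that emits an ipfw ruleset with the 'pipe config' lines first, the allow rule on the inside interface, the nat rule on the outside interface, and the pipe rule as the last rule an outbound packet touches; it then lints the emitted text so that a pipe is never referenced before it is configured and no pipe rule precedes the nat rule. The interface names em0/em1/em2, the DMZ network 192.0.2.0/24 and the 10Mbit/s bandwidths are assumed placeholders.

```shell
#!/bin/sh
# Constructed example: ipfw ruleset in the order described in the thread.
# Interface names, the DMZ network and the bandwidths are placeholders (assumptions).
LAN_IF="em0"; WAN_IF="em1"; DMZ_IF="em2"
DMZ_NET="192.0.2.0/24"   # constructed, TEST-NET-1

# Emit the ruleset as text so it can be reviewed and linted before being
# fed to a shell on the firewall (where the ipfw binary exists).
gen_ruleset() {
cat <<EOF
ipfw -q flush
ipfw -q pipe flush
ipfw pipe 1 config bw 10Mbit/s
ipfw pipe 2 config bw 10Mbit/s
ipfw nat 1 config if ${WAN_IF} reset same_ports
ipfw add 100 allow ip from any to any via lo0
ipfw add 200 nat 1 ip from any to any in via ${WAN_IF}
ipfw add 300 allow tcp from ${DMZ_NET} to any 80,443 in via ${DMZ_IF}
ipfw add 400 nat 1 ip from ${DMZ_NET} to any out via ${WAN_IF}
ipfw add 500 pipe 1 ip from any to any out via ${WAN_IF}
ipfw add 600 pipe 2 ip from any to ${DMZ_NET} out via ${DMZ_IF}
ipfw add 65000 deny ip from any to any
EOF
}

# Lint a ruleset read from stdin: every 'pipe N config' must appear before
# the first 'add ... pipe N' rule, and every 'add ... pipe' rule must come
# after the first 'add ... nat' rule (the pipe is the last rule hit).
# Exits 0 when clean, 1 when a violation is found (each one is printed).
lint_ruleset() {
  awk '
    /^ipfw pipe [0-9]+ config/ { configured[$3] = NR; next }
    /^ipfw add [0-9]+ nat /    { if (!nat_seen) nat_seen = NR; next }
    /^ipfw add [0-9]+ pipe /   {
      n = $5
      if (!(n in configured)) { print "pipe " n " used at line " NR " before its config"; bad = 1 }
      if (!nat_seen)          { print "pipe rule at line " NR " precedes the nat rule"; bad = 1 }
    }
    END { exit bad }'
}

# Run the lint over the generated ruleset.
check_ruleset() {
  gen_ruleset | lint_ruleset
}
```

Note that with the default sysctl net.inet.ip.fw.one_pass=1 a packet leaving a pipe is accepted and not re-injected into the ruleset, which is what makes the pipe rule behave as the final allow; with one_pass=0 the packet continues at the next rule, so a later deny would still have to be accounted for.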