Date: Tue, 29 Nov 2011 01:34:28 +0100
From: Marek Salwerowicz <marek_sal@wp.pl>
To: Freddie Cash <fjwcash@gmail.com>, freebsd-net@freebsd.org
Subject: Re: ipfw - accessing DMZ from LAN , pipes
Message-ID: <4ED42894.6010506@wp.pl>
In-Reply-To: <CAOjFWZ7_FiuFEMk1O70gQhn6UxNYB4pu30LzwyBbeCdLsNN25w@mail.gmail.com>
References: <4E412116.1070305@wp.pl> <CAOjFWZ4B3uUfOLAzL=B1WY98rqi6X32j7FM61VjJ3td76NkADg@mail.gmail.com> <4E422A74.3090601@wp.pl> <CAOjFWZ5CK62nQMA8JsfW1b4BQh3hAJbAAynortzaUBqSWBwdSQ@mail.gmail.com> <4E7B450F.5050802@wp.pl> <CAOjFWZ6wf9NnVeffUV4uA6h1t-1T8juxXycZbM7%2BGgpFC-HkUg@mail.gmail.com> <4E84B447.7010509@wp.pl> <CAOjFWZ4XOU2dT3%2BL6AJeUNO7QcC=0ymLXN3GMkzCuoB3a1Qyew@mail.gmail.com> <4E84DE26.6030103@misal.pl> <4E85D8CB.6010104@wp.pl> <CAOjFWZ6xZ5bDcm6aAVvwz47rmYLEqSyKO5Bzg3aQPHS-o98w_w@mail.gmail.com> <4E876705.3040806@wp.pl> <CAOjFWZ7LV3z=22mPLXw-T0W6dJCfVVZ9Q%2Bd%2BKxg1VFdM51eLww@mail.gmail.com> <4ED40CF7.2040005@wp.pl> <CAOjFWZ7_FiuFEMk1O70gQhn6UxNYB4pu30LzwyBbeCdLsNN25w@mail.gmail.com>
On 2011-11-28 23:49, Freddie Cash wrote:

> This is something I've never really received a satisfactory answer to. I
> believe you have to put your pipe/queue rules in place of your final allow
> rules. IOW, the pipe/queue rules are the final rule that a packet touches
> in the ruleset.
>
> For example, for outgoing HTTP traffic, you would allow the packet coming
> in on the internal interface. Then you NAT the packet as it goes out the
> external interface. And, finally, you send the NAT'd packet to the
> pipe/queue, instead of allowing the NAT'd packet out the external interface.

Yes! You're right ;) Thanks for suggesting that. I've made it like this:

    $cmd add 4006 pipe 1 ip from $DMZHOST1PUB to any out xmit $PUBLICIF
    #$cmd add 4010 allow ip from $DMZHOST1PUB to any out xmit $PUBLICIF   #commented - used pipe above
    $cmd add 4016 pipe 2 ip from any to $DMZHOST1 in recv $PUBLICIF
    #$cmd add 4020 allow ip from any to $DMZHOST1 in recv $PUBLICIF       #commented - used pipe above

And it worked ;)

And at the beginning of the firewall script I put the configs:

    #pipe for DMZ hosts - pipe 1 upload limit
    $cmd pipe 1 config bw 200Kbit/s
    #pipe for DMZ hosts - pipe 2 download limit
    $cmd pipe 2 config bw 1536Kbit/s

> All of the examples in the man page, handbook, and online show the 'add
> pipe' rules first, then the 'pipe config' rules. But that seems backward to
> me. So I always do my 'pipe config' rules first. After all, how do you send
> a packet to a pipe that doesn't exist yet? :)

;) It makes sense to config first and then attach traffic to the pipe - for me it works.

regards,

-- 
Marek Salwerowicz
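The ordering the thread settles on (configure the pipes first, then use the pipe rules in place of the final allow rules) as an added, self-contained example; this is not Marek's or Freddie's script. The interface name and addresses are constructed placeholders, and by default the script only prints the ipfw commands (set IPFW=/sbin/ipfw to apply them). One caveat that makes "the pipe rule is the final rule the packet touches" true: with the default sysctl net.inet.ip.fw.one_pass=1 a packet handed to a pipe is accepted after shaping and not re-evaluated, so the pipe rule really does replace the allow rule; with one_pass=0 the packet re-enters the ruleset at the next rule and needs an allow further down.

```shell
#!/bin/sh
# Added example (not from the thread): DMZ rate limiting with ipfw dummynet pipes,
# with the pipe configuration placed before the rules that send traffic to them.
# Dry run by default; export IPFW=/sbin/ipfw to really load the rules.
IPFW="${IPFW:-echo ipfw}"

# Constructed sample values (assumptions, not from the thread).
PUBLICIF="${PUBLICIF:-em0}"
DMZHOST1="${DMZHOST1:-192.168.10.10}"        # DMZ host, private address
DMZHOST1PUB="${DMZHOST1PUB:-203.0.113.10}"   # its public (NAT'd) address

dmz_pipes() {
    # 1. Pipe configuration first, so every pipe exists before a rule references it.
    $IPFW pipe 1 config bw 200Kbit/s     # DMZ hosts: upload limit
    $IPFW pipe 2 config bw 1536Kbit/s    # DMZ hosts: download limit

    # 2. The pipe rules take the place of the final allow rules for this traffic.
    #    With net.inet.ip.fw.one_pass=1 (default) the packet is accepted after the
    #    pipe and is not re-evaluated, so no separate allow rule is needed here.
    $IPFW add 4006 pipe 1 ip from "$DMZHOST1PUB" to any out xmit "$PUBLICIF"
    $IPFW add 4016 pipe 2 ip from any to "$DMZHOST1" in recv "$PUBLICIF"
}

# Sanity check for a generated command list on stdin: every "add ... pipe N"
# must be preceded by a "pipe N config". Exit status 0 when the order is right.
pipes_configured_before_use() {
    awk '
        $2 == "pipe" && $4 == "config" { seen[$3] = 1; next }
        $2 == "add" {
            for (i = 3; i < NF; i++)
                if ($i == "pipe" && !seen[$(i + 1)]) bad = 1
        }
        END { exit bad ? 1 : 0 }
    '
}

# Usage: print the ruleset and verify its ordering.
dmz_pipes | pipes_configured_before_use && dmz_pipes
```

Run it once without IPFW set to review the commands, then with IPFW=/sbin/ipfw from the firewall script; the awk check is a cheap guard to keep in the script so a later edit cannot reintroduce the "add pipe before pipe config" ordering.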