Date:      Thu, 23 Sep 2004 13:36:57 +0545
From:      Bikrant Neupane <bikrant_ml@wlink.com.np>
To:        freebsd-isp@freebsd.org
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Ipfw accept rule
Message-ID:  <200409231336.57405.bikrant_ml@wlink.com.np>
In-Reply-To: <20040923165730.E67579@mailgate.alburybf.org>
References:  <200409231233.00370.bikrant_ml@wlink.com.np> <20040923165730.E67579@mailgate.alburybf.org>

Thanks for the reply.
Well, I am not looking for the count rule.

Actually I have some other situation. I am trying to implement b/w shaping
using ipfw, and I am trying to include MAC address based filtering in it as
well. As long as I don't implement ipfw in ether (net.link.ether.ipfw=0/1)
pkts hit the rule only once and I get the b/w as specified in the IPFW pipe
syntax. However, when I enable ipfw in ether all the pkts hit the matching
rule twice, and as a result I get half of the b/w to what has been specified
in ipfw pipe.
This is normal (as mentioned in the ipfw man page) since pkt traversal is
doubled when IPFW is enabled in ether.

Anyway, I can get the desired output by multiplying/dividing the b/w value by
2. But that won't look neat :)

Here is my rule set:

#skip depending on the pkt layer
01000   322    14780 skipto 10000 ip from any to any layer2 in via xl0
01100   200    93204 skipto 20000 ip from any to any not layer2

#rule num 10000 to 20000 allocated for layer2 filtering
#for mac filter: allow only listed mac to send traffic
10000    39     1780 allow ip from any to any MAC any 00:00:0e:84:00:83 in via xl0
#default deny all mac coming in from xl0
19997   284    13046 deny ip from any to any MAC any any in via xl0

#rule above 20,000 allocated for !layer2 filtering
#general firewall rule
20100     0        0 allow ip from any to any via lo0
20150    72     6448 allow ip from me to any out
20200    75    45356 count ip from any to any in via em0
20250    56     2240 count ip from any to any out via em0

#traffic shaping
35000     0        0 pipe 200 ip from any to 202.79.45.253 out via xl0
35001     0        0 pipe 201 ip from 202.79.45.253 to any out via em0
35002     0        0 allow ip from any to 202.79.45.253
35003     0        0 allow ip from 202.79.45.253 to any
35004   324   485880 pipe 202 ip from any to 202.79.45.254 out via xl0
35005   302    12080 pipe 203 ip from 202.79.45.254 to any out via em0
35006   163   244440 allow ip from any to 202.79.45.254
35007   151     6040 allow ip from 202.79.45.254 to any

#default deny
65530    25     1138 deny log ip from any to any
65535 29604 21352015 allow ip from any to any


regards,
Bikrant

On Thursday 23 September 2004 13:01, David Atkinson wrote:
> Are you looking for something like count? The whole idea of an allow rule
> is that once it matches it is assumed that you actually do want that
> packet and there is no point continuing through the ruleset. If you want
> to have a general allow rule with a few specific exclusions, add one or
> two deny rules for the specific cases and then have your more general
> allow rule. One problem that does occur with this plan is that it becomes
> very easy to overload your server with lots of rarely matched deny rules.
> If you find the time in interrupt going too high look at constructing some
> blocks of rules and set up some skipto rules. In the case of blocking
> (firewalling off) well known sources of spam, a lot of rules can be
> generated very quickly. As these only apply to port 25 traffic, skipto
> can be used to skip these rules for all other traffic.
>
> 1000 skipto 2000 tcp from any to any 25
> 1100 skipto 4000 ip from any to any
> 2000 deny ip from spammer.com to any
> ...
>
> HTH,
> David Atkinson
>
> On Thu, 23 Sep 2004, Bikrant Neupane wrote:
> > Hi,
> >  When a packet hits an "allow | accept | pass | permit" rule, the packet is
> > accepted and the search is terminated at that point.
> >
> > I need to accept the packet but still want the packet to continue traversing
> > rules further below. However, once it hits a "deny | drop" rule it should
> > be dropped and the search should terminate at that point. Is that
> > possible with IPFW?
> >
> > regards,
> > Bikrant
> >
> >
> > _______________________________________________
> > freebsd-isp@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> > To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
>
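As an added illustration (not part of the thread, and not FreeBSD code), here is a toy model of how ipfw walks the ruleset quoted above. It assumes net.inet.ip.fw.one_pass=1 and models only the fields the quoted rules use; with net.link.ether.ipfw=1 the outbound frame to 202.79.45.254 is not caught by either skipto (rule 1000 only matches inbound xl0 frames, rule 1100 only non-layer2 packets), so it falls through to pipe 202 a second time. The hypothetical rule 1050 lets the remaining layer2 frames pass so each packet is shaped once.

```python
# Toy model of ipfw rule traversal (constructed example, not FreeBSD code).
# A rule is (number, action, argument, match-fields); a packet is a dict.
# A rule matches when every field it names equals the packet's value.
# allow, deny and pipe terminate the search (pipe does so only with the
# default sysctl net.inet.ip.fw.one_pass=1, assumed here); count and
# skipto do not.  Only src MAC is modelled for the "MAC any <src>" rule.

def matches(fields, pkt):
    return all(pkt.get(k) == v for k, v in fields.items())

def run(rules, pkt):
    """One pass through a number-sorted ruleset -> (action, rule number, arg)."""
    i = 0
    while i < len(rules):
        num, action, arg, fields = rules[i]
        if not matches(fields, pkt):
            i += 1
        elif action == "count":
            i += 1                     # count never terminates the search
        elif action == "skipto":       # jump to the first rule numbered >= arg
            i = next((j for j, r in enumerate(rules) if r[0] >= arg), len(rules))
        else:
            return action, num, arg    # allow / deny / pipe
    return "deny", 65535, None         # default-deny kernel, assumed

def pipe_hits(rules, pkt):
    """With net.link.ether.ipfw=1 an outbound packet is checked twice:
    once at layer 3 and again as an Ethernet frame (layer2 keyword)."""
    hits = 0
    for layer2 in (False, True):
        action, _num, _arg = run(rules, dict(pkt, layer2=layer2))
        if action == "deny":
            break
        hits += action == "pipe"
    return hits

# Subset of the ruleset quoted in the post (rule numbers and fields kept).
PAGE_RULES = [
    (1000,  "skipto", 10000, {"layer2": True, "dir": "in", "via": "xl0"}),
    (1100,  "skipto", 20000, {"layer2": False}),
    (10000, "allow",  None,  {"dir": "in", "via": "xl0", "srcmac": "00:00:0e:84:00:83"}),
    (19997, "deny",   None,  {"dir": "in", "via": "xl0"}),
    (35004, "pipe",   202,   {"dst": "202.79.45.254", "dir": "out", "via": "xl0"}),
    (35006, "allow",  None,  {"dst": "202.79.45.254"}),
    (65530, "deny",   None,  {}),
]
# Hypothetical fix: pass layer2 frames that rule 1000 did not divert
# (everything except inbound xl0 frames) before they reach the pipes.
FIXED_RULES = sorted(PAGE_RULES + [(1050, "allow", None, {"layer2": True})],
                     key=lambda r: r[0])

# Constructed sample packet: a download from the Internet to the shaped host.
DOWNLOAD = {"dir": "out", "via": "xl0", "src": "10.0.0.1", "dst": "202.79.45.254"}
```

Running pipe_hits(PAGE_RULES, DOWNLOAD) gives 2 (the halved bandwidth the post describes) and pipe_hits(FIXED_RULES, DOWNLOAD) gives 1, while an inbound xl0 frame from an unlisted MAC still stops at the deny in rule 19997.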