From owner-freebsd-isp Thu Nov 9 13:57:43 2000
Delivered-To: freebsd-isp@freebsd.org
Received: from mail.psknet.com (orion.psknet.com [207.198.61.253]) by hub.freebsd.org (Postfix) with SMTP id 7014237B479 for ; Thu, 9 Nov 2000 13:57:40 -0800 (PST)
Received: (qmail 30933 invoked from network); 9 Nov 2000 21:57:34 -0000
Received: from arcadia.psknet.com (HELO arcadia) (207.198.61.250) by orion.psknet.com with SMTP; 9 Nov 2000 21:57:34 -0000
From: "Troy Settle"
To: "Evren Yurtesen" ,
Subject: RE: Is using dummynet and not losing the firewall functionality possible?
Date: Thu, 9 Nov 2000 16:57:34 -0500
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
In-Reply-To: <3A0B17C3.CBB48F2C@turkuamk.fi>
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Importance: Normal
X-AntiVirus: scanned for viruses by Pulaski Networks (http://www.psknet.com) using AMaViS (http://www.amavis.org)
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Here's what I have set up and working perfectly:

  00100 divert 8668 ip from any to any via ed0
  00100 allow ip from any to any via lo0
  00100 pipe 1000 ip from any to any via ed1
  00200 deny ip from any to 127.0.0.0/8
  65000 allow ip from any to any

HTH,

--
Troy Settle
Pulaski Networks
540.994.4254

It's always a long day, 86400 doesn't fit into a short

> -----Original Message-----
> From: owner-freebsd-isp@FreeBSD.ORG
> [mailto:owner-freebsd-isp@FreeBSD.ORG]On Behalf Of Evren Yurtesen
> Sent: Thursday, November 09, 2000 4:32 PM
> To: freebsd-isp@freebsd.org
> Subject: Is using dummynet and not losing the firewall functionality
> possible?
>
>
> I have a little problem over here.
> I have searched the mailing list archives but couldn't find anything
> close... I made ipfw, dummynet etc. work perfectly but need a creative
> idea of the conf file I should use. I sent this to questions but
> somehow nobody knows the answer.
>
> I want to limit bandwidth over an interface but also I want to use
> ipfw's firewall capabilities, but the search terminates when ipfw
> comes to a pipe command which has a match and firewall rules are
> not checked.
>
> Ok, you might say that I can make ipfw continue the search after a pipe by
> setting a variable with sysctl, and I did that; then the problem is that
> I want users behind this firewall box to connect to X machine without
> the bandwidth limit, and I put 2 rules, the first to match for the X machine and
> the second rule to match anything else, but however these users are
> caught by both of the bandwidth rules if the search doesn't terminate
> on the first rule. I can handle this if ipfw terminates the search
> when it finds a rule, though, but then I can't use ipfw's firewall
> capabilities.
>
> Is this a kind of paradox? Any creative ideas?
>
> Evren
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-isp" in the body of the message
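The following is a small Python model of the rule search the two posts argue about, added here as an illustration; it is not code from either poster and not ipfw itself. It models only allow/deny/pipe actions and source/destination address matching (no interfaces, divert, or state), the host addresses are constructed sample values, and the "X machine" is assumed to be 10.0.0.5. With net.inet.ip.fw.one_pass=1 a packet leaving a pipe is accepted and the search stops; with one_pass=0 it is reinjected at the rule after the pipe, which is why two stacked pipe rules both catch the same packet. Putting the deny rules first and an explicit allow for X ahead of the catch-all pipe gives the same result under either setting.

```python
"""Toy model of ipfw first-match rule traversal with dummynet pipes and
the net.inet.ip.fw.one_pass sysctl.  Added illustration, not from the
mailing-list posts and not ipfw code: it models only allow/deny/pipe
actions and src/dst address matching (no interfaces, divert or state).
All addresses below are constructed sample values."""

from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress


@dataclass
class Rule:
    number: int
    action: str                 # "allow", "deny" or "pipe"
    src: str                    # "any" or an address / CIDR prefix
    dst: str
    pipe: Optional[int] = None  # pipe number when action == "pipe"


def _matches(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def evaluate(rules: List[Rule], src: str, dst: str,
             one_pass: bool = True) -> Tuple[str, List[int]]:
    """Walk the rules in number order for one packet.

    Returns (verdict, pipes): the final verdict and the pipe numbers the
    packet was queued through.  With one_pass=1 (the default) a packet
    leaving a pipe is accepted and the search stops; with one_pass=0 it
    is reinjected into the firewall at the rule after the pipe rule.
    """
    pipes: List[int] = []
    for rule in sorted(rules, key=lambda r: r.number):
        if not (_matches(rule.src, src) and _matches(rule.dst, dst)):
            continue
        if rule.action == "pipe":
            pipes.append(rule.pipe)
            if one_pass:
                return "allow", pipes
            continue                   # one_pass=0: keep searching after the pipe
        return rule.action, pipes
    return "deny", pipes               # default rule 65535 denies


# Constructed topology (assumption): LAN users reach host X unlimited,
# everything else is shaped, and one LAN host must be blocked entirely.
X = "10.0.0.5"
BLOCKED = "192.168.1.66/32"

# The layout from the question: pipe rules first, firewall rules after.
# one_pass=1: the deny is never reached for shaped traffic.
# one_pass=0: a packet to X matches pipe 1, is reinjected, and matches pipe 2 too.
PROBLEM_RULES = [
    Rule(100, "pipe", "any", X, pipe=1),
    Rule(200, "pipe", "any", "any", pipe=2),
    Rule(300, "deny", BLOCKED, "any"),
    Rule(65000, "allow", "any", "any"),
]

# Ordering that behaves the same under either one_pass setting: firewall
# decisions first, then an explicit allow for X ends the search before
# the catch-all pipe.
FIXED_RULES = [
    Rule(100, "deny", BLOCKED, "any"),
    Rule(200, "allow", "any", X),
    Rule(300, "pipe", "any", "any", pipe=2),
    Rule(65000, "allow", "any", "any"),
]


if __name__ == "__main__":
    for name, rules in (("problem", PROBLEM_RULES), ("fixed", FIXED_RULES)):
        for one_pass in (True, False):
            print(name, "one_pass=%d" % one_pass,
                  "to X:", evaluate(rules, "192.168.1.10", X, one_pass),
                  "elsewhere:", evaluate(rules, "192.168.1.10", "203.0.113.7", one_pass),
                  "blocked host:", evaluate(rules, "192.168.1.66", "203.0.113.7", one_pass))
```

Run it and compare the "problem" rows against the "fixed" rows: under the problem ordering the blocked host is passed when one_pass=1 and the unlimited host is shaped twice when one_pass=0, while the fixed ordering denies the blocked host, leaves X unshaped, and shapes everything else regardless of the sysctl. On a real box the setting is read with `sysctl net.inet.ip.fw.one_pass`.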