Date: Thu, 9 Nov 2000 17:14:29 -0500 (EST)
From: mdg
To: Evren Yurtesen
Cc: freebsd-isp@freebsd.org
Subject: Re: Is using dummynet and not loosing the firewall functionality possible?
In-Reply-To: <3A0B17C3.CBB48F2C@turkuamk.fi>

You need to set the following sysctl to 0:

    net.inet.ip.fw.one_pass

This will keep the search from terminating. I sent in a PR to get this added to rc.conf many moons ago ...

On Thu, 9 Nov 2000, Evren Yurtesen wrote:

::: Date: Thu, 09 Nov 2000 23:31:47 +0200
::: From: Evren Yurtesen
::: To: freebsd-isp@freebsd.org
::: Subject: Is using dummynet and not loosing the firewall functionality possible?
:::
::: I have a little problem over here.
::: I have searched the mailing list archives but couldn't find anything
::: close... I made ipfw, dummynet etc. work perfectly but need a creative
::: idea of the conf file I should use. I sent this to questions but
::: somehow nobody knows the answer.
:::
::: I want to limit bandwidth over an interface but also I want to use
::: ipfw's firewall capabilities, but the search terminates when ipfw
::: comes to a pipe command which has a match, and firewall rules are
::: not checked.
:::
::: Ok, you might say that I can make ipfw continue the search after a pipe by
::: setting a variable with sysctl, and I did that; then the problem is that
::: I want users behind this firewall box to connect to X machine without
::: the bandwidth limit, and I put 2 rules, the first to match for the X machine and
::: the second rule to match anything else; however these users are
::: caught by both of the bandwidth rules if the search doesn't terminate
::: on the first rule. I can handle this if ipfw terminates the search
::: when it finds a rule, but then I can't use ipfw's firewall
::: capabilities.
:::
::: Is this a kind of paradox? Any creative ideas?
:::
::: Evren
:::
:::
::: To Unsubscribe: send mail to majordomo@FreeBSD.org
::: with "unsubscribe freebsd-isp" in the body of the message
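One way to get both shaping and filtering with one_pass=0, written up here as an added example rather than a ruleset from either poster: order the deny rules first, then the pipe for the unshaped host immediately followed by a terminating allow for that host, so the catch-all pipe never sees its packets. The host address 192.0.2.10, the interface fxp0, the bandwidths and the telnet deny are constructed placeholders; it relies on ipfw continuing at the next rule after a pipe action when net.inet.ip.fw.one_pass is 0.

```shell
#!/bin/sh
# Added example (not from the thread): ipfw/dummynet ruleset that shapes
# everyone except one host while keeping firewall rules effective.
# Needs net.inet.ip.fw.one_pass=0, otherwise the search stops at rule 200
# and rule 210 (and everything after it) is never reached for that host.

# Command prefix: defaults to "echo" so running the script is a dry run;
# set FWCMD=/sbin/ipfw as root on FreeBSD to actually load the rules.
fwcmd="${FWCMD:-echo}"

unshaped_host="192.0.2.10"   # the "X machine" of the thread (constructed)
lan_if="fxp0"                # constructed interface name

# Print (or load) the ruleset. The ordering is the whole point:
#  1. filtering rules first, so a deny applies regardless of the pipes;
#  2. pipe 1 for X, then a terminating allow for X, so X's traffic
#     continues past rule 200 (one_pass=0) but stops at 210 and never
#     hits the catch-all pipe 2;
#  3. pipe 2 for everyone else, followed by the final allow.
build_rules() {
    $fwcmd -f flush
    $fwcmd pipe 1 config bw 10Mbit/s          # constructed rate for X
    $fwcmd pipe 2 config bw 512Kbit/s         # constructed rate for the rest
    $fwcmd add 100 deny tcp from any to any 23 via "$lan_if"
    $fwcmd add 200 pipe 1 ip from any to "$unshaped_host" via "$lan_if"
    $fwcmd add 210 allow ip from any to "$unshaped_host" via "$lan_if"
    $fwcmd add 300 pipe 2 ip from any to any via "$lan_if"
    $fwcmd add 310 allow ip from any to any via "$lan_if"
}

# Returns success only when the sysctl the reply talks about is set to 0;
# run this before loading the rules on a real box.
check_one_pass() {
    [ "$(sysctl -n net.inet.ip.fw.one_pass 2>/dev/null)" = "0" ]
}
```

Run without FWCMD to print the ruleset and inspect the order; with FWCMD=/sbin/ipfw it loads it.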