From: Alex de Kruijff <freebsd@akruijff.dds.nl>
Date: Fri, 24 Sep 2004 03:45:20 +0200
To: Bikrant Neupane, freebsd-questions@freebsd.org
Subject: Re: Ipfw accept rule
In-reply-to: <20040923151049.GH3633@gentoo-npk.bmp.ub>
Message-id: <20040924014520.GF784@alex.lan>
References: <200409231233.00370.bikrant_ml@wlink.com.np> <20040923165730.E67579@mailgate.alburybf.org> <200409231336.57405.bikrant_ml@wlink.com.np> <20040923151049.GH3633@gentoo-npk.bmp.ub>
User-Agent: Mutt/1.4.2.1i

On Thu, Sep 23, 2004 at 09:10:49AM -0600, Nathan Kinkade wrote:
> On Thu, Sep 23, 2004 at 01:36:57PM +0545, Bikrant Neupane wrote:
> > Thanks for the reply.
> > Well I am not looking for the count rule.
> >
> > Actually I have some other situation. I am trying to implement b/w shaping
> > using ipfw. And I am trying to include MAC address based filtering in it as
> > well. As long as I don't implement ipfw in ether (net.link.ether.ipfw=0/1)
> > pkts hit the rule only once and I get the b/w as specified in the IPFW pipe
> > syntax. However when I enable ipfw in ether all the pkts hit the matching
> > rule twice, and as a result I get half of the b/w to what has been specified
> > in the ipfw pipe.
> > This is normal (as mentioned in the ipfw man page) since pkt traversal is
> > doubled when IPFW is enabled in ether.
>
> Would the following sysctl variable help your problem?
>
> From the ipfw manpage:
>
> net.inet.ip.fw.one_pass: 1
>     When set, the packet exiting from the dummynet(4) pipe is not passed
>     through the firewall again. Otherwise, after a pipe action, the packet
>     is reinjected into the firewall at the next rule.

No, this only works for pipes and queues, not for allow / deny.
The only solution I know of is to place denies before the allows.

-- 
Alex

Articles based on solutions that I use:
http://www.kruijff.org/alex/FreeBSD/
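As an added example, not taken from the thread or from any of its participants, the script below contrasts the ruleset layout Bikrant describes (a pipe rule that every packet hits once at the ether hook and once at the IP hook when net.link.ether.ipfw=1) with a ruleset in which the pipe rule is scoped to the layer-2 pass with the `layer2` and `MAC` options and the IP-layer pass is matched with `not layer2`, so each packet is queued exactly once. The interface name, client MAC and bandwidth are constructed placeholders, the rule syntax is that of ipfw(8) from the FreeBSD 4.x/5.x era of the thread, and `ipfw` is replaced by `echo` unless IPFW is set, so the script can be inspected on any host.

```shell
#!/bin/sh
# Added example (not from the thread): MAC-based shaping with
# net.link.ether.ipfw=1, written so the pipe rule matches each packet once.
# IPFW defaults to "echo" for a dry run; set IPFW=/sbin/ipfw on the FreeBSD box.
IPFW="${IPFW:-echo}"
IFACE="${IFACE:-fxp0}"                          # assumed interface name
CLIENT_MAC="${CLIENT_MAC:-00:11:22:33:44:55}"   # constructed sample MAC
BW="${BW:-512Kbit/s}"                           # assumed pipe bandwidth

# Layout that shapes twice: with layer-2 filtering on, a packet passes rule
# 100 once at the ether hook and again at the IP hook, so it is queued in
# pipe 1 twice and the client measures roughly half of BW.
double_hit_rules() {
    $IPFW pipe 1 config bw "$BW"
    $IPFW add 100 pipe 1 ip from any to any via "$IFACE"
    $IPFW add 65000 allow ip from any to any
}

# Corrected layout: the pipe rules carry "layer2", so they can only match on
# the layer-2 pass (the only pass where the MAC header is visible), and the
# IP-layer pass is accepted with "not layer2". Each packet is queued once.
single_hit_rules() {
    $IPFW pipe 1 config bw "$BW"
    # Shape frames to and from the client MAC, layer-2 pass only.
    # MAC option order is "MAC dst-mac src-mac".
    $IPFW add 100 pipe 1 ip from any to any MAC any "$CLIENT_MAC" layer2 via "$IFACE"
    $IPFW add 110 pipe 1 ip from any to any MAC "$CLIENT_MAC" any layer2 via "$IFACE"
    # Let the rest of the layer-2 pass through unshaped (also the rule a
    # packet lands on after the pipe when net.inet.ip.fw.one_pass=0).
    $IPFW add 200 allow ip from any to any layer2
    # IP-layer pass: ordinary allow/deny policy, no shaping here.
    $IPFW add 65000 allow ip from any to any not layer2
}

# Check helper: succeeds when every "pipe 1" rule emitted by the given
# ruleset function carries the layer2 keyword, i.e. is scoped to one pass.
pipe_rules_layer_scoped() {
    if "$1" | grep ' pipe 1 ip ' | grep -vq 'layer2'; then
        return 1    # at least one pipe rule matches on both passes
    fi
    return 0
}

if [ "${1:-}" = "show" ]; then
    echo "# double-hit layout:";  double_hit_rules
    echo "# single-hit layout:";  single_hit_rules
fi
```

Run `sh shape.sh show` to print both rulesets in dry-run form; on the firewall itself, `IPFW=/sbin/ipfw sh -c '. ./shape.sh; single_hit_rules'` installs the corrected layout. Note that the `one_pass` sysctl Nathan quotes only decides whether a packet leaving the pipe is reinjected at the next rule; it does not stop the same packet from reaching rule 100 on both passes, which is why scoping the pipe rule with `layer2` is what removes the halving.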