Date: Fri, 24 Sep 2004 12:05:53 +0545
From: Bikrant Neupane <bikrant_ml@wlink.com.np>
To: freebsd-isp@freebsd.org
Cc: freebsd-questions@freebsd.org
Subject: Re: Ipfw accept rule
Message-ID: <200409241205.53812.bikrant_ml@wlink.com.np>
In-Reply-To: <20040923091609.K60082-100000@tyberius.abccom.bc.ca>
References: <20040923091609.K60082-100000@tyberius.abccom.bc.ca>
On Thursday 23 September 2004 22:29, Jon Simola wrote:
> On Thu, 23 Sep 2004, Bikrant Neupane wrote:
> > Here is my rule set:
> >
> > #skip depending on the pkt layer
> > 01000 322 14780 skipto 10000 ip from any to any layer2 in via xl0
> > 01100 200 93204 skipto 20000 ip from any to any not layer2
> >
> > #rule num 10000 to 20000 allocated for layer2 filtering
> > #for mac filter: allow only listed mac to send traffic
> > 10000 39 1780 allow ip from any to any MAC any 00:00:0e:84:00:83 in via xl0
> > #default deny all mac coming in from xl0
> > 19997 284 13046 deny ip from any to any MAC any any in via xl0
>
> If this is layer2 filtering, where are the layer2 tags in the ipfw rule?
> And if this is the extent of your layer 2, then don't forget an allow/deny
> default for layer2 packets (allow ip from any to any layer2). Also, you're
> only checking your layer2 on a specific interface, perhaps you only have
> one.
>
> I've got something like:
> 00010 skipto 32000 ip from any to any not layer2
> 00050 deny ip from any to any MAC any 00:30:da:00:00:00/24 layer2 in
> 00055 count ip from any to any MAC any 00:0b:db:1d:63:56 layer2 in // sniffing for traffic
> 03100 allow ip from any to any layer2
> // bandwidth monitoring pipes
> 32003 pipe 3 ip from any to any src-ip 10.10.66.0/24 in recv em1
> 32004 pipe 4 ip from any to any dst-ip 10.10.66.0/24 out xmit em1
> 65534 allow ip from any to any
> 65535 deny ip from any to any

Well, I have no problem with the MAC filtering rules. The only problem that I am having is that the pkts hit the matching rule twice; as a result I get only half of the b/w specified in the ipfw pipe command.

35004   324   485880 pipe 202 ip from any to 202.79.45.254 out via xl0
35005   302    12080 pipe 203 ip from 202.79.45.254 to any out via em0

Isn't there a way to construct rules such that matching pkts hit the rule only once?
regards,
Bikrant

> ---
> Jon Simola <jon@abccom.bc.ca> | "In the near future - corporate networks
> Systems Administrator         | reach out to the stars, electrons and light
> ABC Communications            | flow throughout the universe." -- GITS
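Following Jon's point about a layer2 default, here is the thread's rule set rearranged so that every layer2 pass (inbound or outbound, on any interface) is decided in the layer2 block and the pipe rules are reached only on the layer-3 pass. This is an added example, not code from either poster; it reuses the interface names, MAC and IP address quoted above and assumes net.link.ether.ipfw=1.

```shell
#!/bin/sh
# Added example, not from the thread. Rule set in which layer2 and layer3
# passes are handled in separate blocks, so a packet hits a pipe rule once.
# Assumes net.link.ether.ipfw=1 and the xl0/em0 interfaces, MAC and IP from
# the thread. Run with FWCMD=echo for a dry run: FWCMD=echo ./rules.sh apply

rules() {
  # Every layer2 packet, in or out, on any interface, goes to the layer2
  # block. The original rule only caught "in via xl0", so outbound layer2
  # packets fell through to the pipe rules and were counted a second time.
  echo '1000 skipto 10000 ip from any to any layer2'
  echo '1100 skipto 20000 ip from any to any not layer2'
  # layer2 block: MAC whitelist on xl0, default deny for other MACs on xl0
  echo '10000 allow ip from any to any MAC any 00:00:0e:84:00:83 in via xl0'
  echo '19997 deny ip from any to any MAC any any in via xl0'
  # layer2 default (Jon's suggestion): everything else at layer2 is accepted
  # here and never reaches the layer3 block below
  echo '19998 allow ip from any to any layer2'
  # layer3 block: skipto target, then the dummynet pipes from the thread
  echo '20000 count ip from any to any'
  echo '35004 pipe 202 ip from any to 202.79.45.254 out via xl0'
  echo '35005 pipe 203 ip from 202.79.45.254 to any out via em0'
  echo '65534 allow ip from any to any'
}

apply_rules() {
  # FWCMD defaults to ipfw; word-splitting of $line is intended
  rules | while read -r line; do
    ${FWCMD:-ipfw} add $line
  done
}

case "${1:-}" in
  apply) apply_rules ;;
esac
```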