Date: Fri, 24 Sep 2004 13:41:59 +0400
From: dima <_pppp@mail.ru>
To: Bikrant Neupane <bikrant_ml@wlink.com.np>
Cc: freebsd-questions@freebsd.org
Subject: Re: Ipfw accept rule
Message-ID: <1096018919.654.3.camel@pppp>
In-Reply-To: <200409241205.53812.bikrant_ml@wlink.com.np>
References: <20040923091609.K60082-100000@tyberius.abccom.bc.ca> <200409241205.53812.bikrant_ml@wlink.com.np>
On Fri, 24.09.2004, at 10:20, Bikrant Neupane wrote:
> On Thursday 23 September 2004 22:29, Jon Simola wrote:
> > On Thu, 23 Sep 2004, Bikrant Neupane wrote:
> > > Here is my rule set:
> > >
> > > #skip depending on the pkt layer
> > > 01000 322 14780 skipto 10000 ip from any to any layer2 in via xl0
> > > 01100 200 93204 skipto 20000 ip from any to any not layer2
> > >
> > > #rule num 10000 to 20000 allocated for layer2 filtering
> > > #for mac filter: allow only listed mac to send traffic
> > > 10000 39 1780 allow ip from any to any MAC any 00:00:0e:84:00:83 in via xl0
> > > #default deny all mac coming in from xl0
> > > 19997 284 13046 deny ip from any to any MAC any any in via xl0
> >
> > If this is layer2 filtering, where are the layer2 tags in the ipfw rule?
> > And if this is the extent of your layer 2, then don't forget an allow/deny
> > default for layer2 packets (allow ip from any to any layer2). Also, you're
> > only checking your layer2 on a specific interface, perhaps you only have
> > one.
> >
> > I've got something like:
> > 00010 skipto 32000 ip from any to any not layer2
> > 00050 deny ip from any to any MAC any 00:30:da:00:00:00/24 layer2 in
> > 00055 count ip from any to any MAC any 00:0b:db:1d:63:56 layer2 in // sniffing for traffic
> > 03100 allow ip from any to any layer2
> > // bandwidth monitoring pipes
> > 32003 pipe 3 ip from any to any src-ip 10.10.66.0/24 in recv em1
> > 32004 pipe 4 ip from any to any dst-ip 10.10.66.0/24 out xmit em1
> > 65534 allow ip from any to any
> > 65535 deny ip from any to any
>
> Well, I have no problem with the MAC filtering rules.
> The only problem that I am having is that the pkts hit the matching rule twice; as
> a result I get only half of the b/w specified in the ipfw pipe command.
>
> 35004 324 485880 pipe 202 ip from any to 202.79.45.254 out via xl0
> 35005 302 12080 pipe 203 ip from 202.79.45.254 to any out via em0
>
> Isn't there a way to construct rules such that matching pkts hit the rule only
> once?

$ man ipfw
[skip]
     pipe pipe_nr
             Pass packet to a dummynet(4) ``pipe'' (for bandwidth limitation,
             delay, etc.).  See the TRAFFIC SHAPER (DUMMYNET) CONFIGURATION
             Section for further information.  The search terminates; however,
             on exit from the pipe and if the sysctl(8) variable
             net.inet.ip.fw.one_pass is not set, the packet is passed again to
             the firewall code starting from the next rule.
[skip]
$
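An added example, not part of the thread: a small Python model of ipfw's rule search, constructed to show the one_pass behaviour the man page excerpt describes. Rule 35004 is the pipe rule Bikrant posted; rule 35010, the other rules and the packets are hypothetical, and trace() returns (verdict, pipes traversed, rule numbers matched) for one packet leaving via xl0.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    dst: str
    iface: str
    direction: str                               # "in" or "out"
    pipes: list = field(default_factory=list)    # dummynet pipes traversed
    matched: list = field(default_factory=list)  # rule numbers that matched

@dataclass
class Rule:
    num: int
    action: str            # "allow", "deny" or "pipe"
    pipe: int = 0          # pipe number, used by a "pipe" rule
    dst: str = "any"
    iface: str = "any"
    direction: str = "any"

    def matches(self, p):
        return all(want in ("any", got) for want, got in
                   ((self.dst, p.dst), (self.iface, p.iface), (self.direction, p.direction)))

def run_firewall(rules, p, one_pass):
    """Walk the rules in number order as ipfw's search does; return the verdict."""
    for r in sorted(rules, key=lambda r: r.num):
        if not r.matches(p):
            continue
        p.matched.append(r.num)
        if r.action in ("allow", "deny"):
            return r.action                      # search terminates
        p.pipes.append(r.pipe)                   # "pipe": handed to dummynet for shaping
        if one_pass:
            return "allow"                       # one_pass=1: accepted on leaving the pipe
        # one_pass=0: re-injected at the next rule, so the loop just carries on
    return "deny"                                # implicit default rule

# Constructed rule set: 35004 is the pipe rule quoted in the thread; 35010 is a
# hypothetical interface-wide pipe placed after it, as a catch-all shaper might be.
RULES = [
    Rule(35004, "pipe", 202, dst="202.79.45.254", iface="xl0", direction="out"),
    Rule(35010, "pipe", 204, iface="xl0", direction="out"),
    Rule(65534, "allow"),
    Rule(65535, "deny"),
]

def trace(one_pass, dst="202.79.45.254"):
    p = Packet(dst=dst, iface="xl0", direction="out")
    return run_firewall(RULES, p, one_pass), p.pipes, p.matched
```

With one_pass=0 the packet to 202.79.45.254 is shaped by pipe 202 and then again by pipe 204 before rule 65534 accepts it; with one_pass=1 it leaves pipe 202 and is accepted without ever reaching the later rules.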