Date:      Fri, 10 Nov 2000 09:15:51 -0500 (EST)
From:      mdg <mdg@madness.mdgnet.org>
To:        Evren Yurtesen <eyurtese@turkuamk.fi>
Cc:        freebsd-isp@freebsd.org
Subject:   Re: Is using dummynet and not loosing the firewall functionality possible?
Message-ID:  <Pine.BSF.4.21.0011100911050.1582-100000@madness.mdgnet.org>
In-Reply-To: <Pine.A41.4.10.10011101016200.58564-100000@bessel.tekniikka.turkuamk.fi>

you could use an ipfw skipto rule ...

ipfw add 100 pipe (X)
ipfw add 110 skipto 130 ip from any to xserver:port
ipfw add 120 pipe (other)
ipfw add 130 blah
...


On Fri, 10 Nov 2000, Evren Yurtesen wrote:

::: Date: Fri, 10 Nov 2000 10:21:33 +0200 (WET)
::: From: Evren Yurtesen <eyurtese@turkuamk.fi>
::: To: mdg <mdg@madness.secureworks.net>
::: Cc: freebsd-isp@freebsd.org
::: Subject: Re: Is using dummynet and not loosing the firewall
:::     functionality possible?
::: 
::: Yes, but then the problem is a little bit different.
::: I want these people behind the ed1 interface to connect everywhere through a
::: pipe with 128Kbit/s, but they should be able to reach the X machine with
::: unlimited bandwidth.
::: The solution I found was that I put a rule for the X machine and then another
::: rule for the rest of the internet.
::: But if I set net.inet.ip.fw.one_pass to 0 then they are caught by both
::: of the pipes and they are always limited by the 128Kbit/s pipe (the smaller
::: one).
::: So how can I use firewall rules and pipes and at the same time let my
::: users connect to some specific machine with unlimited bandwidth?
::: 
::: Evren
::: 
::: On Thu, 9 Nov 2000, mdg wrote:
::: 
::: > you need to set the following sysctl to 0:
::: > 
::: > net.inet.ip.fw.one_pass
::: > 
::: > 
::: > this will keep the search from terminating.  i sent in a pr to get this
::: > added to rc.conf many moons ago ...
::: > 
::: > 
::: > On Thu, 9 Nov 2000, Evren Yurtesen wrote:
::: > 
::: > ::: Date: Thu, 09 Nov 2000 23:31:47 +0200
::: > ::: From: Evren Yurtesen <eyurtese@turkuamk.fi>
::: > ::: To: freebsd-isp@freebsd.org
::: > ::: Subject: Is using dummynet and not loosing the firewall functionality
::: > :::     possible?
::: > ::: 
::: > ::: I have a little problem over here.
::: > ::: I have searched the mailing list archives but couldn't find anything
::: > ::: close... I made ipfw, dummynet etc. work perfectly but need a creative
::: > ::: idea for the conf file I should use. I sent this to questions but
::: > ::: somehow nobody knows the answer.
::: > ::: 
::: > ::: I want to limit bandwidth over an interface but also I want to use
::: > ::: ipfw's firewall capabilities but the search terminates when ipfw
::: > ::: comes to a pipe command which has a match and firewall rules are
::: > ::: not checked.
::: > ::: 
::: > ::: Ok, you might say that I can make ipfw continue the search after a pipe by
::: > ::: setting a variable with sysctl, and I did that, but then the problem is that
::: > ::: I want users behind this firewall box to connect to the X machine without
::: > ::: the bandwidth limit, and I put 2 rules, the first to match the X machine and
::: > ::: the second to match anything else; however these users are
::: > ::: caught by both of the bandwidth rules if the search doesn't terminate
::: > ::: on the first rule. I could handle this if ipfw terminated the search
::: > ::: when it found a rule, but then I can't use ipfw's firewall
::: > ::: capabilities.
::: > ::: 
::: > ::: Is this a kind of paradox? any creative ideas?
::: > ::: 
::: > ::: Evren
::: > ::: 
::: > ::: 
::: > ::: To Unsubscribe: send mail to majordomo@FreeBSD.org
::: > ::: with "unsubscribe freebsd-isp" in the body of the message
::: > ::: 
::: > 
::: > -- 
::: > 
::: > 
::: > 
::: 
::: 

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.21.0011100911050.1582-100000>
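As an added worked example (not code from this thread or from the FreeBSD project), here is a complete ipfw + dummynet ruleset that implements mdg's skipto suggestion with net.inet.ip.fw.one_pass set to 0: users behind ed1 are shaped to 128Kbit/s in both directions, traffic to and from one machine jumps over the pipe rules, and every packet, shaped or not, still ends up at the filtering rules. The interface name ed1, the user range 192.168.1.0/24, the exempt machine 10.0.0.5, pipe numbers 1 and 2, and the rule numbers are all assumptions. By default the script only prints the commands so the ruleset can be reviewed anywhere; check_rules verifies the property the whole thread turns on, namely that every pipe rule sits between each skipto and its target.

```shell
#!/bin/sh
# Added example, not code from the thread: a complete ipfw + dummynet
# ruleset for the setup discussed above (users behind ed1 limited to
# 128Kbit/s except toward one machine, filtering rules still applied).
# Interface name, address ranges, pipe and rule numbers are assumptions.
# Commands are only printed by default; on the FreeBSD box run it as
#   IPFW=/sbin/ipfw SYSCTL=/sbin/sysctl sh ./shape.sh

IPFW="${IPFW:-echo ipfw}"        # dry run unless overridden
SYSCTL="${SYSCTL:-echo sysctl}"

LAN_IF="ed1"                     # assumed: interface the users sit behind
LAN_NET="192.168.1.0/24"         # assumed: their address range
XSERVER="10.0.0.5"               # assumed: the machine exempt from the limit
FILTER=1000                      # assumed: first number of the filtering rules

gen_rules() {
    # Keep searching after a pipe rule matches.  With the default (1) the
    # first matching pipe ends the search and the rules after it, including
    # the filtering ones, are never consulted.
    $SYSCTL -w net.inet.ip.fw.one_pass=0

    $IPFW -f flush
    $IPFW -f pipe flush

    # One pipe per direction, both limited to 128Kbit/s.
    $IPFW pipe 1 config bw 128Kbit/s
    $IPFW pipe 2 config bw 128Kbit/s

    # Traffic to or from the exempt machine jumps over the pipe rules
    # straight to the filtering rules, so it is never shaped but is still
    # filtered (skipto, not allow).
    $IPFW add 100 skipto $FILTER ip from $LAN_NET to $XSERVER
    $IPFW add 110 skipto $FILTER ip from $XSERVER to $LAN_NET

    # Everything else entering or leaving via ed1 goes through a pipe.
    # Because one_pass is 0 the search continues at the next rule, so a
    # shaped packet still reaches the filtering rules below.
    $IPFW add 200 pipe 1 ip from $LAN_NET to any in via $LAN_IF
    $IPFW add 210 pipe 2 ip from any to $LAN_NET out via $LAN_IF

    # Filtering rules.  Minimal illustrative policy: the LAN may open TCP
    # connections and query DNS, replies come back, everything else is
    # dropped and logged by the last rule.
    $IPFW add $FILTER allow ip from any to any via lo0
    $IPFW add $((FILTER + 10)) allow tcp from $LAN_NET to any
    $IPFW add $((FILTER + 20)) allow tcp from any to $LAN_NET established
    $IPFW add $((FILTER + 30)) allow udp from $LAN_NET to any 53
    $IPFW add $((FILTER + 40)) allow udp from any 53 to $LAN_NET
    $IPFW add $((FILTER + 50)) allow icmp from any to any icmptypes 0,3,8,11
    $IPFW add 65000 deny log ip from any to any
}

check_rules() {
    # Sanity check on the generated ruleset (always in dry-run mode):
    # ipfw skipto can only jump forward, and every pipe rule must lie
    # between each skipto and its target, otherwise the exempt traffic
    # would still be shaped.  Returns 0 when the layout is right.
    ( IPFW="echo ipfw"; SYSCTL="echo sysctl"; gen_rules ) | awk '
        $1 == "ipfw" && $2 == "add" && $4 == "skipto" { target[$3] = $5 }
        $1 == "ipfw" && $2 == "add" && $4 == "pipe"   { pipes[$3] = 1 }
        END {
            bad = 0
            for (r in target) {
                if (target[r] + 0 <= r + 0) bad++
                for (p in pipes)
                    if (p + 0 <= r + 0 || p + 0 >= target[r] + 0) bad++
            }
            exit (bad > 0)
        }'
}

# Print the ruleset and verify its layout when run directly.
gen_rules
check_rules && echo "ruleset layout ok"
```

Two caveats worth keeping in mind with this layout. With one_pass=0 a pipe rule no longer accepts the packet, so anything that matches no later allow rule is dropped by the default deny; the filtering block must therefore be complete on its own. And the exempt traffic is diverted with skipto rather than allow precisely so that it is only spared the pipes, not the firewall.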