Date: Fri, 10 Nov 2000 09:15:51 -0500 (EST)
From: mdg
To: Evren Yurtesen
Cc: freebsd-isp@freebsd.org
Subject: Re: Is using dummynet and not losing the firewall functionality possible?

you could use an ipfw skipto rule ...

    ipfw add 100 pipe (X)
    ipfw add 110 skipto 130 ip from any to xserver:port
    ipfw add 120 pipe (other)
    ipfw add 130 blah
    ...

On Fri, 10 Nov 2000, Evren Yurtesen wrote:

::: Date: Fri, 10 Nov 2000 10:21:33 +0200 (WET)
::: From: Evren Yurtesen
::: To: mdg
::: Cc: freebsd-isp@freebsd.org
::: Subject: Re: Is using dummynet and not losing the firewall functionality possible?
:::
::: Yes, but then the problem is a little bit different.
::: I want these people behind the ed1 interface to connect everywhere through a
::: pipe with 128Kbit/s, but they should be able to reach the X machine with
::: unlimited bandwidth.
::: The solution I found was that I put a rule for the X machine and then another
::: rule for the rest of the internet.
::: But if I set net.inet.ip.fw.one_pass to 0 then they are caught by both
::: of the pipes and they are always limited by the 128Kbit/s pipe (the smaller
::: one).
::: So how can I use firewall rules and pipes and at the same time let my
::: users connect to some specific machine with unlimited bandwidth?
:::
::: Evren
:::
::: On Thu, 9 Nov 2000, mdg wrote:
:::
::: > you need to set the following sysctl to 0:
::: >
::: > net.inet.ip.fw.one_pass
::: >
::: > this will keep the search from terminating. i sent in a pr to get this
::: > added to rc.conf many moons ago ...
::: >
::: > On Thu, 9 Nov 2000, Evren Yurtesen wrote:
::: >
::: > ::: Date: Thu, 09 Nov 2000 23:31:47 +0200
::: > ::: From: Evren Yurtesen
::: > ::: To: freebsd-isp@freebsd.org
::: > ::: Subject: Is using dummynet and not losing the firewall functionality possible?
::: > :::
::: > ::: I have a little problem over here.
::: > ::: I have searched the mailing list archives but couldn't find anything
::: > ::: close... I made ipfw, dummynet etc. work perfectly but need a creative
::: > ::: idea of the conf file I should use. I sent this to questions but
::: > ::: somehow nobody knows the answer.
::: > :::
::: > ::: I want to limit bandwidth over an interface but also I want to use
::: > ::: ipfw's firewall capabilities, but the search terminates when ipfw
::: > ::: comes to a pipe command which has a match and firewall rules are
::: > ::: not checked.
::: > :::
::: > ::: Ok, you might say that I can make ipfw continue the search after the pipe by
::: > ::: setting a variable with sysctl, and I did that, but then the problem is that
::: > ::: I want users behind this firewall box to connect to the X machine without the
::: > ::: bandwidth limit, and I put 2 rules, the first to match for the X machine and
::: > ::: the second rule to match anything else; however, these users are
::: > ::: caught by both of the bandwidth rules if the search doesn't terminate
::: > ::: on the first rule. I can handle this if ipfw terminates the search
::: > ::: when it finds a rule, but then I can't use ipfw's firewall
::: > ::: capabilities.
::: > :::
::: > ::: Is this a kind of paradox? Any creative ideas?
::: > :::
::: > ::: Evren

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
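The exchange above is about rule-search order: with net.inet.ip.fw.one_pass=1 a matching pipe ends the search (so later firewall rules are skipped), and with one_pass=0 the packet is reinjected after the pipe rule and keeps matching, so it falls into every pipe whose rule it matches. The following is an added example, not code from the thread or from FreeBSD: a small Python model of that walk, with Evren's two-pipe ruleset beside mdg's skipto variant. The addresses, ports, rule numbers, pipe names and the telnet-blocking firewall rule are constructed for illustration, and the model ignores everything real ipfw does beyond first-match-in-order, pipe, skipto, allow and deny.

```python
# Added example (not from the mailing-list thread): a simplified model of how
# ipfw walks a ruleset containing dummynet pipes, under one_pass=1 and one_pass=0,
# and why a 'skipto' past the slow pipe lets one host bypass the bandwidth cap
# while the firewall rules after it are still consulted.
import ipaddress

INNER = ipaddress.ip_network("192.168.1.0/24")  # assumed: the hosts behind ed1
XSERVER = ipaddress.ip_address("10.0.0.5")      # assumed: the unlimited-bandwidth host
XPORT = 80                                      # assumed: the service port on X


def mkpkt(src, dst, dport):
    """Constructed packet: only the fields the rules below look at."""
    return {"src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dport": dport}


def from_inner(p):
    return p["src"] in INNER


def to_x(p):
    return p["dst"] == XSERVER and p["dport"] == XPORT


def bad_port(p):
    return p["dport"] == 23  # example firewall policy (assumed): block telnet


def any_pkt(p):
    return True


# A rule is (number, action, argument, match-predicate), kept in number order.
# Evren's layout: pipe for X first, pipe for everything else second, firewall after.
ORIGINAL = [
    (100, "pipe", "fast", lambda p: from_inner(p) and to_x(p)),
    (120, "pipe", "slow", from_inner),
    (130, "deny", None, bad_port),
    (140, "allow", None, any_pkt),
]

# mdg's layout: a skipto right after the fast pipe jumps X-bound traffic over
# the slow pipe and lands it directly on the firewall rules.
WITH_SKIPTO = [
    (100, "pipe", "fast", lambda p: from_inner(p) and to_x(p)),
    (110, "skipto", 130, to_x),
    (120, "pipe", "slow", from_inner),
    (130, "deny", None, bad_port),
    (140, "allow", None, any_pkt),
]


def walk(rules, pkt, one_pass):
    """Return (list of pipes the packet passed through, final verdict).

    'allow-by-pipe' means the search stopped at the pipe because one_pass=1,
    so no firewall rule after it was ever evaluated.  With one_pass=0 the
    packet continues at the rule after the pipe, which is how it can end up
    in two pipes.  The default rule is modelled as deny (assumed).
    """
    pipes = []
    i = 0
    while i < len(rules):
        num, action, arg, match = rules[i]
        if not match(pkt):
            i += 1
            continue
        if action == "pipe":
            pipes.append(arg)
            if one_pass:
                return pipes, "allow-by-pipe"
            i += 1  # one_pass=0: reinjected after the pipe rule, search resumes
        elif action == "skipto":
            # jump to the first rule whose number is >= the skipto target
            i = next((j for j, r in enumerate(rules) if r[0] >= arg), len(rules))
        else:
            return pipes, action  # allow / deny are terminal
    return pipes, "deny"


if __name__ == "__main__":
    x = mkpkt("192.168.1.10", "10.0.0.5", 80)
    web = mkpkt("192.168.1.10", "203.0.113.7", 80)
    telnet = mkpkt("192.168.1.10", "203.0.113.7", 23)
    for name, rules in (("original", ORIGINAL), ("with skipto", WITH_SKIPTO)):
        for one_pass in (1, 0):
            for label, p in (("to X", x), ("web", web), ("telnet", telnet)):
                print(f"{name:12} one_pass={one_pass} {label:7} -> {walk(rules, p, one_pass)}")
```

Running it shows the three outcomes the thread describes: with the original layout and one_pass=1, the telnet packet is allowed straight out of the slow pipe and rule 130 never runs; with one_pass=0, the X-bound packet goes through both the fast and the slow pipe; with the skipto layout and one_pass=0, X-bound traffic sees only the fast pipe, everything else only the slow pipe, and the deny at 130 still applies to both.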