Date: Thu, 22 Apr 2004 16:25:53 -0300
From: "Marcelo Pinheiro" <marcelo@wavenet.com.br>
To: <freebsd-questions@freebsd.org>
Subject: Dummynet+Firewall+One_pass question
Message-ID: <FFEAIMBODLFHMMJPBLEPCEFFCOAA.marcelo@wavenet.com.br>
In-Reply-To: <20040422190101.B04F216A4CE@hub.freebsd.org>
Hi,

I am very new to FreeBSD, and I have a quite simple question: How does IPFW work when I use PIPES, divert and some other firewall rules? What does net.inet.ip.fw.one_pass mean?

For instance, if I use a pipe before a divert with one_pass set to 1, the packet passes through the pipe, but does not pass through the divert, and that makes total sense. However, if I set one_pass to 1 and set the pipe after the divert using the internal IP address (RFC 1918), it works.... that does not make any sense, at least to me. :)

Here are some sample rules:

# INTERNAL NETWORK
${fwcmd} pipe 1000 config bw 1024Kbit/s
${fwcmd} pipe 1001 config bw 1024Kbit/s
${fwcmd} add divert natd all from 10.0.0.0/8 to any
${fwcmd} add divert natd all from any to 200.x.x.x
${fwcmd} add pipe 1038 ip from 10.0.0.0/8 to any
${fwcmd} add pipe 1039 ip from any to 10.0.0.0/8

If I set it the way above, it works fine, even if one_pass is set to 1 (one). The divert changes the packet header to my external IP, and my real question is: how in the world does the pipe work if the header is changed to 200, instead of 10?

THIS WAY IT DOES NOT WORK WITH ONE_PASS SET TO 1; it passes through the pipe, but does not pass through the divert:

# INTERNAL NETWORK
${fwcmd} pipe 1000 config bw 1024Kbit/s
${fwcmd} pipe 1001 config bw 1024Kbit/s
${fwcmd} add pipe 1038 ip from 10.0.0.0/8 to any
${fwcmd} add pipe 1039 ip from any to 10.0.0.0/8
${fwcmd} add divert natd all from 10.0.0.0/8 to any
${fwcmd} add divert natd all from any to 200.x.x.x

I deeply appreciate any ideas.

Sincerely,
Marcelo Pinheiro

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.664 / Virus Database: 427 - Release Date: 21/4/2004
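Added illustration (not part of the post or of FreeBSD): a toy walk through the two rule orderings above, following what ipfw(8) documents for rule traversal: a packet natd reinjects after a divert resumes at the next rule, while a packet leaving a dummynet pipe is accepted when one_pass=1 and resumes at the next rule when one_pass=0. It models a single pass through the rule set (the separate in/out passes per interface are ignored), and the 200.0.0.1 and 10.0.0.5 addresses are constructed stand-ins for the post's 200.x.x.x and a LAN host.

```python
import ipaddress

# Constructed stand-ins for the post's 200.x.x.x external address and one LAN host.
EXTERNAL_IP = "200.0.0.1"
INTERNAL_HOST = "10.0.0.5"
ANY = "0.0.0.0/0"

# Rule = (action, name, source prefix, destination prefix), taken from the post.
DIVERT_FIRST = [
    ("divert", "natd", "10.0.0.0/8", ANY),
    ("divert", "natd", ANY, EXTERNAL_IP + "/32"),
    ("pipe", "1038", "10.0.0.0/8", ANY),
    ("pipe", "1039", ANY, "10.0.0.0/8"),
]
PIPE_FIRST = DIVERT_FIRST[2:] + DIVERT_FIRST[:2]   # the "does not work" ordering


def matches(rule, pkt):
    _, _, src, dst = rule
    return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(src)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(dst))


def natd(pkt):
    """Toy natd: alias a private source on the way out and map the external
    destination back to the LAN host on the way in (no port or state tracking)."""
    pkt = dict(pkt)
    if ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network("10.0.0.0/8"):
        pkt["src"] = EXTERNAL_IP
    elif pkt["dst"] == EXTERNAL_IP:
        pkt["dst"] = INTERNAL_HOST
    return pkt


def run(rules, pkt, one_pass):
    """Return (trace of actions taken, packet as the last rule saw it)."""
    trace = []
    for rule in rules:
        if not matches(rule, pkt):
            continue
        action, name = rule[0], rule[1]
        trace.append(f"{action} {name}")
        if action == "divert":
            pkt = natd(pkt)            # natd reinjects; continue at the next rule
        elif action == "pipe" and one_pass:
            return trace + ["accept"], pkt   # one_pass=1: no second pass
    return trace + ["end of rules"], pkt     # default policy not modelled


if __name__ == "__main__":
    out = {"src": INTERNAL_HOST, "dst": "198.51.100.7"}   # constructed outbound packet
    for label, rules in (("pipe first", PIPE_FIRST), ("divert first", DIVERT_FIRST)):
        for one_pass in (1, 0):
            print(label, f"one_pass={one_pass}", run(rules, out, one_pass)[0])
```

With the pipes first and one_pass=1 the trace ends at "pipe 1038 / accept" and the divert rules are never reached; a reply packet addressed to the external IP is de-aliased by the divert and then matched by pipe 1039 on its 10.0.0.0/8 destination.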