From: Khairil Yusof <kaeru@pd.jaring.my>
To: questions@freebsd.org
Date: Fri, 28 Nov 2003 21:37:06 +0800
Subject: ipfw pipes + firewall
Message-Id: <1070026625.16777.115.camel@wolverine.home.net>

I've read the man pages, and tested it out, and just want to confirm that what I'm doing is right and that I didn't miss anything.

Disable one_pass so that packets, after matching a pipe rule, will continue on to other rules. Without this, packets matching pipes are not applied again against firewall rules.

    net.inet.ip.fw.one_pass: 0

I then put the pipe rules before any firewall rules so that anything going in and out (in this case) goes through the pipes first. They are then matched by normal firewall rules.
    00100    83   11350 pipe 1 ip from any to any out
    00200    93   11266 pipe 2 ip from any to any in
    00300     0       0 check-state
    00400     0       0 deny tcp from any to any established
    01400   103   14855 allow tcp from any to me dst-port 22 in setup keep-state
    ... more firewall rules which are being matched

From what I can see the pipe rules are being matched. I tested bandwidth controls, and they work. And I also could not access ports which I did have a dynamic rule for (as in 01400).

-- 
FreeBSD 5.2-BETA i386
4:56pm up 20:23, 4 users, load averages: 0.99, 0.76, 0.66
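An added example, not part of the message or of FreeBSD itself: a small Python model of ipfw's first-match search, run over the ruleset in the post with one_pass set to 0 and to 1, to show why the sysctl matters once the pipe rules sit at the top. It assumes a default-deny final rule and does not model dynamic state (check-state/keep-state).

```python
# Toy model of ipfw first-match evaluation under net.inet.ip.fw.one_pass.
# Added example; check-state/keep-state are ignored and rule 65535 is assumed deny.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    num: int
    action: str                      # "pipe", "allow", "deny" or "check-state"
    proto: str = "ip"                # "ip" matches any protocol
    direction: Optional[str] = None  # "in", "out" or None for either
    dst_port: Optional[int] = None
    setup: bool = False              # only TCP packets with just SYN set
    established: bool = False        # only TCP packets with ACK or RST set

@dataclass
class Packet:
    proto: str
    direction: str
    dst_port: int
    syn_only: bool = True            # True models a connection-setup packet

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("ip", pkt.proto)
            and rule.direction in (None, pkt.direction)
            and rule.dst_port in (None, pkt.dst_port)
            and not (rule.setup and not pkt.syn_only)
            and not (rule.established and pkt.syn_only))

def evaluate(rules, pkt: Packet, one_pass: int) -> str:
    """Walk rules in number order and return the final verdict for pkt."""
    for rule in sorted(rules, key=lambda r: r.num):
        if rule.action == "check-state" or not matches(rule, pkt):
            continue
        if rule.action == "pipe":
            if one_pass:
                # one_pass=1: the pipe ends the search; the packet is accepted on
                # leaving dummynet without ever seeing the filter rules below.
                return "accept-after-pipe"
            continue  # one_pass=0: packet is reinjected and the search continues
        return rule.action
    return "deny"  # default rule 65535 (assumed deny)

# The ruleset as listed in the post (counters omitted).
POST_RULES = [
    Rule(100, "pipe", direction="out"),
    Rule(200, "pipe", direction="in"),
    Rule(300, "check-state"),
    Rule(400, "deny", proto="tcp", established=True),
    Rule(1400, "allow", proto="tcp", direction="in", dst_port=22, setup=True),
]
```

With one_pass=0 an inbound SYN to port 22 reaches rule 01400 and is allowed while a SYN to any other port falls through to the default deny; with one_pass=1 every packet is accepted as soon as it leaves the pipe, so the filter rules below are never consulted.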