Date:      Fri, 28 Nov 2003 21:37:06 +0800
From:      Khairil Yusof <kaeru@pd.jaring.my>
To:        questions@freebsd.org
Subject:   ipfw pipes + firewall
Message-ID:  <1070026625.16777.115.camel@wolverine.home.net>



I've read the man pages, and tested it out, and just want to confirm
that what I'm doing is right and that I didn't miss anything.

Disable one_pass so that packets after matching a pipe rule will continue
on to other rules. Without this, packets matching pipes are not
applied again against firewall rules.

net.inet.ip.fw.one_pass: 0

I then put the pipe rules before any firewall rules so that anything
going in and out (in this case) go through the pipes first. They are
then matched by normal firewall rules.

00100  83 11350 pipe 1 ip from any to any out
00200  93 11266 pipe 2 ip from any to any in
00300   0     0 check-state
00400   0     0 deny tcp from any to any established
01400 103 14855 allow tcp from any to me dst-port 22 in setup keep-state
... more firewall rules which are being matched

From what I can see the pipe rules are being matched. I tested bandwidth
controls, and they work. And I also could not access ports which I did
have a dynamic rule for (as in 01400).

--


FreeBSD 5.2-BETA i386
4:56pm up 20:23, 4 users, load averages: 0.99, 0.76, 0.66

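The point the message turns on is what ipfw does with a packet after a pipe rule has matched it. The following is an added illustration, not code from the original message or from FreeBSD: a small model of ipfw rule traversal over the ruleset shown above, reduced to the options that ruleset uses (protocol, in/out, dst-port, "me", setup, established, keep-state, check-state). It assumes the ruleset ends in the default rule 65535 deny, and models the two sysctl settings as ipfw(8) describes them: with one_pass=1 a packet leaving a pipe is not passed through the firewall again, with one_pass=0 it is reinjected at the next rule. The flows and addresses are constructed.

```python
"""Toy model of ipfw rule traversal: effect of net.inet.ip.fw.one_pass when
dummynet pipe rules sit ahead of the firewall rules. Added example, not
FreeBSD code; matching covers only the options the ruleset above uses.
Assumption: the ruleset ends in the default rule 65535 deny."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Packet:
    flow: str                   # constructed flow id for dynamic-rule lookup
    proto: str                  # "tcp", "udp", "icmp"
    direction: str              # "in" or "out"
    dst_port: Optional[int] = None
    to_me: bool = False         # destination is one of the host's own addresses
    setup: bool = False         # TCP SYN without ACK ("setup")
    established: bool = False   # TCP with ACK or RST set ("established")


@dataclass
class Rule:
    num: int
    action: str                 # "pipe", "check-state", "deny", "allow"
    proto: str = "ip"
    direction: Optional[str] = None
    dst_port: Optional[int] = None
    to_me: bool = False
    setup: bool = False
    established: bool = False
    keep_state: bool = False


def matches(rule: Rule, pkt: Packet) -> bool:
    """Static match of the rule body against the packet."""
    if rule.proto not in ("ip", pkt.proto):
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.to_me and not pkt.to_me:
        return False
    if rule.setup and not pkt.setup:
        return False
    if rule.established and not pkt.established:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, one_pass: bool,
             dynamic: Set[str]) -> Tuple[str, List[int]]:
    """Walk the ruleset in order; return (verdict, rule numbers that matched).
    `dynamic` holds flows for which a keep-state rule fired; updated in place."""
    trace: List[int] = []
    for r in rules:
        if r.action == "check-state":
            if pkt.flow in dynamic:       # dynamic rule exists for this flow
                trace.append(r.num)
                return "allow", trace
            continue
        if not matches(r, pkt):
            continue
        trace.append(r.num)
        if r.action == "pipe":
            if one_pass:
                # one_pass=1: the packet leaving the pipe is not passed
                # through the firewall again, i.e. it is accepted here.
                return "allow", trace
            continue                      # one_pass=0: resume at next rule
        if r.action == "allow":
            if r.keep_state:
                dynamic.add(pkt.flow)
            return "allow", trace
        if r.action == "deny":
            return "deny", trace
    trace.append(65535)                   # assumed default rule: deny
    return "deny", trace


# The ruleset from the message, minus counters.
RULESET = [
    Rule(100, "pipe", direction="out"),
    Rule(200, "pipe", direction="in"),
    Rule(300, "check-state"),
    Rule(400, "deny", proto="tcp", established=True),
    Rule(1400, "allow", proto="tcp", direction="in", dst_port=22, to_me=True,
         setup=True, keep_state=True),
]


def ssh_syn_then_data(one_pass: bool):
    """Constructed inbound SSH session: SYN, then a data packet of the same flow."""
    dyn: Set[str] = set()
    flow = "198.51.100.7:40000->me:22"
    syn = Packet(flow, "tcp", "in", 22, to_me=True, setup=True)
    data = Packet(flow, "tcp", "in", 22, to_me=True, established=True)
    return evaluate(RULESET, syn, one_pass, dyn), evaluate(RULESET, data, one_pass, dyn)


def http_syn(one_pass: bool):
    """Constructed inbound SYN to a port no allow rule covers."""
    pkt = Packet("198.51.100.7:40001->me:80", "tcp", "in", 80, to_me=True, setup=True)
    return evaluate(RULESET, pkt, one_pass, set())
```

With one_pass=0 the SSH SYN is shaped by pipe 2 and then accepted by rule 1400, which creates the dynamic rule that check-state later honours for the data packet, while the port 80 SYN falls through to the default deny. With one_pass=1 every inbound packet is accepted at rule 200 and rules 300 onward are never consulted, which is the bypass the sysctl change avoids.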
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1070026625.16777.115.camel>