Date: Thu, 10 Apr 2003 17:31:43 -0700
From: "Drew Tomlinson" <drew@mykitchentable.net>
To: "Drew Tomlinson" <drew@mykitchentable.net>, "FreeBSD Questions" <freebsd-questions@freebsd.org>
Subject: Re: IPFW Rule Not As Expected -- SOLVED (keep-state dummynet traffic shaping pipe queue)
Message-ID: <00f001c2ffc1$ba1cdd20$0301a8c0@bigdaddy>
References: <000901c2ff53$16f30930$0301a8c0@bigdaddy>
----- Original Message -----
From: "Drew Tomlinson" <drew@mykitchentable.net>
To: "FreeBSD Questions" <freebsd-questions@freebsd.org>
Sent: Thursday, April 10, 2003 4:19 AM
Subject: IPFW Rule Not As Expected

> I have a rule that's not working as I expect. Here's an ASCII drawing of my
> network:
>
>
>          ISP
>           |
>           | Public DHCP address
>           |
>    3Com ADSL Modem/Router
>    (Router performs NAT)
>           | (192.168.10.1)
>           |
>           |
>           | (ed1 192.168.10.2)
>      FBSD Gateway
>           | (ed0 192.168.1.2)
>           |
>           |
>      Internal LAN
>
> I intend to allow all outgoing traffic on ed1 (192.168.10.2) and create a
> dynamic rule to allow the return traffic with the following rule:
>
> ipfw add allow ip from 192.168.10.2 to any keep-state
>
> However the dynamic rule for the return traffic isn't getting created. It
> is my suspicion that my outgoing traffic is matching a prior rule but I just
> don't see it. I've included the output of 'ipfw list' to show all of my
> rules.
>
> Can anyone point out my error?

It seems that by default, once traffic is inserted into a 'pipe', it is not
injected back into the firewall. However this is controlled by the sysctl
value 'net.inet.ip.fw.one_pass', which is '1' by default. By setting this
value to '0', the rule set is resumed from the point it was placed in the
pipe. Thus my traffic was going out via an 'add queue' rule and therefore
never creating a dynamic rule via a 'keep-state' rule further down the list.
Now my traffic hits the 'keep-state' rule and all is well.

I have come to this conclusion on my own via reading and testing. If anyone
sees an error in my conclusion, please feel free to set me straight. In
fact, I'd appreciate it! :)

Thanks,

Drew
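An added example, not part of the thread, showing the arrangement Drew arrived at as a script: the dummynet queue rule sits before the keep-state rule, and net.inet.ip.fw.one_pass is set to 0 so a packet that has been queued resumes rule processing and still reaches the keep-state rule. The interface names and 192.168.10.2 are from the post; the rule numbers, queue/pipe numbers, bandwidth and the "out via" qualifiers are assumed.

```shell
#!/bin/sh
# Added example for the one_pass behaviour described in the post; not the
# poster's own rule set. Rule numbers, pipe/queue numbers and bandwidth are
# assumed values chosen for illustration.
set -eu

EXT_IF=ed1
EXT_IP=192.168.10.2

# The sysctl the post identifies. With one_pass=1 (the default) a packet that
# matches a pipe/queue rule leaves the firewall after dummynet; with 0 it
# resumes at the next rule, so the keep-state rule below is still reached.
# Persist it on FreeBSD by adding the same line to /etc/sysctl.conf.
required_sysctl() {
    printf 'net.inet.ip.fw.one_pass=0\n'
}

# Emit the rule set as ipfw commands (ordering is the point).
ipfw_rules() {
    cat <<EOF
ipfw -f flush
ipfw pipe 1 config bw 256Kbit/s
ipfw queue 1 config pipe 1 weight 50
# Return traffic: match existing dynamic rules before anything else.
ipfw add 100 check-state
# Shape outbound traffic; with one_pass=0 the packet continues to rule 300.
ipfw add 200 queue 1 ip from $EXT_IP to any out via $EXT_IF
# Creates the dynamic rule that lets the reply back in.
ipfw add 300 allow ip from $EXT_IP to any out via $EXT_IF keep-state
ipfw add 65000 deny log ip from any to any
EOF
}

# Returns 0 when the queue rule precedes the keep-state rule, as in the post.
queue_precedes_keepstate() {
    q=$(ipfw_rules | grep -n ' queue 1 ip ' | cut -d: -f1)
    k=$(ipfw_rules | grep -n 'keep-state' | cut -d: -f1)
    [ "$q" -lt "$k" ]
}

# Apply only on a host that has ipfw and only as root; otherwise return 1.
apply_rules() {
    command -v ipfw >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ] || return 1
    sysctl "$(required_sysctl)"
    ipfw_rules | sh
}
```

Run `ipfw_rules` alone to review the generated commands before calling `apply_rules` on the gateway.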