From: "Drew Tomlinson" <drew@mykitchentable.net>
To: "Drew Tomlinson", "FreeBSD Questions" <freebsd-questions@freebsd.org>
Date: Thu, 10 Apr 2003 17:31:43 -0700
Message-ID: <00f001c2ffc1$ba1cdd20$0301a8c0@bigdaddy>
References: <000901c2ff53$16f30930$0301a8c0@bigdaddy>
Subject: Re: IPFW Rule Not As Expected -- SOLVED (keep-state dummynet traffic shaping pipe queue)

----- Original Message -----
From: "Drew Tomlinson"
To: "FreeBSD Questions"
Sent: Thursday, April 10, 2003 4:19 AM
Subject: IPFW Rule Not As Expected

> I have a rule that's not working as I expect. Here's an ASCII drawing of my
> network:
>
>
>                  ISP
>                   |
>                   | Public DHCP address
>                   |
>         3Com ADSL Modem/Router
>         (Router performs NAT)
>                   | (192.168.10.1)
>                   |
>                   |
>                   | (ed1 192.168.10.2)
>              FBSD Gateway
>                   | (ed0 192.168.1.2)
>                   |
>                   |
>              Internal LAN
>
> I intend to allow all outgoing traffic on ed1 (192.168.10.2) and create a
> dynamic rule to allow the return traffic with the following rule:
>
> ipfw add allow ip from 192.168.10.2 to any keep-state
>
> However the dynamic rule for the return traffic isn't getting created. It
> is my suspicion that my outgoing traffic is matching a prior rule but I just
> don't see it. I've included the output of 'ipfw list' to show all of my
> rules.
>
> Can anyone point out my error?

It seems that by default, once traffic is inserted into a 'pipe', it is not injected back into the firewall. However this is controlled by the sysctl value 'net.inet.ip.fw.one_pass' which is '1' by default. By setting this value to '0', the rule set is resumed from the point it was placed in the pipe. Thus my traffic was going out via an 'add queue' rule and therefore never creating a dynamic rule via a 'keep-state' rule further down the list. Now my traffic hits the 'keep-state' rule and all is well.

I have come to this conclusion on my own via reading and testing. If anyone sees an error in my conclusion, please feel free to set me straight. In fact, I'd appreciate it! :)

Thanks,

Drew
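The behaviour Drew describes (a packet that matches a pipe or queue rule leaves the firewall when net.inet.ip.fw.one_pass is 1, and resumes at the next rule when it is 0, so a keep-state rule further down never fires in the first case) can be shown with a small rule-traversal model. The following is an added example, a toy simulation of the documented ipfw/dummynet semantics and not FreeBSD's code or anything from the list post; the rule numbers, the `queue` rule placed before the `keep-state` rule, and the use of the router address 192.168.10.1 as the far end of the flow are constructed for the example, and `check-state` is simplified to always allow on a state hit.

```python
"""Toy model of ipfw rule traversal under net.inet.ip.fw.one_pass.

Constructed example: this is NOT FreeBSD's ipfw implementation. It only
models the documented effect of one_pass on pipe/queue rules so the
ordering problem from the mailing-list post can be reproduced offline.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass
class Rule:
    number: int
    action: str                 # "allow", "deny", "queue", "pipe", "check-state"
    src: str = "any"            # exact address or "any" (no CIDR in this toy)
    dst: str = "any"
    keep_state: bool = False    # the "keep-state" option on the rule
    arg: Optional[int] = None   # pipe/queue number, unused by the model


def _match_addr(pattern: str, addr: str) -> bool:
    return pattern == "any" or pattern == addr


def matches(rule: Rule, pkt: Packet) -> bool:
    return _match_addr(rule.src, pkt.src) and _match_addr(rule.dst, pkt.dst)


@dataclass
class Firewall:
    rules: List[Rule]
    one_pass: bool = True       # mirrors sysctl net.inet.ip.fw.one_pass (default 1)
    dynamic: Set[Tuple[str, str]] = field(default_factory=set)

    def process(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """Walk the ruleset for one packet; return (verdict, matching rule number)."""
        i = 0
        while i < len(self.rules):
            rule = self.rules[i]
            if rule.action == "check-state":
                # A dynamic entry matches both directions of the flow.
                if (pkt.src, pkt.dst) in self.dynamic or (pkt.dst, pkt.src) in self.dynamic:
                    return "allow", rule.number
                i += 1
                continue
            if not matches(rule, pkt):
                i += 1
                continue
            if rule.keep_state:
                self.dynamic.add((pkt.src, pkt.dst))
            if rule.action in ("queue", "pipe"):
                # Dummynet: with one_pass=1 the packet leaves the firewall here,
                # so no later rule (including keep-state) ever sees it.
                if self.one_pass:
                    return "allow", rule.number
                # With one_pass=0 the packet re-enters at the next rule.
                i += 1
                continue
            return rule.action, rule.number
        return "deny", None     # nothing matched: treat as default deny


GATEWAY = "192.168.10.2"   # ed1 on the FreeBSD gateway, from the post
ROUTER = "192.168.10.1"    # the ADSL router, standing in for "any" (constructed)

# Constructed ruleset: a shaping queue rule sits ABOVE the keep-state rule,
# which is the ordering the post describes.
RULES = [
    Rule(100, "check-state"),
    Rule(200, "queue", src=GATEWAY, dst="any", arg=1),
    Rule(300, "allow", src=GATEWAY, dst="any", keep_state=True),
    Rule(65535, "deny"),
]


def run(one_pass: bool) -> Tuple[str, Optional[int], int]:
    """Send one outbound packet, then its reply; report the reply's fate."""
    fw = Firewall(rules=RULES, one_pass=one_pass)
    fw.process(Packet(src=GATEWAY, dst=ROUTER))          # outbound
    verdict, rule = fw.process(Packet(src=ROUTER, dst=GATEWAY))  # return traffic
    return verdict, rule, len(fw.dynamic)


if __name__ == "__main__":
    for setting in (True, False):
        print(f"one_pass={int(setting)}: reply verdict/rule/dynamic-entries = {run(setting)}")
```

With `one_pass=True` the outbound packet stops at rule 200, no dynamic entry is created, and the reply falls through to the deny rule; with `one_pass=False` the packet continues to rule 300, the keep-state entry is created, and the reply is accepted at `check-state`. The same fix applies in practice: either set the sysctl to 0 as in the post, or put the keep-state rule ahead of the queue rule so state is created before shaping.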