From: Alex de Kruijff
To: Khairil Yusof
Cc: questions@freebsd.org
Date: Fri, 28 Nov 2003 23:45:36 +0100
Subject: Re: ipfw pipes + firewall
Message-id: <20031128224536.GB815@dds.nl>
In-reply-to: <1070026625.16777.115.camel@wolverine.home.net>
List: freebsd-questions@freebsd.org

On Fri, Nov 28, 2003 at 09:37:06PM +0800, Khairil Yusof wrote:
> I've read the man pages, and tested it out, and just want to confirm
> that what I'm doing is right and that I didn't miss anything.
>
> Disable one_pass so that packets after matching pipe rule will continue
> on to other rules. Without this, packets matching pipes are not
> applied again against firewall rules.
>
> net.inet.ip.fw.one_pass: 0
>
> I then put the pipe rules before any firewall rules so that anything
> going in and out (in this case) go through the pipes first. They are
> then matched by normal firewall rules.
>
> 00100 83 11350 pipe 1 ip from any to any out
> 00200 93 11266 pipe 2 ip from any to any in
> 00300 0 0 check-state
> 00400 0 0 deny tcp from any to any established
> 01400 103 14855 allow tcp from any to me dst-port 22 in setup keep-state
> ... more firewall rules which are being matched
>
> From what I can see the pipe rules are being matched. I tested bandwidth
> controls, and they work. And I also could not access ports which I did
> have a dynamic rule for (as in 01400).

I find your 400 rule very strange. Rule 400 shouldn't apply because they
are passed by 300 (this one doesn't have a counter :( ). For rule 1400 the
dst-port is wrongly placed. Ports are (or can be) given after the ip
without any marker. I would replace 1400 with:

allow tcp from any to me 22 in
allow tcp from me 22 to any out

No need to have dynamic rules here so place it before 300

--
Alex

Articles based on solutions that I use:
http://www.kruijff.org/alex/index.php?dir=docs/FreeBSD/
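As an added illustration that is not part of the thread, the following Python model walks the ruleset quoted above the way ipfw does and shows what net.inet.ip.fw.one_pass changes when the pipe rules sit in front of the filter rules: with one_pass=1 every packet is accepted as soon as it hits a pipe, so the filter rules behind it never run. The model is simplified (check-state allows any flow with a dynamic entry, "established" means ACK set, addresses are plain strings) and the sample packets are constructed.

```python
# Added example (not from the thread): a small model of how ipfw walks a ruleset,
# to show why net.inet.ip.fw.one_pass matters when pipe rules precede the filter
# rules. Simplifications: check-state simply allows a flow that has a dynamic
# entry, "established" means ACK set, and addresses are plain strings.

# The ruleset quoted in the thread (default rule 65535 is the fall-through below).
RULES = [
    dict(num=100, action="pipe", proto="ip", dir="out"),
    dict(num=200, action="pipe", proto="ip", dir="in"),
    dict(num=300, action="check-state"),
    dict(num=400, action="deny", proto="tcp", established=True),
    dict(num=1400, action="allow", proto="tcp", dst="me", dport=22, dir="in",
         setup=True, keep_state=True),
]


def flow_key(p):
    """Direction-independent flow key, since a dynamic rule matches both ways."""
    return (p["proto"], frozenset([(p["src"], p["sport"]), (p["dst"], p["dport"])]))


def matches(r, p):
    """Static match of one rule against one packet (a subset of ipfw's options)."""
    return (r["proto"] in ("ip", p["proto"])
            and r.get("dir") in (None, p["dir"])
            and r.get("dst") in (None, p["dst"])
            and r.get("dport") in (None, p["dport"])
            and (not r.get("setup") or (p["syn"] and not p["ack"]))
            and (not r.get("established") or p["ack"]))


def walk(rules, p, one_pass, dyn):
    """Return (verdict, numbers of the rules that matched); dyn is the dynamic table."""
    trace = []
    for r in rules:
        if r["action"] == "check-state":
            trace.append(r["num"])
            if flow_key(p) in dyn:
                return "allow", trace
            continue
        if not matches(r, p):
            continue
        trace.append(r["num"])
        if r["action"] == "pipe":
            if one_pass:              # one_pass=1: search stops here, packet is accepted
                return "allow", trace
            continue                  # one_pass=0: search resumes at the next rule
        if r["action"] == "allow" and r.get("keep_state"):
            dyn.add(flow_key(p))      # keep-state installs a dynamic rule
        return r["action"], trace
    return "deny", trace              # implicit default rule 65535


def packet(dport, syn, ack, direction="in"):
    """Constructed inbound TCP packet from a sample client (192.0.2.10) towards 'me'."""
    return dict(proto="tcp", dir=direction, src="192.0.2.10", sport=40000,
                dst="me", dport=dport, syn=syn, ack=ack)
```

Run walk(RULES, packet(80, True, False), True, set()) and then the same call with one_pass False to see a SYN to an unlisted port accepted by rule 200 in the first case and dropped by the default rule in the second.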