From: "Drew Tomlinson" <drew@mykitchentable.net>
To: "FreeBSD Questions" <freebsd-questions@freebsd.org>
Date: Fri, 11 Apr 2003 20:02:13 -0700
Message-ID: <003501c3009f$eaa1d3e0$0301a8c0@bigdaddy>
Subject: Re: IPFW Rule Not As Expected -- SOLVED (keep-state dummynet traffic shaping pipe queue)

----- Original Message -----
From: "Drew Tomlinson"
To: "FreeBSD Questions"
Sent: Thursday, April 10, 2003 4:19 AM

> I have a rule that's not working as I expect. Here's an ASCII drawing of my
> network:
>
>                 ISP
>                  |
>                  | Public DHCP address
>                  |
>         3Com ADSL Modem/Router
>         (Router performs NAT)
>                  | (192.168.10.1)
>                  |
>                  |
>                  | (ed1 192.168.10.2)
>            FBSD Gateway
>                  | (ed0 192.168.1.2)
>                  |
>                  |
>            Internal LAN
>
> I intend to allow all outgoing traffic on ed1 (192.168.10.2) and create a
> dynamic rule to allow the return traffic with the following rule:
>
> ipfw add allow ip from 192.168.10.2 to any keep-state
>
> However the dynamic rule for the return traffic isn't getting created. It
> is my suspicion that my outgoing traffic is matching a prior rule but I just
> don't see it. I've included the output of 'ipfw list' to show all of my
> rules.
>
> Can anyone point out my error?

It seems that by default, once traffic is inserted into a 'pipe', it is not injected back into the firewall. However, this is controlled by the sysctl value 'net.inet.ip.fw.one_pass', which is '1' by default. By setting this value to '0', the rule set is resumed from the point it was placed in the pipe. Thus my traffic was going out via an 'add queue' rule and therefore never creating a dynamic rule via a 'keep-state' rule further down the list. Now my traffic hits the 'keep-state' rule and all is well.

I have come to this conclusion on my own via reading and testing. If anyone sees an error in my conclusion, please feel free to set me straight. In fact, I'd appreciate it! :)

Thanks,

Drew
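The following script is an added example, not Drew's ruleset or anything from the thread. It puts the fix he describes into a loadable ipfw command file for the gateway in his drawing: a dummynet pipe and queue, a check-state rule first, the queue rule before the keep-state rule, and net.inet.ip.fw.one_pass set to 0 so packets leaving the queue continue at the next rule instead of leaving the firewall. The interface names and the address 192.168.10.2 come from the post; the rule numbers, the 256Kbit/s bandwidth, the queue weight, the internal /24 and the catch-all deny are assumptions. keep_state_after_queue checks the ordering that the fix depends on, since a keep-state rule placed before the queue rule would be skipped for the same reason.

```shell
#!/bin/sh
# Added example (not from the original post): ipfw rules for the gateway
# in the drawing, arranged so that with one_pass=0 a packet leaving the
# dummynet queue is reinjected at the next rule and reaches keep-state.

EXT_IF="ed1"                 # outside interface, from the post
EXT_IP="192.168.10.2"        # its address, from the post
INT_IF="ed0"                 # inside interface, from the post
PIPE_BW="256Kbit/s"          # assumed upstream bandwidth
QUEUE_WEIGHT="10"            # assumed dummynet queue weight

# Emit the ipfw command file. Rule 200 (queue) must precede rule 300
# (keep-state): with one_pass=0 the packet resumes at the rule after 200.
render_rules() {
cat <<EOF
pipe 1 config bw ${PIPE_BW}
queue 1 config pipe 1 weight ${QUEUE_WEIGHT}
add 100 check-state
add 200 queue 1 ip from ${EXT_IP} to any out via ${EXT_IF}
add 300 allow ip from ${EXT_IP} to any out via ${EXT_IF} keep-state
add 400 allow ip from any to any via ${INT_IF}
add 65000 deny log ip from any to any
EOF
}

# Succeed (exit 0) only if the queue rule number is lower than the
# keep-state rule number, i.e. the keep-state rule is reachable after
# reinjection. Parsed from render_rules output with awk.
keep_state_after_queue() {
    render_rules | awk '
        $1 == "add" && $3 == "queue" { q = $2 }
        $1 == "add" && /keep-state/  { k = $2 }
        END { exit !(q > 0 && k > q) }'
}

# Load the ruleset. Requires root on a FreeBSD host with ipfw and
# dummynet available; elsewhere it only reports and returns 1.
apply_rules() {
    if ! command -v ipfw >/dev/null 2>&1; then
        echo "ipfw not found; use render_rules to inspect the ruleset" >&2
        return 1
    fi
    keep_state_after_queue || { echo "rule order wrong" >&2; return 1; }
    rules_file=$(mktemp) || return 1
    render_rules > "$rules_file"
    # The fix from the post: let packets coming out of a pipe or queue
    # continue through the ruleset. Persist it in /etc/sysctl.conf too.
    sysctl net.inet.ip.fw.one_pass=0
    ipfw -q -f flush
    ipfw -q "$rules_file"
    rm -f "$rules_file"
}

# Usage: sh ipfw_onepass.sh apply   (otherwise just defines the functions)
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Because the packet re-enters the ruleset right after the queue rule, no later pipe or queue rule should match it again, or it would be shaped twice; keeping a single queue rule per direction, as above, avoids that. Return traffic is accepted by the check-state rule at 100 and never reaches the queue, so only outbound traffic is shaped.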