Date: Mon, 3 Jun 2002 07:28:39 -0700 (PDT)
From: Walid Nehme <walidn@yahoo.com>
To: freebsd questions <freebsd-questions@freebsd.org>
Subject: problem with Bridge, dummynet, ipfw.
Message-ID: <20020603142839.88471.qmail@web10003.mail.yahoo.com>
Dear Sirs.
I configured a bridge today, as follows.
cp /usr/src/sys/i386/conf/GENERIC Firewall
and added these lines there:
options IPFIREWALL #firewall
options IPFIREWALL_VERBOSE #enable logging to
options IPFIREWALL_FORWARD #enable transparent
options IPFIREWALL_VERBOSE_LIMIT=100 #limit
options DUMMYNET
options BRIDGE
options HZ=10
options NMBCLUSTERS=8192
then config firewall, then cd ../../compile/firewall, make depend, make, make install.
In the file sysctl.conf I added:
net.link.ether.bridge_cfg=rl0:0;rl1:0
net.link.ether.bridge=1
net.link.ether.bridge_ipfw=1
net.inet.ip.fw.one_pass=0 # I need this for traffic shaping.
net.inet.ip.fw.enable=1
and put the following in my firewall rules.
I want to enforce rate limiting on each host in my network
individually: an upstream limit of 64Kbit/s and a downstream
of 384Kbit/s for each host; in addition, I want to disallow
all external hosts from initiating connections with the hosts
on my network so that no one can run any servers.
pipe 10 config mask src-ip 0x000000ff bw 64kbit/s queue 8Kbytes
pipe 20 config mask dst-ip 0x000000ff bw 384kbit/s queue 8Kbytes
add 100 deny icmp from any to 12.18.123.0/24 in via xl0 icmptypes 8
add 110 check-state
add 1000 pipe 10 all from 12.18.123.0/24 to any out via xl0
add 1100 pipe 20 all from any to 12.18.123.0/24 in via xl0
add 1200 allow tcp from 12.18.123.0/24 to any out via xl0 setup keep-state
add 1200 allow udp from 12.18.123.0/24 to any out via xl0 keep-state
add 1300 allow icmp from 12.18.123.0/24 to any out icmptypes 8 keep-state
add 65535 deny all from any to any
As a result I get the following error message a huge number
of times on the console:
--loop(0) macaddress to rl0 from rl1 (active)
--loop(1) same macaddress to rl1 from rl0 (active)
/kernel: --loop(0) macaddress to rl0 from rl1(active)
/kernel: --loop(1) same macaddress to rl1 from rl0 (active)
and the bridge didn't work. I couldn't ping anything or surf
the internet. Then I tried with an open firewall, adding
add 100 pass all from any to any
and I get the same result.
CAN ANYONE HELP?
=====
Regards.
Walid Nehme
ICQ:5855336
MSN:nastylid@hotmail.com
"The only reason I'm burning my candle at both ends, is because I haven't figured out how to light the middle yet"
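The ruleset in the message above, replayed against a few constructed packets. This is an added example written for this archive page, not code from the poster or from FreeBSD; it keeps the interface name xl0 exactly as the rules are written and models only the parts of ipfw the rules use (direction, `via`, `setup`, `keep-state`/`check-state`, dummynet pipe masks and the one_pass sysctl). The sample packets, the address 198.51.100.7 and the state-table model are assumptions made for the example.

```python
"""Model of the ipfw/dummynet ruleset from the post (added example, not the
poster's code). It shows what a packet goes through with one_pass=0 versus
one_pass=1, which dynamic dummynet queue a `mask ... 0x000000ff` pipe puts a
packet in, and what happens to a packet that does not match `via xl0`."""
from ipaddress import ip_address, ip_network

# Rules transcribed from the post. Fields:
# (number, action, proto, src, dst, direction, iface, setup, keep_state, icmptype)
RULES = [
    (100,   "deny",        "icmp", "any",            "12.18.123.0/24", "in",  "xl0", False, False, 8),
    (110,   "check-state", None,   None,             None,             None,  None,  False, False, None),
    (1000,  "pipe 10",     "all",  "12.18.123.0/24", "any",            "out", "xl0", False, False, None),
    (1100,  "pipe 20",     "all",  "any",            "12.18.123.0/24", "in",  "xl0", False, False, None),
    (1200,  "allow",       "tcp",  "12.18.123.0/24", "any",            "out", "xl0", True,  True,  None),
    (1200,  "allow",       "udp",  "12.18.123.0/24", "any",            "out", "xl0", False, True,  None),
    (1300,  "allow",       "icmp", "12.18.123.0/24", "any",            "out", None,  False, True,  8),
    (65535, "deny",        "all",  "any",            "any",            None,  None,  False, False, None),
]

# pipe number -> (masked field, mask, bandwidth in kbit/s), from the two
# `pipe N config mask ...` lines in the post.
PIPES = {10: ("src", 0x000000FF, 64), 20: ("dst", 0x000000FF, 384)}


def flow_key(pipe_no, pkt):
    """Key of the dynamic queue a packet lands in: the masked address.
    With mask 0x000000ff every distinct last octet gets its own queue,
    so each host in the /24 is shaped separately."""
    field, mask, _bw = PIPES[pipe_no]
    return (pipe_no, int(ip_address(pkt[field])) & mask)


def _addr_match(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec)


def _matches(rule, pkt):
    _num, _action, proto, src, dst, direction, iface, setup, _keep, icmptype = rule
    if proto != "all" and proto != pkt["proto"]:
        return False
    if not (_addr_match(src, pkt["src"]) and _addr_match(dst, pkt["dst"])):
        return False
    if direction is not None and direction != pkt["dir"]:
        return False
    if iface is not None and iface != pkt["iface"]:
        return False
    if setup and not pkt.get("syn_only", False):   # `setup` = SYN without ACK
        return False
    if icmptype is not None and pkt.get("icmptype") != icmptype:
        return False
    return True


def _state_key(pkt, reverse=False):
    fwd = (pkt["proto"], pkt["src"], pkt.get("sport"), pkt["dst"], pkt.get("dport"))
    return (fwd[0], fwd[3], fwd[4], fwd[1], fwd[2]) if reverse else fwd


def evaluate(pkt, state, one_pass=False):
    """Walk RULES for one packet. Returns (verdict, trace). `state` is the
    dynamic rule table (a set) shared across calls, as keep-state needs."""
    trace = []
    for rule in RULES:
        num, action, keep_state = rule[0], rule[1], rule[8]
        if action == "check-state":
            # A dynamic rule created by `allow ... keep-state` accepts
            # matching packets in either direction, with the parent's action.
            if _state_key(pkt) in state or _state_key(pkt, reverse=True) in state:
                trace.append((num, "allow via dynamic rule"))
                return "allow", trace
            continue
        if not _matches(rule, pkt):
            continue
        if action.startswith("pipe"):
            pipe_no = int(action.split()[1])
            trace.append((num, "pipe %d queue %s" % (pipe_no, flow_key(pipe_no, pkt))))
            if one_pass:
                return "allow", trace   # one_pass=1: the pipe ends the search
            continue                    # one_pass=0: re-injected, search continues
        trace.append((num, action))
        if action == "allow" and keep_state:
            state.add(_state_key(pkt))
        return action, trace
    return "deny", trace


# Constructed sample traffic (not from the post); 198.51.100.7 is a documentation address.
LAN_SYN = dict(proto="tcp", src="12.18.123.5", sport=40000, dst="198.51.100.7", dport=80,
               dir="out", iface="xl0", syn_only=True)
REPLY = dict(proto="tcp", src="198.51.100.7", sport=80, dst="12.18.123.5", dport=40000,
             dir="in", iface="xl0")
INBOUND_SYN = dict(proto="tcp", src="198.51.100.7", sport=5555, dst="12.18.123.9", dport=22,
                   dir="in", iface="xl0", syn_only=True)


def demo(one_pass=False):
    """Run the three packets through the ruleset in order, sharing state."""
    state = set()
    return {
        "lan_syn": evaluate(LAN_SYN, state, one_pass),
        "reply": evaluate(REPLY, state, one_pass),
        "inbound_syn": evaluate(INBOUND_SYN, state, one_pass),
        # Same outbound SYN but seen on rl0 (the bridge member named in
        # bridge_cfg) instead of xl0; fresh state so check-state cannot match.
        "lan_syn_on_rl0": evaluate(dict(LAN_SYN, iface="rl0"), set(), one_pass),
    }


if __name__ == "__main__":
    for name, (verdict, trace) in demo().items():
        print(name, verdict, trace)
```

In this model the traces make three things about the posted rules visible. With one_pass=0 the LAN host's SYN goes through pipe 10 (queue keyed on its last octet, 5) and still has to reach rule 1200 to be allowed; an unsolicited inbound SYN goes through pipe 20 and is then dropped by 65535, whereas with one_pass=1 the same packet is accepted as soon as rule 1100 matches. Because check-state sits at 110, the reply to the LAN host's connection is accepted there and never reaches pipe 20 at 1100, so the downstream limit only applies to packets that have no dynamic rule. Finally, a packet that arrives on rl0 or rl1, the interfaces named in net.link.ether.bridge_cfg, matches none of the `via xl0` rules and falls to the default deny.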
