From: Fargo Holiday
To: freebsd-net@freebsd.org
Date: Sun, 15 Aug 2004 13:57:30 -0700
Subject: Re: [FreeBSD 5.2] Bandwith and packet throttling
In-Reply-To: <20040815191905.GC43915@shellma.zin.lublin.pl>

Thank you greatly everyone, derision aside, and especially Pawel. The deny loopback is strange; I assume my roommate put that in there or it is a strange default rule. And, to be honest, when I looked at the man page, I didn't see any indication that a successful rule match halted the pattern search, and in fact the last firewall/routing solution I used was some bastard piece of software running a Solaris machine. I don't recall the name of it, but let's just say the experience doesn't carry over to this layout.

Here is what I saw in the man page, and why it didn't occur to me that the rule placement was important:

"An ipfw configuration, or ruleset, is made of a list of rules numbered from 1 to 65535. Packets are passed to ipfw from a number of different places in the protocol stack (depending on the source and destination of the packet, it is possible that ipfw is invoked multiple times on the same packet). The packet passed to the firewall is compared against each of the rules in the firewall ruleset. When a match is found, the action corresponding to the matching rule is performed."

and a little later:

"Also note that each packet is always checked against the complete ruleset, irrespective of the place where the check occurs, or the source of the packet."

Though I did initially overlook this part:

"Depending on the action and certain system settings, packets can be reinjected into the firewall at some rule after the matching one for further processing."

Which vaguely implies such a thing; I never came across a section that mentioned this behavior of exiting after a match.

Anyway, thanks again y'all, I truly appreciate it.
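Added example, not from this thread or from the FreeBSD project: a small Python model of the first-match semantics discussed above. The ruleset and the packets are constructed for illustration (the loopback rules are shaped like the stock rc.firewall ones); it shows how evaluation stops at the first matching rule, so a permissive rule placed too early shadows every rule numbered after it.

```python
# Constructed model of ipfw first-match evaluation: the action of the first
# matching rule is taken and the search stops. Reinjection (skipto/divert)
# is deliberately not modelled. Not FreeBSD code.
from ipaddress import ip_address, ip_network

# Rule tuple: (number, action, proto, src, dst, via-interface or None).
RULES = [
    (100, "allow", "ip", "any", "any", "lo0"),          # loopback traffic
    (200, "deny",  "ip", "any", "127.0.0.0/8", None),    # to loopback, off lo0
    (300, "deny",  "ip", "127.0.0.0/8", "any", None),    # from loopback, off lo0
    (400, "allow", "tcp", "any", "192.0.2.10/32", None), # constructed server
    (65535, "deny", "ip", "any", "any", None),           # ipfw default rule
]

# Same rules with a constructed "allow everything" rule added at the top.
MISORDERED = [(50, "allow", "ip", "any", "any", None)] + RULES

# Constructed sample packets: (proto, src, dst, interface).
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "127.0.0.1", "dst": "127.0.0.1", "iface": "lo0"},
    {"proto": "tcp", "src": "127.0.0.1", "dst": "192.0.2.10", "iface": "em0"},
    {"proto": "tcp", "src": "198.51.100.7", "dst": "127.0.0.5", "iface": "em0"},
    {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.10", "iface": "em0"},
    {"proto": "udp", "src": "198.51.100.7", "dst": "192.0.2.10", "iface": "em0"},
]

def _addr_match(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec)

def _rule_matches(rule, pkt):
    _, _, proto, src, dst, via = rule
    if proto != "ip" and proto != pkt["proto"]:
        return False
    if via is not None and via != pkt["iface"]:
        return False
    return _addr_match(src, pkt["src"]) and _addr_match(dst, pkt["dst"])

def evaluate(rules, pkt):
    """Return (number, action) of the first matching rule in number order."""
    for rule in sorted(rules, key=lambda r: r[0]):
        if _rule_matches(rule, pkt):
            return rule[0], rule[1]   # search halts here, later rules unseen
    raise RuntimeError("no default rule")  # ipfw always has rule 65535

def shadowed_rules(rules, packets):
    """Rule numbers that never fire for any sample packet: an ordering hint."""
    fired = {evaluate(rules, p)[0] for p in packets}
    return [r[0] for r in rules if r[0] not in fired]
```

Feeding the same packets through MISORDERED shows every packet matching rule 50 and all of the loopback and default rules reported as shadowed.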