From: Andrey Simonenko
To: Andrea Venturoli
Cc: freebsd-net@freebsd.org
Subject: Re: ipfw: count=pass?
Date: Thu, 13 Feb 2003 11:23:16 +0200 (EET)
Message-Id: <200302130923.h1D9NGrH000377@pm514-9.comsys.ntu-kpi.kiev.ua>
In-Reply-To: <200302121602.h1CG2n4h002384@soth.ventu.lucky.freebsd.net>

On Wed, 12 Feb 2003 16:02:37 +0000 (UTC) in lucky.freebsd.net, Andrea Venturoli wrote:

> Hello!
> I've tried to block users from surfing the web, once they have moved
> a certain amount of traffic per week. I put a series of "count" rules
> in ipfw and let cron call a script every 5 minutes to read the
> associated byte counter and possibly insert "deny" rules *after* the
> count rules.

There is ports/sysutils/ipa for this kind of work.

> The problem is that the traffic still goes through: the counters of the
> deny rules are all 0, as though they were never reached.
> ipfw's manual page states that after a count the packet goes ahead in
> the rule chain as if nothing had happened, but at this point I'm
> beginning to wonder whether this is true or whether the count rules also
> allow traffic through as if they were "pass".
> This is on FreeBSD 4.7-p3.

If the counter of some IPFW rule is always 0, then this means that this rule is not reached (you are right here). After a "count" rule the search continues with the next rule (with the same number or with the next number; at least this is true for IPFW1, check it). You should find an "allow" rule before the "deny" rule which allows some traffic.
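As an added example (not code from the thread or from ipfw itself), here is a small sh/awk check for the situation described in the reply: a "deny" rule inserted after a "count" rule that never matches because an "allow" rule numbered between the two passes the traffic first. The rule dumps, rule numbers and the 192.0.2.10 address are constructed for the example.

```sh
#!/bin/sh
# Added example, not code from the thread: check whether a "deny" rule that
# was inserted after an ipfw "count" rule is shadowed by an "allow" rule.
# ipfw searches rules in ascending number order and "count" only bumps the
# counters and falls through, so an allow rule numbered between the count
# rule and the deny rule passes the traffic first; the deny rule then
# stays at 0 packets, which is the symptom reported above.
#
# Input is the text printed by `ipfw -a list` (`ipfw show`):
#   <rule number> <packets> <bytes> <action> <body...>
# The dumps below are constructed for this example (address is made up).

# Broken ordering: the deny rule at 300 sits behind the general allow at 200.
BROKEN_RULES='00100 1523 1187420 count tcp from 192.0.2.10 to any 80
00200 4099 2760031 allow tcp from any to any
00300 0 0 deny tcp from 192.0.2.10 to any 80
65535 88 5120 deny ip from any to any'

# Fixed ordering: the cron script inserted the deny rule at 150, still after
# the count rule (so the byte counter keeps accumulating) but before the
# allow rule that was letting the traffic through.
FIXED_RULES='00100 1523 1187420 count tcp from 192.0.2.10 to any 80
00150 37 22140 deny tcp from 192.0.2.10 to any 80
00200 4099 2760031 allow tcp from any to any
65535 88 5120 deny ip from any to any'

# shadowing_rules COUNT_RULE DENY_RULE RULE_DUMP
# Prints the number of every rule strictly between COUNT_RULE and DENY_RULE
# whose action is allow (or one of its ipfw(8) synonyms) and that has
# matched packets. Rules sharing one number are searched in insertion
# order, which a comparison by number alone cannot see; use distinct numbers.
shadowing_rules() {
    printf '%s\n' "$3" | awk -v lo="$1" -v hi="$2" '
        ($1 + 0 > lo + 0) && ($1 + 0 < hi + 0) &&
        ($4 ~ /^(allow|pass|accept|permit)$/) && ($2 + 0 > 0) { print $1 }'
}

# deny_is_shadowed COUNT_RULE DENY_RULE RULE_DUMP: exit status 0 if shadowed.
deny_is_shadowed() {
    [ -n "$(shadowing_rules "$1" "$2" "$3")" ]
}

# Typical use on a live host:  deny_is_shadowed 100 300 "$(ipfw -a list)"
shadowing_rules 100 300 "$BROKEN_RULES"   # prints 00200
```

On a live host, feed the real `ipfw -a list` output in place of the constructed dump; a non-empty result names the allow rule the deny rule must be numbered before.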