From: David Atkinson <david@albury.net.au>
To: Bikrant Neupane
Date: Thu, 23 Sep 2004 17:16:14 +1000 (EST)
Subject: Re: Ipfw accept rule
List: freebsd-isp@freebsd.org

Are you looking for something like count? The whole idea of an allow rule is that once it matches it is assumed that you actually do want that packet and there is no point continuing through the ruleset. If you want to have a general allow rule with a few specific exclusions, add one or two deny rules for the specific cases and then have your more general allow rule.

One problem that does occur with this plan is that it becomes very easy to overload your server with lots of rarely matched deny rules. If you find the time in interrupt going too high, look at constructing some blocks of rules and set up some skipto rules. In the case of blocking (firewalling off) well known sources of spam, a lot of rules can be generated very quickly. As these only apply to port 25 traffic, skipto can be used to skip these rules for all other traffic.

1000 skipto 2000 tcp from any to any 25
1100 skipto 4000 ip from any to any
2000 deny ip from spammer.com to any
...

HTH,
David Atkinson

On Thu, 23 Sep 2004, Bikrant Neupane wrote:

> Hi,
> When a packet hits "allow | accept | pass | permit" rule the packet is
> accepted and the search is terminated at that point.
>
> I need to accept the packet but still want the packet to continue traversing
> rules further below. However, once it hits "deny | drop" rule it should be
> dropped and the search should terminate at that point. Is that possible with
> IPFW?
>
> regards,
> Bikrant
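An added example, not from David's message or from the FreeBSD project: a POSIX shell generator that emits the skipto layout he sketches, so the long deny block is only walked by SMTP traffic. Rule numbers 1000, 1100 and 2000 are taken from his reply; the blocklist addresses and the general allow at rule 4000 are assumptions.

```shell
#!/bin/sh
# Constructed sample blocklist (RFC 5737 documentation addresses, not real
# spam sources), one entry per line.
SPAM_SOURCES="192.0.2.10
198.51.100.0/24
203.0.113.77"

# gen_ipfw_rules: print the "ipfw add" commands for the skipto layout.
# Port-25 traffic jumps into the deny block at 2000 and, if nothing there
# matches, falls through to the general allow at 4000. Everything else
# jumps straight to 4000 and never pays for the blocklist.
gen_ipfw_rules() {
    echo "ipfw add 1000 skipto 2000 tcp from any to any 25"
    echo "ipfw add 1100 skipto 4000 ip from any to any"
    n=2000
    for src in $SPAM_SOURCES; do
        # The deny block lives in 2000-3999; refuse to collide with 4000.
        if [ "$n" -ge 4000 ]; then
            echo "blocklist too long for the 2000-3999 rule range" >&2
            return 1
        fi
        echo "ipfw add $n deny ip from $src to any"
        n=$((n + 1))
    done
    # Assumed general allow that the non-SMTP traffic skipped to.
    echo "ipfw add 4000 allow ip from any to any"
}

# count_deny_rules: how many deny rules the block contains, useful when
# checking the list against the 2000-3999 range before loading it.
count_deny_rules() {
    gen_ipfw_rules | grep -c ' deny '
}

gen_ipfw_rules
```

Pipe the output into sh on the firewall host once it looks right; the count helper is there so you notice the range limit before ipfw does.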