From owner-freebsd-questions Thu Jul 10 09:42:11 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id JAA10891 for questions-outgoing; Thu, 10 Jul 1997 09:42:11 -0700 (PDT)
Received: from gatekeeper.barcode.co.il (gatekeeper.barcode.co.il [192.116.93.17]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id JAA10879 for ; Thu, 10 Jul 1997 09:41:57 -0700 (PDT)
Received: (from nadav@localhost) by gatekeeper.barcode.co.il (8.8.5/8.6.12) id TAA05284; Thu, 10 Jul 1997 19:40:13 +0300 (IDT)
Date: Thu, 10 Jul 1997 19:40:12 +0300 (IDT)
From: Nadav Eiron
To: Cliff Addy
cc: questions@FreeBSD.ORG
Subject: Re: ipfw
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-questions@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Thu, 10 Jul 1997, Cliff Addy wrote:

> I've successfully compiled firewall support into the kernel and used ipfw
> to set up some rules. I have two questions:
>
> 1) What is the best way to invoke ipfw rules at boot time? Since the
> default condition is allow nothing, it breaks nfs, web servers, etc. I
> presume it has something to do with rc.conf's "firewall" setting, but I've
> not been able to find any documentation on the appropriate values (other
> than "NO"). I'd like to have ipfw load up the rules from a file as early
> in the boot process as possible.

Set take a look at /etc/rc.firewall

> 2) We have several aliased ip addresses on the network card. The whole
> point of this is to measure the traffic on each ip address separately.
> I've tried adding rules like
>
> allow all from any to 207.239.68.3
> allow all from 207.239.68.3 to any
>
> and can get stats from ipfw on byte/packet counts for each of these rules.
> My question is: Does adding the byte counts accurately tell me all the
> bandwidth being used by that ip address, including packet headers, etc?
> Or am I doing this all wrong?

AFAIK it should. It counts the number and size of IP packets.
That's about as low as you can get (it doesn't count Ethernet/IEEE 802.3
headers, but these are rarely of any interest).

Nadav
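
Added example, not part of the original message: a shell function that adds up the per-rule byte counters for one aliased address, as discussed in question 2. The listing is constructed sample data in the column layout of `ipfw -a list` (rule number, packets, bytes, rule text), and the names `sample_listing` and `ip_bytes` are made up for this example.

```shell
#!/bin/sh
# Constructed sample, not real counters. The .30 rule is there to show
# that 207.239.68.3 is matched exactly, not as a prefix.
sample_listing() {
cat <<'EOF'
00100   120   96000 allow ip from any to 207.239.68.3
00200    80   24000 allow ip from 207.239.68.3 to any
00300    10    5000 allow ip from any to 207.239.68.4
00400     5    1500 allow ip from 207.239.68.4 to any
00500     7     700 allow ip from any to 207.239.68.30
65535     0       0 deny ip from any to any
EOF
}

# ip_bytes ADDR
# Reads a counter listing on stdin and prints "in out total" byte counts
# for the rules whose source or destination is exactly ADDR.
# The counters are IP packet sizes, so IP headers are included and
# link-layer (Ethernet) framing is not.
ip_bytes() {
    awk -v ip="$1" '
    {
        src = ""; dst = ""
        # Fields 1-3 are rule number, packets, bytes; the rule text follows.
        for (i = 4; i < NF; i++) {
            if ($i == "from") src = $(i + 1)
            if ($i == "to")   dst = $(i + 1)
        }
        if (dst == ip) in_b  += $3    # traffic addressed to ADDR
        if (src == ip) out_b += $3    # traffic sent by ADDR
    }
    # %.0f keeps large counters exact in awk variants that clamp %d.
    END { printf "%.0f %.0f %.0f\n", in_b, out_b, in_b + out_b }'
}

# On the firewall host: ipfw -a list | ip_bytes 207.239.68.3
sample_listing | ip_bytes 207.239.68.3
```

A packet exchanged between two of the aliased addresses matches a rule for each of them, so per-address totals can add up to more than the interface total.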