Date: Fri, 23 Apr 2004 13:31:10 +0200
From: Alex de Kruijff <freebsd@akruijff.dds.nl>
To: Marcelo Pinheiro <marcelo@wavenet.com.br>
Cc: freebsd-questions@freebsd.org
Subject: Re: Dummynet+Firewall+One_pass question
Message-ID: <20040423113110.GC24076@alex.lan>
In-Reply-To: <FFEAIMBODLFHMMJPBLEPCEFFCOAA.marcelo@wavenet.com.br>
References: <20040422190101.B04F216A4CE@hub.freebsd.org> <FFEAIMBODLFHMMJPBLEPCEFFCOAA.marcelo@wavenet.com.br>
On Thu, Apr 22, 2004 at 04:25:53PM -0300, Marcelo Pinheiro wrote:
> Hi,
>
> I am very new to FreeBSD, and I have a quite simple question: How does IPFW
> work when I use PIPES, divert and some other Firewall rules?
> What does net.inet.ip.fw.one_pass mean? For instance, if I use a pipe before
> a divert with one_pass set to 1, the packet passes through the pipe, but
> does not pass through the divert and that makes total sense. However if I
> set one_pass to 1 and set the pipe after the divert using the internal IP
> address ( RFC 1918 ) it works.... that does not make any sense, at least to
> me. :)
>
> man ipfw gives me:
>
>      pipe pipe_nr
>              Pass packet to a dummynet(4) ``pipe'' (for bandwidth limitation,
>              delay, etc.).  See the TRAFFIC SHAPER (DUMMYNET) CONFIGURATION
>              Section for further information.  The search terminates;
>              however, on exit from the pipe and if the sysctl(8) variable
>              net.inet.ip.fw.one_pass is not set, the packet is passed again
>              to the firewall code starting from the next rule.
>
> Here are some sample rules:
>
> # INTERNAL NETWORK
> ${fwcmd} pipe 1000 config bw 1024Kbit/s
> ${fwcmd} pipe 1001 config bw 1024Kbit/s
>
> ${fwcmd} add divert natd all from 10.0.0.0/8 to any
> ${fwcmd} add divert natd all from any to 200.x.x.x
>
> ${fwcmd} add pipe 1038 ip from 10.0.0.0/8 to any
> ${fwcmd} add pipe 1039 ip from any to 10.0.0.0/8
>
> If I set the way above, it works fine, even if the one_pass is set to 1 (
> one ). The divert changes the packet header to my external IP, and my real
> question is: How in the world does the pipe work if the header is changed to
> 200, instead of 10?
>
> THIS WAY IT DOES NOT WORK WITH ONE_PASS SET TO 1, it passes through the
> pipe, but does not pass through the divert:
>
> # INTERNAL NETWORK
> ${fwcmd} pipe 1000 config bw 1024Kbit/s
> ${fwcmd} pipe 1001 config bw 1024Kbit/s
>
> ${fwcmd} add pipe 1038 ip from 10.0.0.0/8 to any
> ${fwcmd} add pipe 1039 ip from any to 10.0.0.0/8
>
> ${fwcmd} add divert natd all from 10.0.0.0/8 to any
> ${fwcmd} add divert natd all from any to 200.x.x.x
>
> I deeply appreciate any ideas.

That's because the packets that meet the pipe rules are also allowed and
thus never meet the divert rule.

--
Alex

Articles based on solutions that I use:
http://www.kruijff.org/alex/index.php?dir=docs/FreeBSD/
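An added illustration, not part of the thread: a toy model of ipfw's first-match rule walk that reproduces the point Alex makes, namely that with net.inet.ip.fw.one_pass=1 a packet matching a pipe rule is accepted on exit from the pipe and never reaches a later divert rule, while with one_pass=0 it re-enters at the next rule. The two rulesets mirror the orderings in Marcelo's mail; the model deliberately does not simulate natd's address rewriting, and the packet addresses are constructed.

```python
import ipaddress

def _in(ip, spec):
    # ipfw address specs used in the thread: "any" or a CIDR block
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def walk(rules, src, dst, one_pass):
    """Simulate ipfw's first-match walk for one packet.

    rules: list of (action, number, src_spec, dst_spec) in ipfw order.
    Returns (actions hit in order, final fate). This is a teaching model:
    natd's header rewriting on divert is NOT modelled.
    """
    hits = []
    for action, num, src_spec, dst_spec in rules:
        if not (_in(src, src_spec) and _in(dst, dst_spec)):
            continue
        hits.append(f"{action} {num}")
        if action == "pipe" and one_pass:
            # man ipfw: the search terminates; with one_pass set the packet is
            # accepted on exit from the pipe and not re-submitted to the firewall
            return hits, "accepted after pipe"
        # pipe with one_pass=0, or divert (natd reinjects): continue at next rule
    return hits, "reached end of modelled rules"

# First ordering from the mail: divert before pipe
DIVERT_FIRST = [
    ("divert", "natd", "10.0.0.0/8", "any"),
    ("pipe", 1038, "10.0.0.0/8", "any"),
]
# Second ordering from the mail: pipe before divert
PIPE_FIRST = [
    ("pipe", 1038, "10.0.0.0/8", "any"),
    ("divert", "natd", "10.0.0.0/8", "any"),
]

if __name__ == "__main__":
    # constructed sample packet: internal host to a documentation-range address
    for name, rules in (("divert first", DIVERT_FIRST), ("pipe first", PIPE_FIRST)):
        for one_pass in (0, 1):
            print(f"{name}, one_pass={one_pass}:",
                  walk(rules, "10.0.0.5", "198.51.100.7", one_pass))
```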