Date: Fri, 10 Nov 2000 10:21:33 +0200 (WET)
From: Evren Yurtesen <eyurtese@turkuamk.fi>
To: mdg <mdg@madness.secureworks.net>
Cc: freebsd-isp@freebsd.org
Subject: Re: Is using dummynet and not loosing the firewall functionality possible?
Message-ID: <Pine.A41.4.10.10011101016200.58564-100000@bessel.tekniikka.turkuamk.fi>
In-Reply-To: <Pine.BSF.4.21.0011091712330.491-100000@madness.secureworks.net>

Yes, but then the problem is a little bit different. I want these people
behind the ed1 interface to connect everywhere through a pipe with
128Kbit/s, but they should be able to reach the X machine with unlimited
bandwidth.

The solution I found was that I put a rule for the X machine and then
another rule for the rest of the internet. But if I set
net.inet.ip.fw.one_pass to 0 then they are caught by both of the pipes
and they are always limited by the 128Kbit/s pipe (the smaller one).

So how can I use firewall rules and pipes and at the same time let my
users connect to some specific machine with unlimited bandwidth?

Evren

On Thu, 9 Nov 2000, mdg wrote:

> you need to set the following sysctl to 0:
>
>   net.inet.ip.fw.one_pass
>
> this will keep the search from terminating. i sent in a pr to get this
> added to rc.conf many moons ago ...
>
> On Thu, 9 Nov 2000, Evren Yurtesen wrote:
>
> ::: Date: Thu, 09 Nov 2000 23:31:47 +0200
> ::: From: Evren Yurtesen <eyurtese@turkuamk.fi>
> ::: To: freebsd-isp@freebsd.org
> ::: Subject: Is using dummynet and not loosing the firewall functionality
> :::  possible?
> :::
> ::: I have a little problem over here.
> ::: I have searched the mailing list archives but couldn't find anything
> ::: close... I made ipfw, dummynet etc. work perfectly but need a creative
> ::: idea for the conf file I should use. I sent this to questions but
> ::: somehow nobody knows the answer.
> :::
> ::: I want to limit bandwidth over an interface but I also want to use
> ::: ipfw's firewall capabilities, but the search terminates when ipfw
> ::: comes to a pipe command which has a match and the firewall rules are
> ::: not checked.
> :::
> ::: OK, you might say that I can make ipfw continue the search after a
> ::: pipe by setting a variable with sysctl, and I did that. Then the
> ::: problem is that I want users behind this firewall box to connect to
> ::: the X machine without the bandwidth limit, and I put 2 rules: the
> ::: first to match the X machine and the second to match anything else.
> ::: However, these users are caught by both of the bandwidth rules if the
> ::: search doesn't terminate on the first rule. I can handle this if ipfw
> ::: terminates the search when it finds a rule, but then I can't use
> ::: ipfw's firewall capabilities.
> :::
> ::: Is this a kind of paradox? Any creative ideas?
> :::
> ::: Evren
> :::
> ::: To Unsubscribe: send mail to majordomo@FreeBSD.org
> ::: with "unsubscribe freebsd-isp" in the body of the message
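
Added example, not part of the original message or of ipfw itself: a simplified Python model of the rule traversal described above, showing which pipes a packet passes through and whether the filter rules are reached under each net.inet.ip.fw.one_pass setting. The addresses, the telnet deny rule, the rule numbers and the skipto variant are assumptions made for illustration; skipto is an existing ipfw action, but its use here is not a configuration proposed in the thread.

```python
X = "192.0.2.10"        # constructed address for the "X machine"
OTHER = "198.51.100.7"  # constructed address for "the rest of internet"

def to_x(pkt): return pkt["dst"] == X
def any_pkt(pkt): return True
def telnet(pkt): return pkt["dport"] == 23  # constructed filter rule

# Layout described in the message: one pipe for X, one for everything else.
AS_POSTED = [
    (100, "pipe", 1, to_x),        # pipe 1: no bandwidth limit
    (200, "pipe", 2, any_pkt),     # pipe 2: 128Kbit/s
    (300, "deny", None, telnet),
    (400, "allow", None, any_pkt),
]
# Assumed variant (not from the thread): X traffic skips the 128Kbit/s pipe.
WITH_SKIPTO = [
    (100, "pipe", 1, to_x),
    (150, "skipto", 300, to_x),
    (200, "pipe", 2, any_pkt),
    (300, "deny", None, telnet),
    (400, "allow", None, any_pkt),
]

def evaluate(rules, pkt, one_pass):
    """Simplified model of ipfw traversal: return (pipes traversed, verdict)."""
    pipes, i = [], 0
    while i < len(rules):
        _, action, arg, match = rules[i]
        if not match(pkt):
            i += 1
        elif action == "pipe":
            pipes.append(arg)
            if one_pass:           # search ends here; filter rules never run
                return pipes, "allow"
            i += 1                 # one_pass=0: resume at the next rule
        elif action == "skipto":   # jump to the first rule numbered >= arg
            i = next((j for j, r in enumerate(rules) if r[0] >= arg), len(rules))
        else:
            return pipes, action   # allow / deny terminates the search
    return pipes, "deny"           # model assumes a default-deny final rule

def report(rules, one_pass):
    cases = {"X:80": (X, 80), "other:80": (OTHER, 80), "other:23": (OTHER, 23)}
    return {name: evaluate(rules, {"dst": d, "dport": p}, one_pass)
            for name, (d, p) in cases.items()}

if __name__ == "__main__":
    for label, rules in (("as posted", AS_POSTED), ("with skipto", WITH_SKIPTO)):
        print(label, {op: report(rules, op) for op in (1, 0)})
```

The model ignores packet direction and interface matching, so it shows only the search order, not a ruleset to load as-is.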