Date: Mon, 28 Nov 2011 14:49:10 -0800
From: Freddie Cash <fjwcash@gmail.com>
To: Marek Salwerowicz <marek_sal@wp.pl>
Cc: freebsd-net@freebsd.org
Subject: Re: ipfw - accessing DMZ from LAN , pipes
Message-ID: <CAOjFWZ7_FiuFEMk1O70gQhn6UxNYB4pu30LzwyBbeCdLsNN25w@mail.gmail.com>
In-Reply-To: <4ED40CF7.2040005@wp.pl>
References: <4E412116.1070305@wp.pl> <CAOjFWZ4B3uUfOLAzL=B1WY98rqi6X32j7FM61VjJ3td76NkADg@mail.gmail.com> <4E422A74.3090601@wp.pl> <CAOjFWZ5CK62nQMA8JsfW1b4BQh3hAJbAAynortzaUBqSWBwdSQ@mail.gmail.com> <4E7B450F.5050802@wp.pl> <CAOjFWZ6wf9NnVeffUV4uA6h1t-1T8juxXycZbM7%2BGgpFC-HkUg@mail.gmail.com> <4E84B447.7010509@wp.pl> <CAOjFWZ4XOU2dT3%2BL6AJeUNO7QcC=0ymLXN3GMkzCuoB3a1Qyew@mail.gmail.com> <4E84DE26.6030103@misal.pl> <4E85D8CB.6010104@wp.pl> <CAOjFWZ6xZ5bDcm6aAVvwz47rmYLEqSyKO5Bzg3aQPHS-o98w_w@mail.gmail.com> <4E876705.3040806@wp.pl> <CAOjFWZ7LV3z=22mPLXw-T0W6dJCfVVZ9Q%2Bd%2BKxg1VFdM51eLww@mail.gmail.com> <4ED40CF7.2040005@wp.pl>
Apologies if the formatting below gets messed up, writing this on my phone.

On Nov 28, 2011 2:36 PM, "Marek Salwerowicz" <marek_sal@wp.pl> wrote:

> I am confused about one thing - I wanted to set up pipes for my DMZ hosts (not to allow my hosts to consume all the bandwidth).
> When I set up the pipes at the beginning of my firewall (before configuring the NAT) - the whole traffic is blocked.
> When I set up the pipes at the end of the firewall - they don't work (even 'ipfw show' shows no packets coming through 'pipe' rules).
>
> Where should the pipe rules be placed?

This is something I've never really received a satisfactory answer to.

I believe you have to put your pipe/queue rules in place of your final allow rules. IOW, the pipe/queue rules are the final rule that a packet touches in the ruleset.

For example, for outgoing HTTP traffic, you would allow the packet coming in on the internal interface. Then you NAT the packet as it goes out the external interface. And, finally, you send the NAT'd packet to the pipe/queue, instead of allowing the NAT'd packet out the external interface.

However, I have not actually implemented pipes/queue on any of my NAT firewalls, just on my routing firewalls. I have plans to test that at some point this school year.

> Does it matter if I do first 'ipfw add pipe 1...' and then 'ipfw pipe 1 config...' ?

All of the examples in the man page, handbook, and online show the 'add pipe' rules first, then the 'pipe config' rules. But that seems backward to me. So I always do my 'pipe config' rules first. After all, how do you send a packet to a pipe that doesn't exist yet? :)

Freddie
fjwcash@gmail.com
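The ruleset layout discussed in this reply (pipe config before any `add pipe` rule; allow in on the inside interface, nat out on the external interface, pipe rule where the final allow would otherwise sit) as a dry-run script. This is an added example, not code from the thread or from the FreeBSD project; the interface names, networks, rule numbers and bandwidths are invented for illustration. It also sets `net.inet.ip.fw.one_pass=0`, which is a caveat from ipfw(8) rather than from this thread: with the default value a packet leaving the nat action or a pipe exits the ruleset, so a pipe rule placed after the nat rule would never see outbound traffic. By default the script only echoes the commands; run it with `IPFW=ipfw SYSCTL=sysctl` on a real router.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. All names below are
# assumptions for illustration. Default is dry-run (commands are echoed).
IPFW=${IPFW:-echo ipfw}
SYSCTL=${SYSCTL:-echo sysctl}

EXT_IF=em0            # Internet-facing interface (assumed)
INT_IF=em1            # LAN interface (assumed)
DMZ_IF=em2            # DMZ interface (assumed)
LAN_NET=192.168.1.0/24
DMZ_NET=10.0.0.0/24

ipfw_ruleset() {
    # ipfw(8): with one_pass=1 a packet leaving nat or a dummynet pipe exits
    # the ruleset; with 0 it re-enters at the next rule, so rules placed
    # after the nat rule (the pipes) still get to see the NAT'd packet.
    $SYSCTL net.inet.ip.fw.one_pass=0

    # 1. Define pipes and the NAT instance before any rule references them.
    $IPFW pipe 1 config bw 10Mbit/s      # DMZ -> Internet
    $IPFW pipe 2 config bw 10Mbit/s      # Internet -> DMZ
    $IPFW nat 1 config if "$EXT_IF"

    # 2. Accept traffic arriving on the inside interfaces.
    $IPFW add 100 allow ip from "$LAN_NET" to any in via "$INT_IF"
    $IPFW add 110 allow ip from "$DMZ_NET" to any in via "$DMZ_IF"

    # 3. Translate on the external interface, in both directions.
    $IPFW add 200 nat 1 ip from any to any via "$EXT_IF"
    #    After de-aliasing, inbound web traffic for the DMZ and replies to
    #    connections opened from inside may continue.
    $IPFW add 210 allow tcp from any to "$DMZ_NET" 80,443 in via "$EXT_IF"
    $IPFW add 220 allow tcp from any to any in via "$EXT_IF" established

    # 4. LAN -> DMZ stays unshaped.
    $IPFW add 300 allow ip from "$LAN_NET" to "$DMZ_NET" out via "$DMZ_IF"

    # 5. The pipe rules sit where an "allow ... out" would otherwise be,
    #    so the pipe is the last thing that touches DMZ traffic.
    $IPFW add 310 pipe 1 ip from "$DMZ_NET" to any out via "$EXT_IF"
    $IPFW add 320 pipe 2 ip from any to "$DMZ_NET" out via "$DMZ_IF"

    # 6. Because one_pass=0, packets re-enter after the pipe: let them out.
    $IPFW add 330 allow ip from any to any out via "$EXT_IF"
    $IPFW add 340 allow ip from any to any out via "$DMZ_IF"
    $IPFW add 65000 deny ip from any to any
}

# Sanity check on the generated ruleset: every "pipe N config" must come
# before the first "add ... pipe N" rule that sends packets to it.
pipes_configured_first() {
    ipfw_ruleset | awk '
        /pipe [0-9]+ config/ {
            for (i = 1; i <= NF; i++) if ($i == "pipe") cfg[$(i+1)] = NR
        }
        /add [0-9]+ pipe [0-9]+/ {
            for (i = 1; i <= NF; i++) if ($i == "pipe") {
                n = $(i+1)
                if (!(n in cfg) || cfg[n] > NR) bad = 1
            }
        }
        END { exit bad ? 1 : 0 }'
}

# Line number (in the echoed ruleset) of the first rule matching a pattern.
rule_line() {
    ipfw_ruleset | grep -n "$1" | head -n 1 | cut -d: -f1
}

ipfw_ruleset
pipes_configured_first && echo "ok: pipes configured before use"
```

Running it without `IPFW`/`SYSCTL` set prints the commands in order; `pipes_configured_first` reads that output back and fails if any `add ... pipe N` rule precedes its `pipe N config`, which is the ordering problem the reply warns about.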