Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 28 Nov 2011 14:49:10 -0800
From:      Freddie Cash <fjwcash@gmail.com>
To:        Marek Salwerowicz <marek_sal@wp.pl>
Cc:        freebsd-net@freebsd.org
Subject:   Re: ipfw - accessing DMZ from LAN , pipes
Message-ID:  <CAOjFWZ7_FiuFEMk1O70gQhn6UxNYB4pu30LzwyBbeCdLsNN25w@mail.gmail.com>
In-Reply-To: <4ED40CF7.2040005@wp.pl>
References:  <4E412116.1070305@wp.pl> <CAOjFWZ4B3uUfOLAzL=B1WY98rqi6X32j7FM61VjJ3td76NkADg@mail.gmail.com> <4E422A74.3090601@wp.pl> <CAOjFWZ5CK62nQMA8JsfW1b4BQh3hAJbAAynortzaUBqSWBwdSQ@mail.gmail.com> <4E7B450F.5050802@wp.pl> <CAOjFWZ6wf9NnVeffUV4uA6h1t-1T8juxXycZbM7%2BGgpFC-HkUg@mail.gmail.com> <4E84B447.7010509@wp.pl> <CAOjFWZ4XOU2dT3%2BL6AJeUNO7QcC=0ymLXN3GMkzCuoB3a1Qyew@mail.gmail.com> <4E84DE26.6030103@misal.pl> <4E85D8CB.6010104@wp.pl> <CAOjFWZ6xZ5bDcm6aAVvwz47rmYLEqSyKO5Bzg3aQPHS-o98w_w@mail.gmail.com> <4E876705.3040806@wp.pl> <CAOjFWZ7LV3z=22mPLXw-T0W6dJCfVVZ9Q%2Bd%2BKxg1VFdM51eLww@mail.gmail.com> <4ED40CF7.2040005@wp.pl>

next in thread | previous in thread | raw e-mail | index | archive | help
Apologies if the formatting below gets messed up, writing this on my phone.

On Nov 28, 2011 2:36 PM, "Marek Salwerowicz" <marek_sal@wp.pl> wrote:
> I am confused about one thing - I wanted to set up pipes for my DMZ hosts
(not to allow my hosts to consume all the bandwidth).
> When I set up the pipes at the beginning of my firewall (before
configuring the NAT) - the  whole traffic is blocked.
> When I set up the pipes ad the end of firewall - they don't work (even
'ipfw show' shows no packets coming through 'pipe' rules).
>
> Where should be the pipe rules placed?

This is something I've never really received a satisfactory answer to. I
believe you have to put your pipe/queue rules in place of your final allow
rules. IOW, the pipe/queue rules are the final rule that a packet touches
in the ruleset.

For example, for outgoing HTTP traffic, you would allow the packet coming
in on the internal interface. Then you NAT the packet as it goes out the
external interface. And, finally, you send the NAT'd packet to the
pipe/queue, instead of allowing the NAT'd packet out the external interface.

However, I have not actually implemented pipes/queue on any of my NAT
firewalls, just on my routing firewalls. I have plans to test that at some
point this school year.

> Does it matter if I do first 'ipfw add pipe 1...' and then 'ipfw pipe 1
config...' ?

All of the examples in the man page,  handbook, and online show the 'add
pipe' rules first, then the 'pipe config' rules. But that seems backward to
me. So I always do my 'pipe config' rules first. Afterlife, how do you send
a packet to a pipe that doesn't exist yet? :)

Freddie
fjwcash@gmail.com



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAOjFWZ7_FiuFEMk1O70gQhn6UxNYB4pu30LzwyBbeCdLsNN25w>