Queue and rules

Willie Viljoen will at unfoldings.net
Sun Dec 14 05:50:06 PST 2003


Sorry, that should have been:

sysctl net.inet.ip.fw.one_pass=0

Also, to make it stick after a reboot:

echo net.inet.ip.fw.one_pass=0 >> /etc/sysctl.conf

Will
----- Original Message -----
From: "Willie Viljoen" <will at unfoldings.net>
To: <cole at acenet.co.za>; <freebsd-ipfw at freebsd.org>
Sent: Sunday, December 14, 2003 3:47 PM
Subject: Re: Queue and rules


> sysctl net.inet.ip.fw.one_pass=1
>
> :-)
>
> ----- Original Message -----
> From: "Cole" <cole at acenet.co.za>
> To: <freebsd-ipfw at freebsd.org>
> Sent: Sunday, December 14, 2003 3:52 PM
> Subject: Queue and rules
>
>
> > Hi
> >
> > I have set up the following queues and pipes.
> >
> > #pipes
> > $fwcmd pipe 1 config bw 3kbyte/s queue 0.5kbyte
> > $fwcmd pipe 2 config bw 128kbits/s queue 5Kbyte #outgoing
> > $fwcmd pipe 3 config bw 128kbits/s queue 5Kbyte #incoming
> > $fwcmd pipe 4 config bw 64kbits/s queue 5Kbyte #outgoing
> > $fwcmd pipe 5 config bw 64kbits/s queue 5Kbyte #incoming
> >
> > #queues
> > $fwcmd queue 1 config pipe 2 weight 100 queue 10  #outgoing
> > $fwcmd queue 2 config pipe 2 weight 50 queue 10   #outgoing
> > $fwcmd queue 3 config pipe 3 weight 100 queue 10  #incoming
> > $fwcmd queue 4 config pipe 3 weight 50 queue 10   #incoming
> >
> > I have also added the following 2 rules using the queues 1 and 3.
> >
> > 00202 queue 1 tcp from me to 196.34.*.* out via tun0
> > 00203 queue 3 tcp from 196.34.*.* to me in via tun0
> >
> > I put the *'s in just for privacy's sake, I have the full IP entered in
> > the rules.
> >
> > Now I wanted to block certain ports like ssh to or from that IP. I added
> > the rule below rules 202 and 203, and no matter if I specify deny all, or
> > deny tcp and the port, I can still get to those ports. I.e. if I add
> > "ipfw add 205 deny tcp from me to 196.34.*.* 22" it will still allow me
> > to connect.
> >
> > I was wondering if it's because of the queue rules matching first and not
> > bothering to check the rest. If this is the problem, how do I do bandwidth
> > shaping and then still use blocking/deny rules below those queue rules?
> > Or if there is another problem that I'm not seeing or missing, or a
> > solution that you know might work, please let me know.
> > I'm not subscribed to the mailing list so please reply to
> > cole at acenet.co.za.
> >
> > Thanx
> > /Cole
> >
> >
> > _______________________________________________
> > freebsd-ipfw at freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe at freebsd.org"
> >
> >
>
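
Added example, not part of the original thread: a small sh/awk check that reads rules in `ipfw list` format and reports deny rules sitting behind a queue or pipe rule for the same protocol and addresses, which is the situation in the question when net.inet.ip.fw.one_pass is 1. The function name shadowed_denies, the address 192.0.2.10 and both sample rulesets are constructed for illustration.

```sh
#!/bin/sh
# Added example. Reads rules in `ipfw list` format on stdin and prints the
# numbers of deny/reset rules that sit behind a queue or pipe rule for the
# same protocol, source and destination. With one_pass=1 a packet leaving
# dummynet is not passed through the firewall again, so such a rule never
# sees it; with one_pass=0 the packet continues at the next rule.
# Heuristic: compares proto/src/dst literally, ignores direction and ports.
shadowed_denies() {   # $1 = value of net.inet.ip.fw.one_pass (0 or 1)
    awk -v one_pass="$1" '
    function covers(a, b) {   # does queue-rule field a cover deny-rule field b?
        return a == b || a == "any" || a == "all" || a == "ip"
    }
    $2 == "queue" || $2 == "pipe" {          # NNNNN queue N proto from S to D
        n++; proto[n] = $4; src[n] = $6; dst[n] = $8
        next
    }
    ($2 == "deny" || $2 == "reset") && one_pass == 1 {   # NNNNN deny proto from S to D
        for (i = 1; i <= n; i++)
            if (covers(proto[i], $3) && covers(src[i], $5) && covers(dst[i], $7)) {
                print $1
                next
            }
    }'
}

# Constructed rulesets; 192.0.2.10 is a documentation address standing in
# for the masked peer in the thread.
RULES_AS_POSTED='00202 queue 1 tcp from me to 192.0.2.10 out via tun0
00203 queue 3 tcp from 192.0.2.10 to me in via tun0
00205 deny tcp from me to 192.0.2.10 dst-port 22'

# Alternative layout (constructed): the deny is numbered ahead of the queue rules.
RULES_DENY_FIRST='00201 deny tcp from me to 192.0.2.10 dst-port 22
00202 queue 1 tcp from me to 192.0.2.10 out via tun0
00203 queue 3 tcp from 192.0.2.10 to me in via tun0'

for pass in 1 0; do
    echo "one_pass=$pass, as posted: $(printf '%s\n' "$RULES_AS_POSTED" | shadowed_denies "$pass")"
done
echo "one_pass=1, deny first: $(printf '%s\n' "$RULES_DENY_FIRST" | shadowed_denies 1)"
```

On a FreeBSD host the input would come from `ipfw list` and the first argument from `sysctl -n net.inet.ip.fw.one_pass`.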


