IPFW Dummynet Bridge Limiting
vladone
vladone at spaingsm.com
Fri Jul 14 09:23:10 UTC 2006
Hello vladone,
Friday, July 14, 2006, 12:21:09 PM, you wrote:
> Hello Adam,
> Thursday, July 13, 2006, 2:37:19 AM, you wrote:
>> Vladone,
>> Thanks much for the response. I looked into what you were
>> telling me and here are the results:
>> 1) This wasn't a typo. Apparently, after looking into it, I've seen both
>> options used on different websites and setups. Either way though, I
>> checked these both with sysctl and they are both set to 1.
>> 2) I missed that part of the man page and thanks for clarifying. This is
>> where I get confused. Am I using DIVERT to get packets to the proper
>> pipe? If so, then how can I get it to work properly with many many many
>> rules (one for each customer IP)? If not, then does this option really
>> matter?
>> 3) This part I did read and I'm still slightly confused. Once placed
>> into the proper pipe, I don't want it to continue down the line of rules
>> to search for another match. I like it where it is because it matched
>> the IP and should be limited, correct?
>> Also, I have tried my setup with the one_pass variable on and off.
>> Neither way worked for me anyways.
>> Upon further investigation, I noticed when I set up my laptop with the
>> 216.19.50.37 address and add the rule to match "all" to the pipe, I lose
>> all connectivity. I am unable to ping or pull web pages. Somehow, I
>> originally thought the problem was that there was no limiting going on.
>> This must be because I had a ping running in the background and had the
>> rule set up to limit ip. Now I think what is happening is the packets
>> are getting dropped or not arriving at the destination like they're
>> supposed to.
>> Thanks again.
>> Adam
>> -----Original Message-----
>> From: owner-freebsd-ipfw at freebsd.org
>> [mailto:owner-freebsd-ipfw at freebsd.org] On Behalf Of vladone
>> Sent: Wednesday, July 12, 2006 3:48 PM
>> To: ipfw at freebsd.org
>> Subject: Re: IPFW Dummynet Bridge Limiting
>> Hello Adam,
>> I don't use bridge, but some things that can help you:
>> 1. use the correct sysctl variable form: net.link.ether.bridge.ipfw
>> instead of net.link.ether.bridge_ipfw (probably a typo)
>> 2. read the end of the man page about bridge, and the
>> net.inet.ip.fw.one_pass variable.
>> "Also remember that bridged packets are accepted after the first pass
>> through the firewall irrespective of the setting of the sysctl variable
>> net.inet.ip.fw.one_pass, and that some ipfw(8) actions such as divert do
>> not apply to bridged packets. It might be useful to have a rule of the
>> form
>> skipto 20000 ip from any to any bridged
>> "
>> 3. Luigi Rizzo says in his
>> documentation: "there is always one pass for bridged packets"
> First: if you want to apply a queue or pipe for many IPs, you can use the mask option
> in pipe or queue. You can get examples about that in the dummynet
> documentation.
> For bridge, try to use the "bridge" option in ipfw rules, to match packets
> that are bridged.
> If you want to pass packets across multiple pipes or queues, then you need
> to set net.inet.ip.fw.one_pass=0
> For clients that have public IPs, natd has an option to not
> translate these addresses.
> Recommendation:
> Begin with very simple rules, without any pipe or queue, only the count
> option, and see what is happening. Then grow complexity; in this mode
> you can find where you went wrong.
Sorry for my mistake, the option for ipfw is named "bridged".
--
Best regards,
vladone mailto:vladone at spaingsm.com
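The setup the thread converges on, written out as an added example (not from vladone or Adam): one pipe per direction with a `mask` so dummynet keeps a separate flow per customer address, `bridged` rules, and count-only rules first as recommended. The customer block 216.19.50.0/24 and the 512 Kbit/s rate are assumptions; by default the script only echoes the commands so it can be reviewed without root.

```shell
#!/bin/sh
# Added example: per-customer dummynet limiting on an ipfw bridge.
# IPFW and SYSCTL default to "echo ..." (dry run); set IPFW=/sbin/ipfw
# and SYSCTL=/sbin/sysctl to actually apply the ruleset.
IPFW="${IPFW:-echo ipfw}"
SYSCTL="${SYSCTL:-echo sysctl}"
CUSTOMER_NET="216.19.50.0/24"   # assumed customer block (the laptop IP in the thread is in it)
RATE_KBIT=512                   # assumed per-customer rate

# Run (or echo) one ipfw command; the text is what the tests check.
rule() {
    $IPFW "$@"
}

# Bridged packets must be handed to ipfw at all (note the dotted name
# net.link.ether.bridge.ipfw, not bridge_ipfw).
enable_bridge_filtering() {
    $SYSCTL net.link.ether.bridge.ipfw=1
}

# One pipe per direction. "mask" makes dummynet create a separate flow,
# and therefore a separate bandwidth limit, for every distinct customer
# address, so one rule covers the whole block instead of one rule per IP.
configure_pipes() {
    rule pipe 1 config bw "${RATE_KBIT}Kbit/s" mask dst-ip 0xffffffff   # towards customers
    rule pipe 2 config bw "${RATE_KBIT}Kbit/s" mask src-ip 0xffffffff   # from customers
}

# Count-only rules first: confirm with "ipfw show" that bridged traffic
# really matches before any pipe is attached.
count_rules() {
    rule add 100 count ip from any to "$CUSTOMER_NET" bridged
    rule add 110 count ip from "$CUSTOMER_NET" to any bridged
}

# Then attach the pipes. Bridged packets are accepted after their first
# pass regardless of net.inet.ip.fw.one_pass, so nothing after these
# rules will see them.
pipe_rules() {
    rule add 200 pipe 1 ip from any to "$CUSTOMER_NET" bridged
    rule add 210 pipe 2 ip from "$CUSTOMER_NET" to any bridged
}

main() {
    enable_bridge_filtering
    configure_pipes
    count_rules
    pipe_rules
}

main
```

Run it once as-is to read the generated commands, then again with `IPFW=/sbin/ipfw SYSCTL=/sbin/sysctl` as root to apply them.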