Ipfw accept rule

Bikrant Neupane bikrant_ml at wlink.com.np
Thu Sep 23 23:21:16 PDT 2004


On Thursday 23 September 2004 22:29, Jon Simola wrote:
> On Thu, 23 Sep 2004, Bikrant Neupane wrote:
> > Here is my rule set:
> >
> > #skip depending on the pkt layer
> > 01000   322    14780 skipto 10000 ip from any to any layer2 in via xl0
> > 01100   200    93204 skipto 20000 ip from any to any not layer2
> >
> > #rule num 10000 to 20000 allocated for layer2 filtering
> > #for mac filter: allow only listed mac to send traffic
> > 10000    39     1780 allow ip from any to any MAC any 00:00:0e:84:00:83 in via xl0
> > #default deny all mac coming in from xl0
> > 19997   284    13046 deny ip from any to any MAC any any in via xl0
>
> If this is layer2 filtering, where are the layer2 tags in the ipfw rule?
> And if this is the extent of your layer 2, then don't forget an allow/deny
> default for layer2 packets (allow ip from any to any layer2). Also, you're
> only checking your layer2 on a specific interface, perhaps you only have
> one.
>
> I've got something like:
> 00010 skipto 32000 ip from any to any not layer2
> 00050 deny ip from any to any MAC any 00:30:da:00:00:00/24 layer2 in
> 00055 count ip from any to any MAC any 00:0b:db:1d:63:56 layer2 in // sniffing for traffic
> 03100 allow ip from any to any layer2
> // bandwidth monitoring pipes
> 32003 pipe 3 ip from any to any src-ip 10.10.66.0/24 in recv em1
> 32004 pipe 4 ip from any to any dst-ip 10.10.66.0/24 out xmit em1
> 65534 allow ip from any to any
> 65535 deny ip from any to any
>
Well, I have no problem with the MAC filtering rules.
The only problem that I am having is that the pkts hit the matching rule twice; as
a result I get only half of the b/w specified in the ipfw pipe command.


35004   324   485880 pipe 202 ip from any to 202.79.45.254 out via xl0
35005   302    12080 pipe 203 ip from 202.79.45.254 to any out via em0

Isn't there a way to construct rules such that matching pkts hit the rule only 
once?

regards,
Bikrant

>
> ---
> Jon Simola <jon at abccom.bc.ca> | "In the near future - corporate networks
>     Systems Administrator     |  reach out to the stars, electrons and
> light ABC  Communications      |  flow throughout the universe." -- GITS
>
> _______________________________________________
> freebsd-isp at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> To unsubscribe, send any mail to "freebsd-isp-unsubscribe at freebsd.org"
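An added illustration, not part of the thread: a short Python model of how ipfw walks a rule set, assuming (the thread does not confirm this) that the double hit comes from each frame being evaluated once at layer 2 and once at layer 3 when net.link.ether.ipfw=1. The rule set is a constructed abridgement of the one quoted above, and the "fix" is the default layer2 rule Jon suggested, placed ahead of the pipe rules.

```python
# Added example, not from the thread: a toy model of ipfw's rule walk showing why
# a pipe rule with no layer2 qualifier fires once for the IP packet and once for
# the Ethernet frame when net.link.ether.ipfw=1 (an assumed cause, not confirmed).
from dataclasses import dataclass
@dataclass
class Rule:
    num: int
    action: str                      # "skipto", "allow", "deny" or "pipe"
    target: int = 0                  # skipto destination or pipe number
    layer2: "bool | None" = None     # None: rule carries no layer2 qualifier
    direction: "str | None" = None   # "in", "out" or None
    iface: "str | None" = None       # "via" interface or None

    def matches(self, layer2, direction, iface):
        return ((self.layer2 is None or self.layer2 == layer2)
                and (self.direction is None or self.direction == direction)
                and (self.iface is None or self.iface == iface))

def walk(rules, layer2, direction, iface):
    """Rule numbers matched by one pass through the set, up to a terminal action."""
    rules = sorted(rules, key=lambda r: r.num)
    hits, i = [], 0
    while i < len(rules):
        r = rules[i]
        if r.matches(layer2, direction, iface):
            hits.append(r.num)
            if r.action != "skipto":  # allow, deny and pipe (one_pass=1) stop here
                break
            i = next((j for j, x in enumerate(rules) if x.num >= r.target), len(rules))
        else:
            i += 1
    return hits

def pipe_hits(rules, direction, iface):
    """Pipe matches for one packet ipfw sees both as a frame and as an IP packet."""
    pipes = {r.num for r in rules if r.action == "pipe"}
    return sum(n in pipes for l2 in (True, False)
               for n in walk(rules, l2, direction, iface))

# Constructed abridgement of the thread's rule set (MAC filter collapsed to allow).
ORIGINAL = [
    Rule(1000, "skipto", 10000, layer2=True, direction="in", iface="xl0"),
    Rule(1100, "skipto", 20000, layer2=False),
    Rule(10000, "allow", layer2=True, direction="in", iface="xl0"),
    Rule(19997, "deny", layer2=True, direction="in", iface="xl0"),
    Rule(35004, "pipe", 202, direction="out", iface="xl0"),
    Rule(65535, "deny"),
]
# Same set plus the layer2 default Jon suggested, placed ahead of the pipe rules.
FIXED = ORIGINAL[:2] + [Rule(1200, "allow", layer2=True)] + ORIGINAL[2:]
```

With ORIGINAL an outbound packet on xl0 reaches rule 35004 on both passes, so the pipe sees it twice; with FIXED the layer-2 pass is accepted at rule 1200 and the pipe counts it once.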
