Ipfw accept rule

Nathan Kinkade nkinkade at ub.edu.bz
Thu Sep 23 08:17:12 PDT 2004


On Thu, Sep 23, 2004 at 01:36:57PM +0545, Bikrant Neupane wrote:
> Thanks for the reply.
> Well I am not looking for the count rule.
> 
> Actually I have some other situation. I am trying to implement b/w shaping
> using ipfw. And I am trying to include MAC address based filtering in it as
> well. As long as I don't implement ipfw in ether (net.link.ether.ipfw=0/1)
> pkts hit the rule only once and I get the b/w as specified in the IPFW pipe
> syntax. However when I enable ipfw in ether all the pkts hit the matching
> rule twice, and as a result I get half of the b/w to what has been specified
> in ipfw pipe.
> This is normal (as mentioned in ipfw man page) since pkt traversal is
> doubled when IPFW is enabled in ether.
> 
<snip>

Would the following sysctl variable help your problem?

From the ipfw manpage:

net.inet.ip.fw.one_pass: 1
	When set, the packet exiting from the dummynet(4) pipe is not passed
	though the firewall again.  Otherwise, after a pipe action, the packet
	is reinjected into the firewall at the next rule.

Nathan
-- 
PGP Public Key: pgp.mit.edu:11371/pks/lookup?op=get&search=0xD8527E49
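As an added example (not from this thread), the script below shows how the two sysctls combine with a dummynet pipe and MAC matching so the client's packet is queued only once; the client MAC, LAN interface and bandwidth are placeholders, and the `layer2` rule option is ipfw2's.

```shell
#!/bin/sh
# Added example: ipfw bandwidth shaping with MAC-based matching on FreeBSD.
# Placeholders (not from the thread): client MAC, LAN interface, pipe bandwidth.
CLIENT_MAC="00:11:22:33:44:55"   # constructed placeholder MAC
LAN_IF="fxp0"                    # assumed LAN interface
PIPE_BW="256Kbit/s"              # assumed per-client bandwidth
IPFW="${IPFW:-ipfw}"             # IPFW=echo prints the rules instead of loading them

# 1. Let ipfw see packets at layer 2 (needed for MAC matching). Every packet
#    now traverses the rule set twice: once at layer 2, once at layer 3.
# 2. one_pass=1: a packet leaving the pipe is not re-injected into the firewall,
#    so it cannot hit the pipe rule a second time and get half of PIPE_BW.
set_sysctls() {
    sysctl net.link.ether.ipfw=1
    sysctl net.inet.ip.fw.one_pass=1
}

# With one_pass=1 the packet is accepted as soon as it exits the pipe, so any
# filtering rules that must still apply to this client belong before the pipe
# rules. The 'layer2' option makes the pipe rules match only on the layer-2
# pass, so the layer-3 pass never sees them even if one_pass is later reset.
load_rules() {
    $IPFW -f flush
    $IPFW pipe 1 config bw "$PIPE_BW"
    $IPFW pipe 2 config bw "$PIPE_BW"
    # MAC syntax is "MAC dst-mac src-mac": inbound from the client has it as
    # source, outbound to the client has it as destination.
    $IPFW add 200 pipe 1 ip from any to any MAC any "$CLIENT_MAC" layer2 in via "$LAN_IF"
    $IPFW add 210 pipe 2 ip from any to any MAC "$CLIENT_MAC" any layer2 out via "$LAN_IF"
    $IPFW add 65000 allow ip from any to any
}

# Dry run: return the rule set as text without touching the kernel.
rules_as_text() { ( IPFW=echo; load_rules ); }

# Apply only on a host where ipfw is actually present.
if [ "$IPFW" = ipfw ] && command -v ipfw >/dev/null 2>&1; then
    set_sysctls && load_rules
fi
```

Run with `IPFW=echo sh shape.sh` first to review the generated rules before loading them.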