ipfw & skipto.... confused a bit...

Ian FREISLICH if at hetzner.co.za
Fri Aug 13 00:39:51 PDT 2004


"Chris Knipe" wrote:
> > >  #######################################################################
> > >  #### Transparent Services                                           ###
> > >  #######################################################################
> > >  ${fwcmd} add 16000 allow tcp from ${LANIP} to any 25 out via tun1 skipto 16010
> >
> > I thought that you had to use skipto as the action, not the rule body:
> >
> > ${fwcmd} add 16000 skipto 16010 tcp from ${LANIP} to any 25 out via tun1
> 
> Yes.  That is correct.  However, that will only skip if the rule matches vs.
> a simple allow statement.  How do you match a skipto if you are not allowing
> traffic, but queueing / denying / forwarding it??

I think you're thinking about the skipto rule in the wrong way.
It's more of a conditional branch.

Here's how I use the skipto with dummynet and NAT:
(net.inet.ip.fw.one_pass=0)

# Outgoing queues
pipe 1 config bw 256Kbits/s queue 10
queue 11 config pipe 1 weight 9 queue 10
queue 12 config pipe 1 weight 1 queue 10
queue 13 config pipe 1 weight 2 queue 10
queue 14 config pipe 1 weight 3 queue 10
queue 15 config pipe 1 weight 1 queue 10

# Incoming queues
pipe 2 config bw 256Kbits/s queue 10
queue 21 config pipe 2 weight 9 queue 10
queue 22 config pipe 2 weight 1 queue 10
queue 23 config pipe 2 weight 2 queue 10
queue 24 config pipe 2 weight 3 queue 10
queue 25 config pipe 2 weight 1 queue 10

00600 skipto 700 ip from any to $DMZ out via rl1
00610 queue 11 tcp from any to $OUR_HOSTS dst-port 80,443 out via rl1
00610 skipto 700 tcp from any to $OUR_HOSTS dst-port 80,443 out via rl1
00620 queue 12 { tcp or udp } from any to any dst-port 53 out via rl1
00620 skipto 700 { tcp or udp } from any to any dst-port 53 out via rl1
00630 queue 13 { tcp or udp } from any to any dst-port 143 out via rl1
00630 skipto 700 { tcp or udp } from any to any dst-port 143 out via rl1
00640 queue 14 tcp from any to any dst-port 22 out via rl1
00640 skipto 700 tcp from any to any dst-port 22 out via rl1
00650 queue 15 ip from any to any out via rl1

00700 divert 8668 ip from any to any via rl1
00705 skipto 800 ip from $DMZ to any in via rl1

00710 queue 21 tcp from $OUR_HOSTS 80,443 to any in via rl1
00710 skipto 800 tcp from $OUR_HOSTS 80,443 to any in via rl1
00720 queue 22 { tcp or udp } from any 53 to any in via rl1
00720 skipto 800 { tcp or udp } from any 53 to any in via rl1
00730 queue 23 { tcp or udp } from any 143 to any in via rl1
00730 skipto 800 { tcp or udp } from any 143 to any in via rl1
00740 queue 24 tcp from any 22 to any in via rl1
00740 skipto 800 tcp from any 22 to any in via rl1
00750 queue 25 ip from any to any in via rl1
00850 allow tcp from me to 196.7.162.29 dst-port 9000

Ian

--
Ian Freislich
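The branch semantics described above, as an added Python model of the ruleset in the post. This is a constructed example, not FreeBSD's ipfw(8) and not code from the thread: it models only what the ruleset relies on (allow/deny terminate, skipto jumps to the first rule numbered at or above its target, and with one_pass=0 a matching queue or divert rule records its action and processing continues at the next rule). The host addresses standing in for $DMZ, $OUR_HOSTS and "me" are placeholders.

```python
"""Toy model of ipfw's skipto as a conditional branch (constructed example,
not FreeBSD ipfw).  It exists to show why each 'queue' rule in the post is
paired with a 'skipto' carrying the same match body: with
net.inet.ip.fw.one_pass=0 the packet continues after being queued, so the
skipto is what keeps it out of the remaining queue rules."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed placeholder address sets standing in for $DMZ, $OUR_HOSTS and "me".
DMZ = {"192.0.2.20"}
OUR_HOSTS = {"192.0.2.10"}
ME = {"192.0.2.1"}


@dataclass
class Packet:
    proto: str        # "tcp", "udp", ...
    src: str
    dst: str
    sport: int
    dport: int
    direction: str    # "in" or "out"
    iface: str


@dataclass
class Rule:
    num: int
    action: str       # allow | deny | queue | divert | skipto
    arg: Optional[int]  # queue number, divert port or skipto target
    match: Callable[[Packet], bool]


def m(proto=None, src=None, dst=None, sport=None, dport=None, direction=None, iface=None):
    """Build a match predicate; a None field means 'any', like an ipfw wildcard."""
    def pred(p: Packet) -> bool:
        return ((proto is None or p.proto in proto)
                and (src is None or p.src in src)
                and (dst is None or p.dst in dst)
                and (sport is None or p.sport in sport)
                and (dport is None or p.dport in dport)
                and (direction is None or p.direction == direction)
                and (iface is None or p.iface == iface))
    return pred


def queue_then_skip(num, queue_no, target, match):
    """The pattern from the post: 'NNN queue Q ...' followed by 'NNN skipto T ...'
    with identical match bodies."""
    return [Rule(num, "queue", queue_no, match), Rule(num, "skipto", target, match)]


OUT, IN = dict(direction="out", iface="rl1"), dict(direction="in", iface="rl1")
TU = {"tcp", "udp"}
RULES = [
    Rule(600, "skipto", 700, m(dst=DMZ, **OUT)),
    *queue_then_skip(610, 11, 700, m(proto={"tcp"}, dst=OUR_HOSTS, dport={80, 443}, **OUT)),
    *queue_then_skip(620, 12, 700, m(proto=TU, dport={53}, **OUT)),
    *queue_then_skip(630, 13, 700, m(proto=TU, dport={143}, **OUT)),
    *queue_then_skip(640, 14, 700, m(proto={"tcp"}, dport={22}, **OUT)),
    Rule(650, "queue", 15, m(**OUT)),
    Rule(700, "divert", 8668, m(iface="rl1")),           # NAT, both directions
    Rule(705, "skipto", 800, m(src=DMZ, **IN)),
    *queue_then_skip(710, 21, 800, m(proto={"tcp"}, src=OUR_HOSTS, sport={80, 443}, **IN)),
    *queue_then_skip(720, 22, 800, m(proto=TU, sport={53}, **IN)),
    *queue_then_skip(730, 23, 800, m(proto=TU, sport={143}, **IN)),
    *queue_then_skip(740, 24, 800, m(proto={"tcp"}, sport={22}, **IN)),
    Rule(750, "queue", 25, m(**IN)),
    Rule(850, "allow", None, m(proto={"tcp"}, src=ME, dst={"196.7.162.29"}, dport={9000})),
]


def evaluate(pkt: Packet, rules=RULES, one_pass=False) -> Tuple[str, List[str]]:
    """Walk the ruleset in order and return (verdict, trace of actions taken).

    allow/deny terminate.  skipto resumes at the first rule numbered >= target
    (none left means the default rule).  queue/divert record their action and
    then either accept the packet (one_pass=1) or continue with the next rule
    (one_pass=0, which the post assumes)."""
    trace: List[str] = []
    i = 0
    while i < len(rules):
        r = rules[i]
        if not r.match(pkt):
            i += 1
            continue
        if r.action in ("allow", "deny"):
            trace.append(f"{r.num} {r.action}")
            return r.action, trace
        if r.action == "skipto":
            trace.append(f"{r.num} skipto {r.arg}")
            i = next((j for j, x in enumerate(rules) if x.num >= r.arg), len(rules))
            continue
        trace.append(f"{r.num} {r.action} {r.arg}")    # queue or divert: side effect only
        if one_pass:
            return "accept", trace
        i += 1
    return "default", trace


def without_skipto(rules=RULES):
    """Same ruleset minus the skipto halves, to show the fall-through problem."""
    return [r for r in rules if r.action != "skipto"]


if __name__ == "__main__":
    web_out = Packet("tcp", "198.51.100.7", "192.0.2.10", 40000, 443, "out", "rl1")
    print(evaluate(web_out))                    # queue 11, branch to 700, divert
    print(evaluate(web_out, without_skipto()))  # queued twice: queue 11 AND queue 15
    print(evaluate(web_out, one_pass=True))     # accepted at queue 11, NAT never runs
```

Running the three cases in the `__main__` block side by side shows the point of the pairing: with the skipto the web packet is queued once and then reaches the divert rule; drop the skipto and the same packet also lands in the catch-all queue 15; set one_pass=1 and the queue action ends processing before the divert rule is ever reached.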

