IPFW Rule Not As Expected -- SOLVED (keep-state dummynet traffic shaping pipe queue)

Drew Tomlinson drew at mykitchentable.net
Thu Apr 10 17:31:45 PDT 2003


----- Original Message -----
From: "Drew Tomlinson" <drew at mykitchentable.net>
To: "FreeBSD Questions" <freebsd-questions at freebsd.org>
Sent: Thursday, April 10, 2003 4:19 AM
Subject: IPFW Rule Not As Expected


> I have a rule that's not working as I expect.  Here's an ASCII drawing of
> my network:
>
>
>                   ISP
>                    |
>                    | Public DHCP address
>                    |
>            3Com ADSL Modem/Router
>            (Router performs NAT)
>                    | (192.168.10.1)
>                    |
>                    |
>                    | (ed1 192.168.10.2)
>               FBSD Gateway
>                    | (ed0 192.168.1.2)
>                    |
>                    |
>               Internal LAN
>
> I intend to allow all outgoing traffic on ed1 (192.168.10.2) and create a
> dynamic rule to allow the return traffic with the following rule:
>
> ipfw add allow ip from 192.168.10.2 to any keep-state
>
> However the dynamic rule for the return traffic isn't getting created.  It
> is my suspicion that my outgoing traffic is matching a prior rule but I
> just don't see it.  I've included the output of 'ipfw list' to show all of my
> rules.
>
> Can anyone point out my error?

It seems that by default, once traffic is inserted into a 'pipe', it is not
injected back into the firewall.  However this is controlled by the sysctl
value 'net.inet.ip.fw.one_pass' which is '1' by default.  By setting this
value to '0', the rule set is resumed from the point it was placed in the
pipe.  Thus my traffic was going out via an 'add queue' rule and therefore
never creating a dynamic rule via a 'keep-state' rule further down the list.
Now my traffic hits the 'keep-state' rule and all is well.

I have come to this conclusion on my own via reading and testing.  If anyone
sees an error in my conclusion, please feel free to set me straight.  In
fact, I'd appreciate it!  :)

Thanks,

Drew
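
The mechanism Drew describes, as an added example that is not part of the original post or of FreeBSD's ipfw code: a small Python model of ipfw's rule walk in which a dummynet queue rule sits ahead of a keep-state rule. With one_pass=1 the search ends at the queue rule, so the keep-state rule never runs and the reply packet falls through to the final deny; with one_pass=0 the walk resumes after the queue rule, the dynamic entry is created and the reply is admitted. The rule numbers, the remote host 203.0.113.5 and the ruleset itself are constructed assumptions (only 192.168.10.2 comes from the diagram), and dummynet's delay is ignored.

```python
"""Toy model of ipfw's rule walk around a dummynet queue rule and the
net.inet.ip.fw.one_pass sysctl.  Added example; the ruleset and addresses
below are constructed, not the poster's actual configuration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    number: int
    action: str            # "allow", "deny", "queue" or "check-state"
    src: str = "any"       # "any", a host address or a CIDR block
    dst: str = "any"
    keep_state: bool = False


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def _addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


class Firewall:
    def __init__(self, rules, one_pass: int = 1):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.one_pass = one_pass
        self.dynamic = set()   # (src, sport, dst, dport) entries, both directions

    def _dynamic_hit(self, p: Packet) -> bool:
        return (p.src, p.sport, p.dst, p.dport) in self.dynamic

    def process(self, p: Packet):
        """Return (verdict, [rule numbers visited]) for one packet."""
        trace = []
        for rule in self.rules:
            trace.append(rule.number)
            # check-state and keep-state rules consult the dynamic table first
            if rule.action == "check-state" or rule.keep_state:
                if self._dynamic_hit(p):
                    return "allow", trace
            if rule.action == "check-state":
                continue
            if not (_addr_matches(rule.src, p.src) and _addr_matches(rule.dst, p.dst)):
                continue
            if rule.action == "queue":
                # Packet is handed to dummynet.  With one_pass=1 the search ends
                # here and the shaped packet is accepted on reinjection; with
                # one_pass=0 the walk resumes at the next rule (delay ignored).
                if self.one_pass:
                    return "queued", trace
                continue
            if rule.action == "allow":
                if rule.keep_state:
                    self.dynamic.add((p.src, p.sport, p.dst, p.dport))
                    self.dynamic.add((p.dst, p.dport, p.src, p.sport))  # reply direction
                return "allow", trace
            return "deny", trace       # "deny" action
        return "deny", trace           # implicit default deny


# Constructed ruleset mirroring the post: shaping queue ahead of the keep-state rule.
RULES = [
    Rule(100, "check-state"),
    Rule(200, "queue", src="192.168.10.2"),                   # outbound shaping
    Rule(300, "allow", src="192.168.10.2", keep_state=True),  # should create state
    Rule(65535, "deny"),
]


def run_scenario(one_pass: int) -> dict:
    """Send one outbound packet from ed1 and its reply through the ruleset."""
    fw = Firewall(RULES, one_pass=one_pass)
    outbound = Packet("192.168.10.2", "203.0.113.5", 40000, 80)   # remote host constructed
    reply = Packet("203.0.113.5", "192.168.10.2", 80, 40000)
    out_verdict, out_trace = fw.process(outbound)
    reply_verdict, reply_trace = fw.process(reply)
    return {
        "out": out_verdict, "out_trace": out_trace,
        "state_created": bool(fw.dynamic),
        "reply": reply_verdict, "reply_trace": reply_trace,
    }


if __name__ == "__main__":
    for setting in (1, 0):
        print(f"one_pass={setting}:", run_scenario(setting))
```

On a real FreeBSD box the equivalent switch is `sysctl net.inet.ip.fw.one_pass=0`; the alternative that works with the default of 1 is to place the keep-state allow rule before the queue rule, or to put keep-state on the queue rule itself, so the dynamic entry exists before the packet leaves the rule walk.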