Ipfw accept rule
Alex de Kruijff
freebsd at akruijff.dds.nl
Thu Sep 23 18:45:26 PDT 2004
On Thu, Sep 23, 2004 at 09:10:49AM -0600, Nathan Kinkade wrote:
> On Thu, Sep 23, 2004 at 01:36:57PM +0545, Bikrant Neupane wrote:
> > Thanks for the reply.
> > Well I am not looking for the count rule.
> > Actually I have some other situation. I am trying to implement b/w shaping
> > using ipfw. And i am trying to include mac address based filtering in it as
> > well. As long as I don't implement ipfw in ether (net.link.ether.ipfw=0/1)
> > pkts hit the rule only once and I get the b/w as specified in the IPFW pipe
> > syntax. However when I enable ipfw in ether all the pkts hits the matching
> > rule twice. and as a result I get half of the b/w to what has been specified
> > in ipfw pipe.
> > This is normal (as mentiontioned in ipfw man page) since pkt traversal is
> > doubled when IPFW is enabed in ether.
> Would the following sysctl variable help your problem?
> From the ipfw manpage:
> net.inet.ip.fw.one_pass: 1
> When set, the packet exiting from the dummynet(4) pipe is not passed
> though the firewall again. Otherwise, after a pipe action, the packet
> is reinjected into the firewall at the next rule.
No this only works for pipes and queues. Not for allow / deny.
There only solution I know of is to plave denies before the allows.
Articles based on solutions that I use:
More information about the freebsd-questions