Ipfw accept rule
Alex de Kruijff
freebsd at akruijff.dds.nl
Thu Sep 23 18:45:26 PDT 2004
On Thu, Sep 23, 2004 at 09:10:49AM -0600, Nathan Kinkade wrote:
> On Thu, Sep 23, 2004 at 01:36:57PM +0545, Bikrant Neupane wrote:
> > Thanks for the reply.
> > Well I am not looking for the count rule.
> >
> > Actually I have some other situation. I am trying to implement b/w shaping
> > using ipfw. And I am trying to include MAC address based filtering in it as
> > well. As long as I don't implement ipfw in ether (net.link.ether.ipfw=0/1)
> > pkts hit the rule only once and I get the b/w as specified in the IPFW pipe
> > syntax. However when I enable ipfw in ether all the pkts hit the matching
> > rule twice, and as a result I get half of the b/w to what has been specified
> > in ipfw pipe.
> > This is normal (as mentioned in ipfw man page) since pkt traversal is
> > doubled when IPFW is enabled in ether.
> >
> <snip>
>
> Would the following sysctl variable help your problem?
>
> From the ipfw manpage:
>
> net.inet.ip.fw.one_pass: 1
> When set, the packet exiting from the dummynet(4) pipe is not passed
> through the firewall again. Otherwise, after a pipe action, the packet
> is reinjected into the firewall at the next rule.
No, this only works for pipes and queues. Not for allow / deny.
The only solution I know of is to place denies before the allows.
--
Alex
Articles based on solutions that I use:
http://www.kruijff.org/alex/FreeBSD/
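
An added example, not part of the original thread: a shell function that writes a ruleset with the MAC deny placed ahead of the allows, as suggested above, and with the pipe rule limited to the layer-3 pass through ipfw(8)'s `layer2` match option, so a packet reaches the pipe once even when net.link.ether.ipfw=1. The interface name, bandwidth, MAC addresses, rule numbers and the name `gen_rules` are constructed for illustration.

```shell
#!/bin/sh
# Added example: print a ruleset file that can be loaded with
# `ipfw -q /path/to/file`. All sample values below are constructed.

# gen_rules IFACE BANDWIDTH MAC...
gen_rules() {
    iface=$1; bw=$2; shift 2
    # Rules 100..890 are reserved for the MAC list (80 entries at most).
    [ $# -ge 1 ] && [ $# -le 80 ] || { echo "need 1..80 MACs" >&2; return 1; }
    # Validate every MAC before emitting anything, so a malformed
    # argument can never end up as rule text in the generated file.
    for mac in "$@"; do
        printf '%s\n' "$mac" |
            grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$' ||
            { echo "bad MAC: $mac" >&2; return 1; }
    done

    echo "pipe 1 config bw $bw"
    # Layer-2 pass (only happens when net.link.ether.ipfw=1):
    # frames from a listed source MAC jump over the deny.
    n=100
    for mac in "$@"; do
        echo "add $n skipto 1000 ip from any to any MAC any $mac layer2 in via $iface"
        n=$((n + 10))
    done
    # Deny before any allow: frames from unlisted MACs stop here.
    echo "add 900 deny ip from any to any layer2 in via $iface"
    # Accepting here ends the layer-2 pass before the pipe rule.
    echo "add 1000 allow ip from any to any layer2"
    # Layer-3 pass: the only place the pipe can match.
    echo "add 2000 pipe 1 ip from any to any not layer2 in via $iface"
    echo "add 2100 allow ip from any to any not layer2"
}

# Constructed sample invocation.
gen_rules em0 512Kbit/s 00:11:22:33:44:55 00:11:22:33:44:66
```

Redirect the output to a file and review it before loading it on a live firewall.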