Re: Dummynet+Firewall+One_pass question

2004-04-23 Thread Alex de Kruijff
On Thu, Apr 22, 2004 at 04:25:53PM -0300, Marcelo Pinheiro wrote:
 Hi,
 
 I am very new to FreeBSD, and I have a quite simple question: How does IPFW
 work when I use PIPES, divert and some other Firewall rules?
 What does net.inet.ip.fw.one_pass mean? For instance, if I use a pipe before
 a divert with one_pass set to 1, the packet passes through the pipe, but
 does not pass through the divert, and that makes total sense. However, if I
 set one_pass to 1 and set the pipe after the divert using the internal IP
 address (RFC 1918), it works, which does not make any sense, at least to
 me. :)

man ipfw gives me:

     pipe pipe_nr
             Pass packet to a dummynet(4) ``pipe'' (for bandwidth
             limitation, delay, etc.).  See the TRAFFIC SHAPER (DUMMYNET)
             CONFIGURATION Section for further information.  The search
             terminates; however, on exit from the pipe and if the
             sysctl(8) variable net.inet.ip.fw.one_pass is not set, the
             packet is passed again to the firewall code starting from
             the next rule.

 Here are some sample rules:
 
 # INTERNAL NETWORK
 ${fwcmd} pipe 1000 config bw 1024Kbit/s
 ${fwcmd} pipe 1001 config bw 1024Kbit/s
 
 ${fwcmd} add divert natd all from 10.0.0.0/8 to any
 ${fwcmd} add divert natd all from any to 200.x.x.x
 
 ${fwcmd} add pipe 1038 ip from 10.0.0.0/8 to any
 ${fwcmd} add pipe 1039 ip from any to 10.0.0.0/8
 
 If I set it up the way above, it works fine, even if one_pass is set to 1
 (one). The divert changes the packet header to my external IP, and my real
 question is: how in the world does the pipe work if the header is changed to
 200, instead of 10?
 
 THIS WAY IT DOES NOT WORK WITH ONE_PASS SET TO 1: it passes through the
 pipe but does not pass through the divert:
 
 # INTERNAL NETWORK
 ${fwcmd} pipe 1000 config bw 1024Kbit/s
 ${fwcmd} pipe 1001 config bw 1024Kbit/s
 
 ${fwcmd} add pipe 1038 ip from 10.0.0.0/8 to any
 ${fwcmd} add pipe 1039 ip from any to 10.0.0.0/8
 
 ${fwcmd} add divert natd all from 10.0.0.0/8 to any
 ${fwcmd} add divert natd all from any to 200.x.x.x
 
 I deeply appreciate any ideas.

That's because the packets that meet the pipe rules are also allowed and
thus never meet the divert rule.

-- 
Alex

Articles based on solutions that I use:
http://www.kruijff.org/alex/index.php?dir=docs/FreeBSD/
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Dummynet+Firewall+One_pass question

2004-04-22 Thread Marcelo Pinheiro
Hi,

I am very new to FreeBSD, and I have a quite simple question: How does IPFW
work when I use PIPES, divert and some other Firewall rules?
What does net.inet.ip.fw.one_pass mean? For instance, if I use a pipe before
a divert with one_pass set to 1, the packet passes through the pipe, but
does not pass through the divert, and that makes total sense. However, if I
set one_pass to 1 and set the pipe after the divert using the internal IP
address (RFC 1918), it works, which does not make any sense, at least to
me. :)
Here are some sample rules:

# INTERNAL NETWORK
${fwcmd} pipe 1000 config bw 1024Kbit/s
${fwcmd} pipe 1001 config bw 1024Kbit/s

${fwcmd} add divert natd all from 10.0.0.0/8 to any
${fwcmd} add divert natd all from any to 200.x.x.x

${fwcmd} add pipe 1038 ip from 10.0.0.0/8 to any
${fwcmd} add pipe 1039 ip from any to 10.0.0.0/8

If I set it up the way above, it works fine, even if one_pass is set to 1
(one). The divert changes the packet header to my external IP, and my real
question is: how in the world does the pipe work if the header is changed to
200, instead of 10?

THIS WAY IT DOES NOT WORK WITH ONE_PASS SET TO 1: it passes through the
pipe but does not pass through the divert:

# INTERNAL NETWORK
${fwcmd} pipe 1000 config bw 1024Kbit/s
${fwcmd} pipe 1001 config bw 1024Kbit/s

${fwcmd} add pipe 1038 ip from 10.0.0.0/8 to any
${fwcmd} add pipe 1039 ip from any to 10.0.0.0/8

${fwcmd} add divert natd all from 10.0.0.0/8 to any
${fwcmd} add divert natd all from any to 200.x.x.x

I deeply appreciate any ideas.

Sincerely,

Marcelo Pinheiro
