Lubomir Georgiev wrote:
> OK, so let's get started. Here's my ruleset -
> 00300 131732 19262748 skipto 1200 ip from any to any { MAC any 00:19:d2:36:b8:48 or MAC 00:19:d2:36:b8:48 any } layer2
Good. I have never used it this way and I am not sure if it will work.
First, try to use two rules, one per flow.
ipfw add 300 skipto 1200 ip from any to any MAC 00:19:d2:36:b8:48 any layer2
ipfw add 301 skipto 1200 ip from any to any MAC any 00:19:d2:36:b8:48 layer2
Later, you try to put both flows all in a single rule. I am not sure if
both flows aren't checked together and the rule will match once, since
layer2 MAC filter happens as it happens on the wire.
> 00500 4723 1941536 skipto 1400 ip from any to any layer2
> 01203 68479 8449298 divert 8668 ip from 192.168.1.0/24 to any out via fxp0
> 01205 71215 16745674 divert 8668 ip from any to me in via fxp0
> *01250 410160 534966441 queue 1 ip from any to any src-port 80 via fxp0
> *01251 143290 14139299 queue 1 ip from any to any dst-port 80 via fxp0
> *01300 2711668 1462734503 queue 2 ip from any to any not src-port 80 via fxp0
> 01400 12581325 6691776490 allow ip from any to any
Seems almost ok here; please add "not layer2" to the dummynet rules, otherwise
you will have your bw controlled twice.
> I've marked the dummynet rules with an asterisk. I'm using Patrick's
> ruleset - since I'm only allowing internet access for a single machine
> I've combined his first two rules into one. My internal network is
> 192.168.1.0/24 and my external iface is fxp0. What I'm experiencing
> right now as I'm using this set is this - I have internet on this
> machine I desired /OK/ and on all others with ip 192.168.1.X /not OK,
> obviously :)/ regardless of MAC. For me, the rules that concern layer2
> don't do what they're supposed to and thusly the traffic reaches rule
> 1203 and 1205 and onward. Interestingly enough traffic does hit the
> first and second rule. Here's my uname -
> FreeBSD bogoqho.com 6.1-RELEASE FreeBSD 6.1-RELEASE #1: Sun Apr 8 10:54:10 EEST 2007 [EMAIL PROTECTED]:/usr/src/sys/i386/compile/bogoqho i386
> And my sysctl -
> bogoqho# sysctl -a | egrep "one_pass\|ether"
> If there's anything that would help you - just say the word... Let's
> brainstorm :)
sysctl -a | egrep "one_pass|ether"; my fault, \| is only needed for grep,
not egrep.
Just to be sure net.link.ether.ipfw=1 and net.inet.ip.fw.one_pass=1.
--
Patrick Tracanelli
FreeBSD Brasil LTDA.
(31) 3281-9633 / 3281-3547
[EMAIL PROTECTED]
http://www.freebsdbrasil.com.br
"Long live Hanin Elias, Kim Deal!"
_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
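As an added example, not code from the thread or from either poster: the ruleset above reshaped along the three points Patrick raises (one MAC rule per flow instead of the `{ ... or ... }` form, `not layer2` on the dummynet rules so a packet is queued on one pass only, and both sysctls at 1), as a POSIX sh script that emits the rules and only applies them when run on the firewall itself. The addresses, interface, natd port, queue numbers and MAC are the ones from the thread; the `IPFW` dry-run variable, the `sysctls_ok` helper and feeding it `sysctl -e` output are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: emit and (optionally) apply the
# corrected ruleset. Values below are taken from the discussion; the
# helper names and the dry-run mechanism are assumptions of this example.
set -u

EXT_IF="fxp0"                       # external interface from the thread
INT_NET="192.168.1.0/24"            # internal network from the thread
NATD_PORT="8668"                    # natd divert port from the ruleset
ALLOWED_MAC="00:19:d2:36:b8:48"     # the one machine allowed out

# Print the rules as text, one "add ..." per line. Nothing is applied here,
# so this function is safe to call on any host.
ipfw_rules() {
    cat <<EOF
# Layer-2 pass: one rule per direction, as suggested, instead of a
# single { MAC any X or MAC X any } rule.
add 300 skipto 1200 ip from any to any MAC ${ALLOWED_MAC} any layer2
add 301 skipto 1200 ip from any to any MAC any ${ALLOWED_MAC} layer2
add 500 skipto 1400 ip from any to any layer2
# NAT via natd, kept exactly as in the thread.
add 1203 divert ${NATD_PORT} ip from ${INT_NET} to any out via ${EXT_IF}
add 1205 divert ${NATD_PORT} ip from any to me in via ${EXT_IF}
# Dummynet: "not layer2" keeps these rules off the layer-2 pass, so each
# packet is queued once rather than having its bandwidth controlled twice.
add 1250 queue 1 ip from any to any src-port 80 via ${EXT_IF} not layer2
add 1251 queue 1 ip from any to any dst-port 80 via ${EXT_IF} not layer2
add 1300 queue 2 ip from any to any not src-port 80 via ${EXT_IF} not layer2
add 1400 allow ip from any to any
EOF
}

# Feed every non-comment rule line to ipfw(8). Setting IPFW='echo ipfw'
# turns this into a dry run that prints the commands instead of running
# them (assumed convenience of this example, not an ipfw feature).
apply_rules() {
    ipfw_rules | while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        # shellcheck disable=SC2086  # word splitting of $line is intended
        ${IPFW:-ipfw} -q $line
    done
}

# Read "name=value" lines on stdin (the format "sysctl -e" prints) and
# return 0 only if both sysctls Patrick asks about are set to 1:
#   net.link.ether.ipfw=1     -> ipfw sees layer-2 frames at all
#   net.inet.ip.fw.one_pass=1 -> a packet leaves the ruleset after dummynet
sysctls_ok() {
    ether_ok=0
    onepass_ok=0
    while IFS= read -r line; do
        case "$line" in
            net.link.ether.ipfw=1)     ether_ok=1 ;;
            net.inet.ip.fw.one_pass=1) onepass_ok=1 ;;
        esac
    done
    [ "$ether_ok" -eq 1 ] && [ "$onepass_ok" -eq 1 ]
}

# On the FreeBSD box itself, uncomment to check the sysctls and then load:
# sysctl -e net.link.ether.ipfw net.inet.ip.fw.one_pass | sysctls_ok && apply_rules
```

Run it with `IPFW='echo ipfw' sh script.sh` after uncommenting the last line to see the exact `ipfw -q add ...` commands without touching the running firewall; `sysctls_ok` deliberately takes its input on stdin so the check can be exercised with captured output on a host that has no ipfw.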