On Jun 27, 2008, at 3:01 PM, Freddie Cash wrote:
[ ... ]
If net.inet.ip.fw.one_pass is true, then you definitely want to apply your deny rules first, as once something matches a pipe rule, it's going to be passed. The tradeoff is that the accounting/fairness of traffic is less accurate but the firewall ruleset runs faster...

So, in this situation, the "allow" rules would be the queue rules?

To add traffic shaping to the following, using one_pass=1:
 100 allow ip from 1.1.1.1 to 2.2.2.2 in recv em0
 200 allow ip from 1.1.1.1 to 2.2.2.2 out xmit em1
 300 deny ip from any to 2.2.2.2 in recv em0

Would be:
 100 queue 1 ip from 1.1.1.1 to 2.2.2.2 in recv em0
 200 allow ip from 1.1.1.1 to 2.2.2.2 out xmit em1
 300 deny ip from any to 2.2.2.2 in recv em0

Or am I way off here?  :)

Hmm. If you have one_pass set, I believe that rule 200 would become superfluous. If it was off, rule 200 would be needed to permit traffic through. However, queue rulesets are used to classify traffic into different bins; they then get pulled out of the bins with packets waiting in proportion to the weights configured via something like:

  ipfw queue 1 config pipe 1 weight 10

ie, you have to attach queue(s) to a pipe for this classification or sorting to be meaningful.

--
-Chuck
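As an added example (not part of this thread and not ipfw or FreeBSD code), here is a small Python model of how ipfw walks the ruleset above with one_pass on and off. It models only the match options the thread's rules use (source/destination address, in/out, recv/xmit interface), accepts a packet at the queue rule when one_pass is 1, and re-injects it at the next rule when one_pass is 0, which is the documented dummynet behaviour. The 3.3.3.3 source, the extra rule 150 and the DENY_AFTER_QUEUE variant are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    num: int
    action: str              # "allow", "deny" or "queue"
    arg: Optional[int]       # queue number for "queue" rules, else None
    src: str                 # source address or "any"
    dst: str                 # destination address or "any"
    direction: str           # "in" or "out"
    iface: str               # interface named by "recv" / "xmit"


@dataclass
class Packet:
    src: str
    dst: str
    direction: str
    iface: str


def parse_rule(line: str) -> Rule:
    """Parse the 'NUM action [qnum] ip from SRC to DST in|out recv|xmit IFACE'
    form used in the thread.  Any other ipfw syntax is out of scope here."""
    tok = line.split()
    num, action, i = int(tok[0]), tok[1], 2
    arg = None
    if action == "queue":
        arg, i = int(tok[i]), i + 1
    if tok[i:i + 2] != ["ip", "from"] or tok[i + 3] != "to" \
            or tok[i + 6] not in ("recv", "xmit"):
        raise ValueError(f"unsupported rule syntax: {line!r}")
    return Rule(num, action, arg, tok[i + 2], tok[i + 4], tok[i + 5], tok[i + 7])


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.src in ("any", pkt.src) and rule.dst in ("any", pkt.dst)
            and rule.direction == pkt.direction and rule.iface == pkt.iface)


def evaluate(rules: List[Rule], pkt: Packet,
             one_pass: bool) -> Tuple[str, int, Optional[int]]:
    """Return (final action, rule number that decided it, queue the packet was
    classified into or None).  A queue match with one_pass=1 ends processing
    and the packet is passed; with one_pass=0 evaluation continues at the next
    rule, as for a packet leaving dummynet.  Rule 65535 is the implicit deny."""
    queue = None
    for rule in sorted(rules, key=lambda r: r.num):
        if not matches(rule, pkt):
            continue
        if rule.action == "queue":
            queue = rule.arg
            if one_pass:
                return ("allow", rule.num, queue)
            continue                      # re-injected at the following rule
        return (rule.action, rule.num, queue)
    return ("deny", 65535, queue)


# Freddie's proposed ruleset, verbatim from the thread.
PROPOSED = [parse_rule(l) for l in (
    "100 queue 1 ip from 1.1.1.1 to 2.2.2.2 in recv em0",
    "200 allow ip from 1.1.1.1 to 2.2.2.2 out xmit em1",
    "300 deny ip from any to 2.2.2.2 in recv em0",
)]
# Same ruleset plus an explicit inbound allow after the queue rule (constructed),
# which is what the one_pass=0 case needs to avoid falling through to rule 300.
FIXED = PROPOSED + [parse_rule("150 allow ip from 1.1.1.1 to 2.2.2.2 in recv em0")]
# Constructed variant: a deny for one host placed *after* a broad queue rule.
DENY_AFTER_QUEUE = [parse_rule(l) for l in (
    "100 queue 1 ip from any to 2.2.2.2 in recv em0",
    "300 deny ip from 1.1.1.1 to 2.2.2.2 in recv em0",
)]

IN_FROM_SHAPED = Packet("1.1.1.1", "2.2.2.2", "in", "em0")
IN_FROM_OTHER = Packet("3.3.3.3", "2.2.2.2", "in", "em0")    # constructed host
OUT_TO_DST = Packet("1.1.1.1", "2.2.2.2", "out", "em1")

if __name__ == "__main__":
    for name, rules in (("PROPOSED", PROPOSED), ("FIXED", FIXED),
                        ("DENY_AFTER_QUEUE", DENY_AFTER_QUEUE)):
        for pkt in (IN_FROM_SHAPED, IN_FROM_OTHER, OUT_TO_DST):
            for one_pass in (True, False):
                print(f"{name:17} one_pass={int(one_pass)} {pkt.src}->{pkt.dst} "
                      f"{pkt.direction} {pkt.iface}: {evaluate(rules, pkt, one_pass)}")
```

Running it shows the two effects discussed in the thread: with one_pass=1 the inbound 1.1.1.1 traffic is passed at rule 100 and rule 300 is never consulted, so any deny that should apply to shaped traffic has to sit before the queue rule; with one_pass=0 the same packet continues past rule 100, does not match the outbound rule 200, and is dropped by rule 300 unless an inbound allow is added after the queue rule.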

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net