I've been looking into using Dummynet for outgoing traffic, and I've found it hard going because the tutorials and how-tos deal with it in isolation, without indicating how it would be used in a real firewall. They generally suggest setting net.inet.ip.fw.one_pass=1, which, as I understand it, implies that any packet passed into dummynet is passed statically through the firewall.
I want to keep my existing dynamic rules, and it seems that one way would be to keep net.inet.ip.fw.one_pass=0 and follow each dummynet rule with a skipto rule that uses an identical test. So when the packet emerges from dummynet it skips the other pipe and queue rules, and hits the check-state. Something like this:

--------------------------------------------------------------------------------------
...
#prioritize small ack packets
0500 queue 1 tcp from any to any out via vr0 tcpflags ack iplen 0-80
0501 skipto 1000 tcp from any to any out via vr0 tcpflags ack iplen 0-80
#prioritize ntp
0600 queue 1 tcp from any to any out ntp via vr0
0601 skipto 1000 tcp from any to any out ntp via vr0
<other queuing rules>
1000 check-state
1010 deny tcp from any to any in established
1020 allow tcp from any to any out setup keep-state
1030 allow udp from any to any ntp out keep-state
<other stateful rules>
--------------------------------------------------------------------------------------

Will this work? And is it the best way to handle this problem? It seems a bit clumsy.

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
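The pattern in the post, written out as a complete rule set: the following POSIX shell script is an added example, not the poster's or the FreeBSD project's code. It generates the ipfw commands for a one_pass=0 setup in which every queue rule is immediately followed by a skipto carrying the identical match expression, so that a packet reinjected by dummynet (which re-enters ipfw at the rule after the one that queued it) jumps straight to check-state instead of hitting later queue rules. The interface name vr0 and the rule numbers follow the post; the uplink bandwidth, queue weights, the bulk "everything else" queue and the final deny rule are assumptions added for completeness. The script only prints the commands, so it can be reviewed before being piped into sh on the firewall.

```shell
#!/bin/sh
# Added example: emit an ipfw/dummynet rule set using the
# "queue rule + identical skipto rule" pattern with one_pass=0.
# Assumptions (not from the post): uplink bandwidth, queue weights,
# the bulk queue at rule 900 and the explicit final deny.

IFACE=vr0                 # outbound interface, as in the post
UPLINK_BW="1Mbit/s"       # assumed uplink bandwidth for pipe 1
STATEFUL_START=1000       # rule number of check-state

# emit_shaped RULE_NUM QUEUE_NUM MATCH
# Prints a queue rule and, at RULE_NUM+1, a skipto rule with the same
# match, so the reinjected packet skips the remaining queue rules.
emit_shaped() {
    es_num="$1"; es_queue="$2"; es_match="$3"
    printf 'ipfw -q add %d queue %d %s\n' "$es_num" "$es_queue" "$es_match"
    printf 'ipfw -q add %d skipto %d %s\n' "$((es_num + 1))" "$STATEFUL_START" "$es_match"
}

gen_ipfw_rules() {
    cat <<EOF
sysctl net.inet.ip.fw.one_pass=0
ipfw -q flush
ipfw -q pipe flush
ipfw -q pipe 1 config bw $UPLINK_BW
ipfw -q queue 1 config pipe 1 weight 90
ipfw -q queue 2 config pipe 1 weight 10
EOF
    # prioritize small ACK packets (queue 1, high weight)
    emit_shaped 500 1 "tcp from any to any out via $IFACE tcpflags ack iplen 0-80"
    # prioritize NTP (UDP port 123; port written after the destination address)
    emit_shaped 600 1 "udp from any to any 123 out via $IFACE"
    # everything else leaving the interface goes to the bulk queue (assumed)
    emit_shaped 900 2 "ip from any to any out via $IFACE"
    cat <<EOF
ipfw -q add $STATEFUL_START check-state
ipfw -q add 1010 deny tcp from any to any in established
ipfw -q add 1020 allow tcp from any to any out setup keep-state
ipfw -q add 1030 allow udp from any to any 123 out keep-state
ipfw -q add 65000 deny ip from any to any
EOF
}

# Print the rule set; review it, then run:  sh gen_rules.sh | sh
gen_ipfw_rules
```

Because the skipto target is the check-state rule, the dynamic rules created by keep-state still govern the reinjected packet, which is what the post is trying to preserve.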