Re: IPFW fwd issue.

2008-10-02 Thread Julian Elischer
Dan Johnson wrote: After beating my head against this for days I ran out of places to look for information, and almost sent this as a help request instead of an observation. So excuse the present tense. All I am actually trying to accomplish is a simple (This worked flawless last i tried under

Re: anyone have a netgraph node to do ipfw filtering?

2008-09-11 Thread Julian Elischer
Eugene Grosbein wrote: On Thu, Sep 11, 2008 at 11:12:29PM -0700, Julian Elischer wrote: that one allows ipfw to send things to netgraph. I want one to allow a netgraph graph to filter things with ipfw... ng_bpf? not exactly ipfw filtering, but filtering :-) No it needs to be ipfw for the

Re: anyone have a netgraph node to do ipfw filtering?

2008-09-11 Thread Julian Elischer
Bjoern A. Zeeb wrote: On Thu, 11 Sep 2008, Julian Elischer wrote: Hi, I think someone sent me a link to an ng_ipfw_filter node once but I've lost it... (I think it was called ng_ipfw but that name is now taken by the netgraph/ipfw 'ipfw netgraph' packet divert option). Some

anyone have a netgraph node to do ipfw filtering?

2008-09-11 Thread Julian Elischer
aph. As I said,I've seen one but lost it... Julian

Re: ipfw add skipto tablearg....

2008-08-19 Thread Julian Elischer
Luigi Rizzo wrote: On Wed, Aug 20, 2008 at 04:06:05AM +1000, Ian Smith wrote: On Tue, 19 Aug 2008, Luigi Rizzo wrote: > On Tue, Aug 19, 2008 at 11:12:04PM +1000, Ian Smith wrote: ... > > Until $someone adds a direct skipto target jump at the virtual machine > > code level - big recalc hit w

Re: ipfw add skipto tablearg....

2008-08-19 Thread Julian Elischer
Luigi Rizzo wrote: On Wed, Aug 20, 2008 at 04:06:05AM +1000, Ian Smith wrote: On Tue, 19 Aug 2008, Luigi Rizzo wrote: > On Tue, Aug 19, 2008 at 11:12:04PM +1000, Ian Smith wrote: ... > > Until $someone adds a direct skipto target jump at the virtual machine > > code level - big recalc hit w

Re: IPv6 tables?

2008-08-06 Thread Julian Elischer
es seem to handle both versions (without looking at the code, just the manpage). I'm now wondering which approach would be less resource-hungry: Adding a separate "table6" structure or modifying tables to accept v6. The former, to my mind, is more economical with large table

Re: IPv6 tables?

2008-08-05 Thread Julian Elischer
Matt Dawson wrote: Just a quick question: What would it take to have similar functionality to the IPv4 tables in ipfw for v6? Is there a specific reason it isn't there (other than the fact that I haven't got my finger out and learnt the necessary to add it myself ;) )? there is no reason exc

ipfw add skipto tablearg....

2008-07-31 Thread Julian Elischer
looking in the code I noticed that the following command gave no error but didn't work.. ipfw add 1000 skipto tablearg ip from any to table(31) and as I have a use for that, I implemented it.. see attached patch... (hopefully not stripped) Of course it is hoped that the rules you are skipping

Re: IPFW+Dummynet Capability

2008-07-20 Thread Julian Elischer
Kazi A. Sharif wrote: Hello Guys, I was planning to install a heavy duty bandwidth manager for my ISP. I went through some documentation and installed IPFW and Dummynet in FreeBSD 7.0. Before I spent so much time on this I need to know the limitations that are already noticed: 1. If we compare

Re: About IPFW for IPv6

2008-06-15 Thread Julian Elischer
Fabian Wenk wrote: Hello Edwin On 14.06.08 04:27, Edwin Sanjoto wrote: Do you know how to set firewall for IPv6 using IPFW? Just use ipfw the same like for IPv4, then since FreeBSD 6.x it does also support IPv6. If you still have an older version of FreeBSD, use ip6fw. there are some fe

Re: ipfw route to multigateways

2008-06-10 Thread Julian Elischer
Rosli Sukri wrote: hi scenario: users>[lan]freebsdipfw[wan]->{gw1,gw2} where gw1 goes to isp1, and gw2 goes to isp2. easily done but how do you ensure the return packets come back the same way? requirements: ftp, http, https traffic goes to gw1 telnet, ssh, mail and pop goes to g

Re: ipfw and smtp port rewriting

2008-05-18 Thread Julian Elischer
Oleksandr Samoylyk wrote: Hello freebsd-ipfw, I'd like to make smtp port rewriting for any destination by means of ipfw. With iptables I just used this rule in order to achieve this functionality: iptables -t nat -A PREROUTING -i ppp+ -p tcp --dport 2525 -j DNAT --to-destination :25 Reading

Re: kern/123174: [ipfw] table add value lists as ip/uint16 instead of uint32.

2008-04-28 Thread julian
Synopsis: [ipfw] table add value lists as ip/uint16 instead of uint32. State-Changed-From-To: open->closed State-Changed-By: julian State-Changed-When: Mon Apr 28 12:15:05 PDT 2008 State-Changed-Why: fixed in all affected branches post release. duplicate of another bug (also closed) (I for

Re: addition to ipfw table..

2008-04-17 Thread Julian Elischer
Andrey V. Elsukov wrote: Julian Elischer wrote: I do know it won't handle non contiguous masks well but as the ipfw ABI code only accepts a network mask length instead of a mask, there's not much that can be done. I may suggest a later fix for that but it will break the ABI. commen

addition to ipfw table..

2008-04-16 Thread Julian Elischer
this change allows one to type ipfw table 2 add 1.1.1.1:255.255.255.0 0 in addition to the currently acceptable 1.1.1.1/24 0 The reason is that some programs supply the netmask in that (mask) form and a shell script trying to add it to a table has a hard time converting it to the currently accep

Re: bin/120720: [patch] [ipfw] unbreak POLA for ipfw table list

2008-04-04 Thread Julian Elischer
The following reply was made to PR bin/120720; it has been noted by GNATS. From: Julian Elischer <[EMAIL PROTECTED]> To: [EMAIL PROTECTED], [EMAIL PROTECTED] Cc: Subject: Re: bin/120720: [patch] [ipfw] unbreak POLA for ipfw table list Date: Fri, 04 Apr 2008 11:12:39 -0700 The change ha

Re: [HEADS UP!] IPFW Ideas: possible SoC 2008 candidate

2008-03-26 Thread Julian Elischer
Vadim Goncharov wrote: Hi Julian Elischer! On Mon, 24 Mar 2008 10:53:44 -0700; Julian Elischer wrote about 'Re: [HEADS UP!] IPFW Ideas: possible SoC 2008 candidate': here are some of my ideas for ipfw changes: 1/ redo locking so that packets do not have to get locks on the stru

Re: [HEADS UP!] IPFW Ideas: possible SoC 2008 candidate

2008-03-24 Thread Julian Elischer
here are some of my ideas for ipfw changes: 1/ redo locking so that packets do not have to get locks on the structure... I have several ideas on this 2/ allow separate firewalls to be used at different parts of the network stack (i.e. allow multiple tables to co-exist) 3/ possibly keeping pe

Re: kern/80642: [ipfw] [patch] ipfw small patch - new RULE OPTION

2008-03-19 Thread Julian Elischer
Vadim Goncharov wrote: Hi Julian Elischer! On Tue, 18 Mar 2008 01:09:19 -0700; Julian Elischer wrote about 'Re: kern/80642: [ipfw] [patch] ipfw small patch - new RULE OPTION': About Vadim's prepositions: 1. tablearg: it's possible, but now we use u32 argument in table

Re: kern/80642: [ipfw] [patch] ipfw small patch - new RULE OPTION

2008-03-18 Thread Julian Elischer
Andrey V. Elsukov wrote: Paolo Pisati wrote: On Thu, Mar 13, 2008 at 09:21:11AM +, Vadim Goncharov wrote: http://www.freebsd.org/cgi/query-pr.cgi?pr=80642 Yes, this is useful, but some minor changes are needed, I think. First, rename it to "bytelimit" or somewhat. Second, allow this to use

Re: [patch] ipfw_nat as a kld module

2008-02-28 Thread Julian Elischer
Vadim Goncharov wrote: Hi Paolo Pisati! On Thu, 28 Feb 2008 16:11:34 +0100; Paolo Pisati wrote about '[patch] ipfw_nat as a kld module': http://people.freebsd.org/~piso/ipfw_nat_module.patch Any objection if i commit it? Some comments: * //comments are not in our style(9) in case this i

Re: IPFW Established and Outside Traffic Problem

2008-02-26 Thread Julian Elischer
steve13th wrote: Given: Running FREEBSD What I want to do: I am attempting to disable the following things: Note H= host octet 1. disable pings 2. disable traffic originating from networks other than HHH.HH.HHH.0/24 3. allow traffic to originate from HHH.HH.HHH.11 and go back and forth with the

Re: bin/120720: [patch] [ipfw] unbreak POLA for ipfw table list

2008-02-19 Thread Julian Elischer
Eugene Grosbein wrote: On Mon, Feb 18, 2008 at 11:52:41AM -0800, [EMAIL PROTECTED] wrote: Synopsis: [patch] [ipfw] unbreak POLA for ipfw table list State-Changed-From-To: open->closed State-Changed-By: julian State-Changed-When: Mon Feb 18 11:27:58 PST 2008 State-Changed-Why: Patch commit

Re: bin/120720: [patch] [ipfw] unbreak POLA for ipfw table list

2008-02-18 Thread julian
Synopsis: [patch] [ipfw] unbreak POLA for ipfw table list State-Changed-From-To: open->closed State-Changed-By: julian State-Changed-When: Mon Feb 18 11:27:58 PST 2008 State-Changed-Why: Patch committed to -current and scheduled for MFC. http://www.freebsd.org/cgi/query-pr.cgi?pr=120

Re: bin/120720: [patch] [ipfw] unbreak POLA for ipfw table list

2008-02-18 Thread Julian Elischer
The following reply was made to PR bin/120720; it has been noted by GNATS. From: Julian Elischer <[EMAIL PROTECTED]> To: Vadim Goncharov <[EMAIL PROTECTED]> Cc: Eugene Grosbein <[EMAIL PROTECTED]>, freebsd-ipfw@freebsd.org, [EMAIL PROTECTED] Subject: Re: bin/120720: [patch] [

Re: bin/120720: [patch] [ipfw] unbreak POLA for ipfw table list

2008-02-18 Thread Julian Elischer
Vadim Goncharov wrote: In-Reply-To: <[EMAIL PROTECTED]> References: <[EMAIL PROTECTED]> Hi Eugene Grosbein! On Fri, 15 Feb 2008 23:42:16 +0700 (KRAT); Eugene Grosbein <[EMAIL PROTECTED]> wrote: The command "ipfw table 1 list" used to format table values associated with network addresses

Re: Fwd: Fragmented Packet Reassembly and IPFW2

2007-11-13 Thread Julian Elischer
Curby wrote: Julian and Vadim, thank you both for your replies. Here's a really old quote: "The ip_input() routine in the kernel then dequeues the packet, performs sanity checks on the packet and determines the destination for the packet. If the destination is the local computer,

Re: Fragmented Packet Reassembly and IPFW2

2007-11-13 Thread Julian Elischer
Curby wrote: Hi, this is slightly off-topic as it relates to IPFW2 in Mac OS X (as of Tiger, 10.4.x). I've read that when a FreeBSD machine running IPFW2 receives a fragmented TCP packet (and let's say that the machine itself is the intended destination), the packet is reassembled before it gets

Re: IPFW Problem

2007-11-05 Thread Julian Elischer
Gardner Bell wrote: --- Julian Elischer <[EMAIL PROTECTED]> wrote: Gardner Bell wrote: I'm hoping some of you can help me out with the problem that I'm having as I'm not very good when it comes to networking.. I've recently configured 6.3-PRERELEASE with IP

Re: IPFW Problem

2007-11-04 Thread Julian Elischer
Gardner Bell wrote: I'm hoping some of you can help me out with the problem that I'm having as I'm not very good when it comes to networking.. I've recently configured 6.3-PRERELEASE with IPFW/NATD to act as my LAN's firewall/router. After I initially access certain http sites, particularly goo

Re: source based forwarding code

2007-09-13 Thread Julian Elischer
Srimanta BSD wrote: Hi, Can someone please send me the link to download Source Based Forwarding implementation in FreeBsd 6.2 or other version. we use the firewall(s) to do so.. Look in the ipfw man pages for the 'fwd' command for ipfw. For pf there is another command, the name of which I f

Re: kern/116009: [ipfw] [patch] Ignore errors when loading ruleset from file + rule replacement command

2007-09-04 Thread Julian Elischer
The following reply was made to PR kern/116009; it has been noted by GNATS. From: Julian Elischer <[EMAIL PROTECTED]> To: [EMAIL PROTECTED], [EMAIL PROTECTED] Cc: Subject: Re: kern/116009: [ipfw] [patch] Ignore errors when loading ruleset from file + rule replacement command Date: Tue,

Re: getting state to work properly

2007-09-04 Thread Julian Elischer
Vadim Goncharov wrote: 31.08.07 @ 00:41 Russell Fulton wrote: Rule set appended -- anonymizing the rule set while keeping the sense would be a lot of work and I don't want to trim it down for fear of dropping something vital. As this network is not exposed to the internet and the firewall's p

Re: redirect traffic based on destination port to another interface

2007-08-03 Thread Julian Elischer
each..) Thank you. Regards, Rudy On 8/3/07, Julian Elischer <[EMAIL PROTECTED]> wrote: Rudy Setiawan wrote: On 8/2/07, Julian Elischer <[EMAIL PROTECTED]> wrote: Rudy Setiawan wrote: Hi, I am trying to do a traffic redirection based on destination port to another interface/gate

Re: redirect traffic based on destination port to another interface

2007-08-03 Thread Julian Elischer
Rudy Setiawan wrote: On 8/2/07, Julian Elischer <[EMAIL PROTECTED]> wrote: Rudy Setiawan wrote: Hi, I am trying to do a traffic redirection based on destination port to another interface/gateway. Currently, I have a freebsd box that does simple NAT and an Internet connection. I am plann

Re: redirect traffic based on destination port to another interface

2007-08-02 Thread Julian Elischer
Rudy Setiawan wrote: Hi, I am trying to do a traffic redirection based on destination port to another interface/gateway. Currently, I have a freebsd box that does simple NAT and an Internet connection. I am planning to install another internet connection and use the same box to do some traffic r

Re: Policy - based Routing problem Need help

2007-07-28 Thread Julian Elischer
Narek Gharibyan wrote: Hi all, I have a firewall/router with FreeBSD 6.2 installed on it. 2 ISP connection and 2 LAN connections. I need to do a policy-based routing. All I need that packets coming from one ISP interface return to that interface (incoming connections' source based routing) and t

Re: Policy - based Routing problem Need help

2007-07-26 Thread Julian Elischer
Narek Gharibyan wrote: Hi all, I have a firewall/router with FreeBSD 6.2 installed on it. 2 ISP connection and 2 LAN connections. I need to do a policy-based routing. All I need that packets coming from one ISP interface return to that interface (incoming connections' source based routing) and t

Re: Policy Routing natd+ipfw

2007-05-08 Thread Julian Elischer
Julian Elischer wrote: actually the kernel code is in the 6 branch but the ipfw program has not been taught how to set the values yet.. I just committed the change to RELENG_6 so the head of the 6 branch should be able to do this now. julian Kirk

Re: a sysctl variable to query last ipfw rule number

2007-05-08 Thread Julian Elischer
A. Skrobov wrote: Such a variable is useful in scripts that add blocks of rules containing skipto actions; instead of hardcoding numbers for all the rules, they could be derived dynamically. I'm also looking at a version of skipto that uses RELATIVE numbering. (called just 'skip') i.e. ipfw a

Re: Policy Routing natd+ipfw

2007-05-07 Thread Julian Elischer
Kirk Davis wrote: Julian Elischer wrote: in -current you can implement a routing table via FWD and tables. in 6.x you need to specify the next hop. and an more explicit rule. Is there any information floating around on how to do this in current using the FWD rules and tables? Any pointer

Re: Policy Routing natd+ipfw

2007-05-07 Thread Julian Elischer
Kirk Davis wrote: Julian Elischer wrote: in -current you can implement a routing table via FWD and tables. in 6.x you need to specify the next hop. and an more explicit rule. Is there any information floating around on how to do this in current using the FWD rules and tables? Any pointer

Re: Policy Routing natd+ipfw

2007-05-06 Thread Julian Elischer
that did the divert, so you can treat it as if it was non terminating. this means that you need to do the NAT before you do the FWD. julian

Re: kern/107305: [ipfw] ipfw fwd doesn't seem to work

2007-04-26 Thread Julian Elischer
Andrey V. Elsukov wrote: The following reply was made to PR kern/107305; it has been noted by GNATS. This was fixed in 6.[later] (6.2 at least, maybe 6.1) (The need for the EXTENDED option) -- WBR, Andrey V. Elsukov

Re: ipfw with nat - allowing by MAC address

2007-04-26 Thread Julian Elischer
Lubomir Georgiev wrote: Yeah! People, we can congratulate ourselves! We've done it! With a few modifications I've finally found the smallest working MAC filtered NAT system. So here's what I ended up with - I'm including the queues just for the entirety of the ruleset, they have nothing to do wi

Re: ipfw with nat - allowing by MAC address

2007-04-26 Thread Julian Elischer
I'm surprised you haven't tried the firewall set I sent you.. I practically wrote the whole thing for you.

Re: ipfw with nat - allowing by MAC address

2007-04-25 Thread Julian Elischer
[EMAIL PROTECTED] wrote: Ok, I got home (when I have some time) and tried exactly your rule set. The main deal why it worked on my example and not your approach is: - once packets get dropped (denied) on layer2, it will never reach upper layers Thus, NO OTHER action besides deny will avoid the

Re: ipfw with nat - allowing by MAC address

2007-04-24 Thread Julian Elischer
Julian Elischer wrote: Lubomir Georgiev wrote: OK, so let's get started. Here's my ruleset - 00300 131732 19262748 skipto 1200 ip from any to any { MAC any 00:19:d2:36:b8:48 or MAC 00:19:d2:36:b8:48 any } layer2 for a packet from a client through this machine to the intern

Re: ipfw with nat - allowing by MAC address

2007-04-24 Thread Julian Elischer
Lubomir Georgiev wrote: OK, so let's get started. Here's my ruleset - 00300 131732 19262748 skipto 1200 ip from any to any { MAC any 00:19:d2:36:b8:48 or MAC 00:19:d2:36:b8:48 any } layer2 for a packet from a client through this machine to the internet: on the first pass (packet in etherne

Re: ipfw with nat - allowing by MAC address

2007-04-23 Thread Julian Elischer
ok so I just emailed how I would do this.. Did you not receive it? Lubomir Georgiev wrote: OK people - here's the deal. I have tried the setup as described by *Patrick Tracanelli at *click but the shitty thing still does

Re: ipfw with nat - allowing by MAC address

2007-04-23 Thread Julian Elischer
Patrick Tracanelli wrote: the trick is to remember that "check-state" just re-runs the rule that had the original keep-state, and that that rule can be almost anything, including a skipto. What if it is a FWD? true too.. though fwd will do nothing in Layer2 use skipto to simulate what you

Re: ipfw with nat - allowing by MAC address

2007-04-23 Thread Julian Elischer
single box was possible because I had seen it with my own two eyes. I just didn't take the time to see the ruleset then. I was going there in a couple of days and was going to shed some light on the subject but it turns out I don't need to - Patrick and Julian have backed me up. I

Re: ipfw with nat - allowing by MAC address

2007-04-22 Thread Julian Elischer
AT Matik wrote: On Sunday 22 April 2007 06:13, Lubomir Georgiev wrote: As a side note - I had found "sysctl net.link.ether.ipfw=1" and it was enabled during my endless futile attempts. I believe that my problem lies in my rules but I can't figure out what's wrong with them So someone please

Re: ipfw changes being contemplated..

2007-04-18 Thread Julian Elischer
Luigi Rizzo wrote: On Wed, Apr 18, 2007 at 02:52:43PM -0700, Julian Elischer wrote: Chuck Swiger wrote: On Apr 18, 2007, at 1:58 PM, Julian Elischer wrote: I'm contemplating the following changes to functionality: I'd like suggestions and comments... 1/ Commit capability In this

Re: ipfw changes being contemplated..

2007-04-18 Thread Julian Elischer
Max Laier wrote: On Wednesday 18 April 2007 22:58, Julian Elischer wrote: I'm contemplating the following changes to functionality: I'd like suggestions and comments... 1/ Commit capability Isn't this already there with "set"s ? kind of, but I expressed it b

Re: ipfw changes being contemplated..

2007-04-18 Thread Julian Elischer
AT Matik wrote: On Wednesday 18 April 2007 18:08, Julian Elischer wrote: Also One possibility of 6 would be to make a family of firewalls rather than one, that work together, Hi probably I do not understand what you are trying to achieve ... basically I am missing a reason for this "m

Re: ipfw changes being contemplated..

2007-04-18 Thread Julian Elischer
Chuck Swiger wrote: On Apr 18, 2007, at 1:58 PM, Julian Elischer wrote: I'm contemplating the following changes to functionality: I'd like suggestions and comments... 1/ Commit capability In this change you declare a new firewall, and modify/build it, and then you 'commit

Re: ipfw changes being contemplated..

2007-04-18 Thread Julian Elischer
Julian Elischer wrote: I'm contemplating the following changes to functionality: I'd like suggestions and comments... 1/ Commit capability In this change you declare a new firewall, and modify/build it, and then you 'commit' it so that the whole change is atomic. I h

ipfw changes being contemplated..

2007-04-18 Thread Julian Elischer
I'm contemplating the following changes to functionality: I'd like suggestions and comments... 1/ Commit capability In this change you declare a new firewall, and modify/build it, and then you 'commit' it so that the whole change is atomic. I have a current bug at work where automatic changes

Re: kern/111121: [ipfw] After the latest changes ipfw2 complains: "ipfw: opcode 50 size 2 wrong"

2007-04-04 Thread Julian Elischer
Synopsis: [ipfw] After the latest changes ipfw2 complains: "ipfw: opcode 50 size 2 wrong" State-Changed-From-To: open->closed State-Changed-By: julian State-Changed-When: Wed Apr 4 17:11:48 PDT 2007 State-Changed-Why: MFC reverted. http://www.freebsd.org/cgi/query-pr.

Re: cvs commit: src/sys/netinet ip_fw.h ip_fw2.c ip_fw_pfil.c ip_input.c

2007-04-03 Thread Julian Elischer
this time, with the patch :-) Max Laier wrote: On Tuesday 03 April 2007 10:16, Julian Elischer wrote: julian 2007-04-03 08:16:05 UTC FreeBSD src repository Modified files:(Branch: RELENG_6) sys/netinet ip_fw.h ip_fw2.c ip_fw_pfil.c ip_input.c Log: Revert

Re: cvs commit: src/sys/netinet ip_fw.h ip_fw2.c ip_fw_pfil.c ip_input.c

2007-04-03 Thread Julian Elischer
Max Laier wrote: On Tuesday 03 April 2007 10:16, Julian Elischer wrote: julian 2007-04-03 08:16:05 UTC FreeBSD src repository Modified files:(Branch: RELENG_6) sys/netinet ip_fw.h ip_fw2.c ip_fw_pfil.c ip_input.c Log: Revert one of the MFCs from Friday as it

Re: bad test in /etc/rc.d/ip6fw

2007-04-03 Thread Julian Elischer
Sean McNeil wrote: Hi Henrique, For Firewall in IPV6 enable in kernel options IPV6FIREWALL # Enable ipfirewall(4) for ipv6 options IPV6FIREWALL_VERBOSE # Enable log's in syslogd(4) options IPV6FIREWALL_VERBOSE_LIMIT=100 # Set limite in syslogd in 100 registers options IPV6FIREWALL_DEFAULT_TO

Re: bad test in /etc/rc.d/ip6fw

2007-04-03 Thread Julian Elischer
Sean McNeil wrote: Hi Henrique, For Firewall in IPV6 enable in kernel options IPV6FIREWALL # Enable ipfirewall(4) for ipv6 options IPV6FIREWALL_VERBOSE # Enable log's in syslogd(4) options IPV6FIREWALL_VERBOSE_LIMIT=100 # Set limite in syslogd in 100 registers options IPV6FIREWALL_DEFAULT_TO

Re: IPFW update frequency

2007-03-31 Thread Julian Elischer
Luigi Rizzo wrote: On Sat, Mar 31, 2007 at 10:21:02AM +0200, Andre Oppermann wrote: Julian Elischer wrote: Luigi Rizzo wrote: On Fri, Mar 30, 2007 at 01:40:46PM -0700, Julian Elischer wrote: I have been looking at the IPFW code recently, especially with respect to locking. There are some

Re: IPFW update frequency

2007-03-31 Thread Julian Elischer
Thanks for the information.. The main thrust for me is to make it not hold any locks during processing. performance is 2nd Andre Oppermann wrote: Julian Elischer wrote: Luigi Rizzo wrote: On Fri, Mar 30, 2007 at 01:40:46PM -0700, Julian Elischer wrote: I have been looking at the IPFW code

Re: IPFW update frequency

2007-03-30 Thread Julian Elischer
AT Matik wrote: On Friday 30 March 2007 17:40, Julian Elischer wrote: I have been looking at the IPFW code recently, especially with respect to locking. There are some things that could be done to improve IPFW's behaviour when processing packets, but some of these take a toll (there is alw

Re: IPFW update frequency

2007-03-30 Thread Julian Elischer
Freddie Cash wrote: On Friday 30 March 2007 01:40 pm, Julian Elischer wrote: I have been looking at the IPFW code recently, especially with respect to locking. There are some things that could be done to improve IPFW's behaviour when processing packets, but some of these take a toll (the

Re: IPFW update frequency

2007-03-30 Thread Julian Elischer
Luigi Rizzo wrote: On Fri, Mar 30, 2007 at 01:40:46PM -0700, Julian Elischer wrote: I have been looking at the IPFW code recently, especially with respect to locking. There are some things that could be done to improve IPFW's behaviour when processing packets, but some of these take a

Re: IPFW update frequency

2007-03-30 Thread Julian Elischer
Kevin Day wrote: On Mar 30, 2007, at 3:40 PM, Julian Elischer wrote: I have been looking at the IPFW code recently, especially with respect to locking. There are some things that could be done to improve IPFW's behaviour when processing packets, but some of these take a toll (the

IPFW update frequency

2007-03-30 Thread Julian Elischer
s rule changing to be a really efficient operation? (does it matter to you if it takes a few milliSecs to add a rule?) Julian

Re: ipfw tracing

2006-10-24 Thread Julian Elischer
Andrey V. Elsukov wrote: Hi, All! I've made a small patch that adds a rule action tracing feature to ipfw2. http://butcher.heavennet.ru/patches/kernel/ipfw_trace/ This patch can be useful when you have too many ipfw-rules. When some packets not pass ipfw - It is not easy to determine rule whic

Re: [patch] ipfw packet tagging

2006-05-13 Thread Julian Elischer
Vadim Goncharov wrote: 12.05.06 22:56 Luigi Rizzo wrote: A question about features: is it worth adding functionality of matching range of tags? For example: ipfw add pass ip from any to any tagged 1-5,10,20 i think it is a useful feature, and if you reuse the existing code for matching por

Re: FreeBSD 6.0 - ipfw fwd with bridge mode

2005-11-20 Thread Julian Elischer
Özkan KIRIK wrote: Hi, i am trying to forward packets via ipfw in bridge mode. is there any patch for 6.0-Release? thanks for your interests,

Re: Traffic quota features in IPFW

2005-07-18 Thread Julian Elischer
Luigi Rizzo wrote: On Mon, Jul 18, 2005 at 06:34:56AM +, Walery Kokarev wrote: And why can't one use divert(4) interface? It looks quite suitable for that particular task. no _that_ would really be a performance killer!
