Remember that rules are checked twice if "in" or "out" is not defined. Look at the net.inet.ip.fw.one_pass sysctl.
> Hi all,
> can anyone explain why these rules don't work:
>
> rl0 EXTINF
> rl1 INTINF
>
> add 1000 divert 8668 ip from any to any via rl0
> add 1200 allow ip from any to any via lo0
> add 1300 deny ip from any to 127.0.0.1/8
> add 1400 deny ip from 127.0.0.1/8 to any
> add 1500 check-state
> add 1550 allow icmp from any to any keep-state
> add 1600 allow log udp from any to any 53 keep-state
> add 1700 queue 1 log tcp from 192.168.1.0/24 to any 20,21,22,23 keep-state
> add 1800 queue 1 log tcp from any 20,21,22,23 to 192.168.1.0/24 keep-state
> #add 1900 allow log udp from any 137 to any keep-state
> add 2000 allow log tcp from 192.168.1.0/24 to any 80 keep-state
> add 2100 deny log ip from any to any
> queue 1 config weight 10 pipe 1 mask src-ip 0xffffff00
> queue 1 config weight 10 pipe 1 mask dst-ip 0xffffff00
> pipe 1 config bw 128kbit/s
>
> and when I change "192.168.1.0/24" to "any" it works, but the traffic shaping is not
> as it should be. I know this has something to do with natd and rule 1000,
> but that's the thing that confuses me: how can I limit or allow traffic to the local
> net (192.168.1.0/24)?
> Any help would be appreciated.
> _______________________________________________
> [EMAIL PROTECTED] mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "[EMAIL PROTECTED]"
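The script below is an added example, not the reply author's or the poster's configuration. It rewrites the posted ruleset so that every rule is pinned to one leg of a forwarded packet ("in recv rl1", "out xmit rl0", and so on), which is the point of the reply: a rule without "in" or "out" is evaluated once when the packet arrives on rl1 and again when it leaves on rl0, and on that second pass natd has already replaced the 192.168.1.x source, so "from 192.168.1.0/24" no longer matches there (and "any" matches twice, queueing every packet twice). Interface names rl0/rl1, the 192.168.1.0/24 network, divert port 8668 and the 128 kbit/s pipe are taken from the post; the rule numbers, the split into an upload and a download queue, the per-host queue masks and the stateless "established" checks in place of keep-state are my own choices. The two check functions turn the reply's rule of thumb into assertions over the generated batch file.

```sh
#!/bin/sh
# Added example, not code from the thread. Assumes the layout of the post:
# rl0 = external interface running natd on divert port 8668,
# rl1 = internal interface for 192.168.1.0/24, one 128 kbit/s pipe.
# Rule numbers, queue split and the "established" checks are my own choices.

# Print an ipfw batch file (feed it to "ipfw <file>"); comments are stripped.
ipfw_rules() {
    sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' <<'EOF'
# Loopback housekeeping, as in the post.
add 1200 allow ip from any to any via lo0
add 1300 deny ip from any to 127.0.0.0/8
add 1400 deny ip from 127.0.0.0/8 to any

# Leg 1: LAN -> Internet, packet arriving on rl1. natd has not touched it,
# so the 192.168.1.x source is still visible: shape and filter here.
# "in recv rl1" matches this leg only; "recv rl1" alone would fire again
# when the same packet goes out on rl0.
add 2000 queue 1 tcp from 192.168.1.0/24 to any 20,21,22,23 in recv rl1
# Reached only with net.inet.ip.fw.one_pass=0, where queue does not accept.
add 2010 allow tcp from 192.168.1.0/24 to any 20,21,22,23 in recv rl1
add 2100 allow tcp from 192.168.1.0/24 to any 80 in recv rl1
add 2200 allow udp from 192.168.1.0/24 to any 53 in recv rl1
add 2300 allow icmp from 192.168.1.0/24 to any in recv rl1
add 2900 deny log ip from any to any in recv rl1

# Leg 2: the same packet leaving on rl0. Translate, then pass: the policy
# decision was already made on leg 1 and the source is now the public IP.
add 3000 divert 8668 ip from any to any via rl0
add 3100 allow ip from any to any out xmit rl0

# Leg 3: Internet -> LAN, packet arriving on rl0. Rule 3000 already ran it
# through natd, so a reply to a LAN session carries its real 192.168.1.x
# destination again; unsolicited traffic still has the public address and
# falls through to rule 4000.
add 3200 queue 2 tcp from any 20,21,22,23 to 192.168.1.0/24 in recv rl0 established
add 3210 allow tcp from any 20,21,22,23 to 192.168.1.0/24 in recv rl0 established
add 3300 allow tcp from any 80 to 192.168.1.0/24 in recv rl0 established
add 3400 allow udp from any 53 to 192.168.1.0/24 in recv rl0
add 3500 allow icmp from any to 192.168.1.0/24 in recv rl0

# Leg 4: the reply leaving on rl1 towards the LAN host.
add 3900 allow ip from any to 192.168.1.0/24 out xmit rl1

add 4000 deny log ip from any to any

# One pipe, one WF2Q+ queue per direction. The mask keeps the host byte of
# the /24, so every LAN host gets its own flow and an equal share of the pipe.
pipe 1 config bw 128kbit/s
queue 1 config pipe 1 weight 10 mask src-ip 0x000000ff
queue 2 config pipe 1 weight 10 mask dst-ip 0x000000ff
EOF
}

# Number of rules naming the private network that lack "in" or "out".
# Such a rule is evaluated on both legs of a forwarded packet, and on the
# rl0 legs natd has already rewritten 192.168.1.x, so the answer must be 0.
unpinned_private_rules() {
    ipfw_rules | grep '192\.168\.1\.0/24' | grep -Evc ' (in|out) ' || true
}

# The divert rule number, and the first rule that matches the private
# destination on rl0. The latter only works after natd has run, so it
# must carry a higher number than the divert rule.
divert_rule_number() {
    ipfw_rules | awk '/ divert /{print $2; exit}'
}
first_private_rl0_rule() {
    ipfw_rules | awk '/192\.168\.1\.0\/24/ && / recv rl0/{print $2; exit}'
}

# Usage: "sh ipfw-nat-shape.sh" prints the batch file;
# "sh ipfw-nat-shape.sh apply" loads it on the gateway (root, FreeBSD).
if [ "${1:-}" = "apply" ]; then
    tmp=$(mktemp) || exit 1
    ipfw_rules > "$tmp"
    ipfw -q -f flush
    ipfw -q -f pipe flush
    ipfw -q "$tmp"
    rm -f "$tmp"
else
    ipfw_rules
fi
```

With the default net.inet.ip.fw.one_pass=1 a packet that hits a queue rule is accepted as soon as it leaves dummynet, so rules 2010 and 3210 are never reached; they are there so the same file also works with one_pass=0, where the packet re-enters at the next rule and would otherwise fall through to the final deny.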