Hello, Michael. You wrote on 29 August 2012, 19:01:08:

>> I have an interface (vr1), most of the traffic on which is PPPoE. I have an ipfw
>> firewall, which splits traffic by interfaces via:
>>
>> add 2000 skipto 5000 all from any to any via em0
>> add 2010 skipto 7000 all from any to any via wlan0
>> add 2020 skipto 11000 all from any to any via vr1
>> add 2030 skipto 13000 all from any to any via ng0
>> add 2040 skipto 15000 ipv6 from any to any via gif0
>> add 2999 deny all from any to any
>> ...
>> And later here are some basic checks, nat, "check-state" and some
>> stateful rules.
MS> Consider separating traffic not only by interface but also direction

It is done in rules 1000 and 1010; 2xxx is for incoming, 3xxx for outgoing. It is only a sample.

MS> ip from any to any in recv vr0
MS> and outgoing
MS> ip from any to any out xmit vr0

Yep, I'll collapse my two-rule chains into one rule.

>> Do PPPoE packets match rule 2020, and other rules like "nat 1 ip
>> from any to any"?
MS> Yes, and it seems that that is not what you want. The packets will be
MS> seen first by the firewall, then passed to whatever is handling PPPoE

But there is no rule for it, and the default policy is "deny"... But it works.

MS> on the local box, then re-injected into the IP stack, etc. for
MS> processing by firewall rules again.
MS> Is there a pppX pseudo-interface?

ng0, as I'm using mpd5, not system ppp.

--
// Black Lion AKA Lev Serebryakov <l...@freebsd.org>
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
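The per-interface-and-direction split discussed above (one `in recv` rule and one `out xmit` rule per interface, instead of a `via` rule followed by a second in/out split), written out as a rule generator. This is an added example, not code from the thread or from either poster; the skipto targets, the `iface:proto:in_target:out_target` spec format and the numbering scheme (base + 10 per rule, base + 999 for the closing deny) are assumptions chosen to mirror the 2xxx block in the mail.

```sh
#!/bin/sh
# Added example, not code from the original thread.  Generates an ipfw
# dispatcher block that branches on interface AND direction with one rule
# per (interface, direction).  Interface names and skipto targets are
# hypothetical; the rule numbering mirrors the 2xxx block in the thread
# but is an assumption.

# gen_split_rules BASE SPEC...
#   BASE  first rule number of the dispatcher block (e.g. 2000)
#   SPEC  "iface:proto:in_target:out_target", one per interface
# Prints ipfw(8) rule lines on stdout.  It never calls ipfw itself, so the
# output can be reviewed first and then loaded with `ipfw -q <file>`.
gen_split_rules() {
    base=$1; shift
    n=$base
    for spec in "$@"; do
        iface=${spec%%:*};      rest=${spec#*:}
        proto=${rest%%:*};      rest=${rest#*:}
        in_target=${rest%%:*}
        out_target=${rest#*:}
        # Packets received on $iface go to the incoming sub-block ...
        printf 'add %d skipto %d %s from any to any in recv %s\n' \
            "$n" "$in_target" "$proto" "$iface"
        n=$((n + 10))
        # ... and packets transmitted on $iface go to the outgoing sub-block.
        printf 'add %d skipto %d %s from any to any out xmit %s\n' \
            "$n" "$out_target" "$proto" "$iface"
        n=$((n + 10))
    done
    # Explicit catch-all so nothing falls through the dispatcher silently.
    printf 'add %d deny ip from any to any\n' "$((base + 999))"
}

# Constructed sample: the interfaces named in the thread, hypothetical targets.
# Run with --demo to print the generated rule set.
if [ "${1:-}" = "--demo" ]; then
    gen_split_rules 2000 \
        em0:ip:5000:6000 \
        wlan0:ip:7000:8000 \
        vr1:ip:11000:12000 \
        ng0:ip:13000:14000 \
        gif0:ipv6:15000:16000
fi
```

Each interface gets exactly two dispatcher rules, so the in/out decision is made once, at the point the packet is classified, rather than in a second chain; the output is plain `add ...` lines, which ipfw(8) accepts from a file one rule per line.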