ipfw: count=pass?
Hello!

I've tried to block users from surfing the web once they have moved a certain amount of traffic per week. I put a series of "count" rules in ipfw and let cron call a script every 5 minutes to read the associated byte counter and possibly insert "deny" rules *after* the count rules.

The problem is that the traffic still goes through: the counters of the deny rules are all 0, as though they were never reached. ipfw's manual page states that after a count the packet goes ahead in the rule chain as if nothing has happened, but at this point I'm beginning to wonder whether this is true or whether the count rules also allow traffic through as if they were "pass".

This is on FreeBSD 4.7-p3.

bye & Thanks
av.

To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-net" in the body of the message
Re: ipfw: count=pass?
Andrea Venturoli wrote:
> ipfw's manual page states that after a count the packet goes ahead in the rule chain as if nothing has happened, but at this point I'm beginning to wonder whether this is true or whether the count rules also allow traffic through as if they were "pass".

No, count works as advertised -- the matching packets are counted and rule processing resumes with the next rule with a higher rule number.
Divert Socket Send Functionality
Hi there,

I want to know: if I change the dst IP addr. of a packet, the socket send sys call won't change it, will it? In other words, will the divert socket type change the IP address itself?

THANX
Re: Divert Socket Send Functionality
soheil soheil wrote:
> Hi there, I want to know: if I change the dst IP addr. of a packet, the socket send sys call won't change it, will it? In other words, will the divert socket type change the IP address itself?

Huh? The process at the other end of the divert socket may rewrite any part of it. natd may change the dst address and recalculate the checksum. For ICMP error packets, it even rewrites the address of the included offending packet.

You'd better correct the checksum if you mess with any part of the header (or contents, in the case of TCP). See /usr/src/sbin/natd for code examples.
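
Added example, not part of the original thread and not taken from natd: a sketch of the checksum correction the reply above asks for, rewriting the destination address of an IPv4 header and patching the header checksum incrementally (RFC 1624), then re-verifying it with a full RFC 1071 sum. The function names and the sample header are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Fold the carries of a 32-bit one's-complement sum back into 16 bits. */
static uint16_t fold(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)sum;
}

/* RFC 1071: the header is intact when all its words, checksum included, sum to 0xffff. */
int ip_header_valid(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return 0;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;
    if (hlen < 20 || hlen > len)
        return 0;
    uint32_t sum = 0;
    for (size_t i = 0; i < hlen; i += 2)
        sum += rd16(pkt + i);
    return fold(sum) == 0xffff;
}

/* RFC 1624 eqn. 3: HC' = ~(~HC + ~m + m'), applied to a changed 32-bit field. */
static void cksum_adjust(uint8_t *ck, const uint8_t *old, const uint8_t *new4)
{
    uint32_t sum = (uint16_t)~rd16(ck);
    for (int i = 0; i < 4; i += 2)
        sum += (uint16_t)~rd16(old + i) + (uint32_t)rd16(new4 + i);
    uint16_t hc = (uint16_t)~fold(sum);
    ck[0] = (uint8_t)(hc >> 8);
    ck[1] = (uint8_t)(hc & 0xff);
}

/* Rewrite the destination address in place; 0 on success, -1 if the header is not valid. */
int rewrite_dst(uint8_t *pkt, size_t len, const uint8_t new_dst[4])
{
    if (!ip_header_valid(pkt, len))
        return -1;
    cksum_adjust(pkt + 10, pkt + 16, new_dst);  /* checksum at offset 10, dst at 16 */
    /* TCP/UDP checksums also cover the addresses through the pseudo-header;
       that field needs the same adjustment (not done in this sketch). */
    memcpy(pkt + 16, new_dst, 4);
    return 0;
}

/* Constructed sample: header only, UDP, 192.168.0.1 -> 192.168.0.199. */
const uint8_t SAMPLE[20] = { 0x45, 0x00, 0x00, 0x73, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11,
                             0xb8, 0x61, 0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0xc7 };
```

Editing the address bytes without the adjustment leaves a header that `ip_header_valid` rejects, which is the failure the reply warns about.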