I have found the error of my ways...
For the purposes of the archives, I'm posting what actually made this
work. It is a very simple fix and I don't quite know how I missed trying
this out during my frustrations.
Before the "ipfw fwd..." line you need one or more "ipfw skipto..."
lines to en
cool..
Now that you've done it by hand, could you write a script to automate
the tree creation?
(than we could commit it.. )
Actually Can you show me a sample?
It seems to me that you should be able to get the number of filters
processed on average to be much less than 100.
On Thu, 20 Sep 20
Our network layout is such that our ipfw box is purely a pass-thru between
our router and our network providers router:
[our router] <--> [freebsd box running ipfw] <--> [network provider]
/ \
On Wed, 19 Sep 2001, Bill Fumerola wrote:
> On Wed, Sep 19, 2001 at 07:39:13PM +0200, Leif Neland wrote:
>
> > Or you could patch ipfw to be able to use a hash-db :-)
>
> skipto caches the pointer of the rule its skipping to the first time
> it uses that rule. not going to get a better hash hit
Luigi Rizzo wrote:
>
> > On Wed, Sep 19, 2001 at 07:39:13PM +0200, Leif Neland wrote:
> >
> > > Or you could patch ipfw to be able to use a hash-db :-)
> >
> > skipto caches the pointer of the rule its skipping to the first time
> > it uses that rule. not going to get a better hash hit then that.
> On Wed, Sep 19, 2001 at 07:39:13PM +0200, Leif Neland wrote:
>
> > Or you could patch ipfw to be able to use a hash-db :-)
>
> skipto caches the pointer of the rule its skipping to the first time
> it uses that rule. not going to get a better hash hit then that...
not enough. The original mes
On Wed, Sep 19, 2001 at 07:39:13PM +0200, Leif Neland wrote:
> Or you could patch ipfw to be able to use a hash-db :-)
skipto caches the pointer of the rule its skipping to the first time
it uses that rule. not going to get a better hash hit then that...
--
- bill fumerola / [EMAIL PROTECTED]
> > Third, take into account that since ipfw takes 'first matching rule
> > wins' approach, you will get performance boost by moving more
> > frequently used and more general rules "up" in the ruleset. For
> > example, if you move the rule from position 700 to 200 packet will be
> > matched only
On Wed, 19 Sep 2001, Krzysztof Zaraska wrote:
> First, is there any specific reason for allowing only specific 900 subnets
> instead of the whole 'cost nothing' network? How big is this network? How
> would this increase the risk?
CA*Net3 vs "commercial net" traffic ...
> Second, with that numb
On Wed, Sep 19, 2001 at 12:05:34AM -0400, Anthony Schneider wrote:
> it might have something to do with the prereleasenature of the machine.
> -Anthony.
No it has nothing to do with -PRERELEASE. ipfw by any other name is ipfw.
> On Tue, Sep 18, 2001 at 11:14:50PM -0400, Marc G. Fournier wrote:
On Tue, 18 Sep 2001, Marc G. Fournier wrote:
>
> I recently setup a box on our network, running FreeBSD 4.4-PRERELEASE,
> with ipfw and dummynet to do bandwidth shaping as well as firewalling ...
>
> The machine is a Dual PIII 733 w/1gig of RAM and 2xfxp0 devices ...
>
> I've got an /etc/fw.ru
"Marc G. Fournier" wrote:
>
> I recently setup a box on our network, running FreeBSD 4.4-PRERELEASE,
> with ipfw and dummynet to do bandwidth shaping as well as firewalling ...
>
> The machine is a Dual PIII 733 w/1gig of RAM and 2xfxp0 devices ...
>
> I've got an /etc/fw.rules file that has ~1
it might have something to do with the prereleasenature of the machine.
-Anthony.
On Tue, Sep 18, 2001 at 11:14:50PM -0400, Marc G. Fournier wrote:
>
> I recently setup a box on our network, running FreeBSD 4.4-PRERELEASE,
> with ipfw and dummynet to do bandwidth shaping as well as firewalling
I recently setup a box on our network, running FreeBSD 4.4-PRERELEASE,
with ipfw and dummynet to do bandwidth shaping as well as firewalling ...
The machine is a Dual PIII 733 w/1gig of RAM and 2xfxp0 devices ...
I've got an /etc/fw.rules file that has ~1200 rules in it so far, and
still have m
14 matches
Mail list logo
