ipfw - accessing DMZ from LAN , pipes
Marek Salwerowicz
marek_sal at wp.pl
Tue Nov 29 00:34:32 UTC 2011
On 2011-11-28 23:49, Freddie Cash wrote:
> This is something I've never really received a satisfactory answer to. I
> believe you have to put your pipe/queue rules in place of your final allow
> rules. IOW, the pipe/queue rules are the final rule that a packet touches
> in the ruleset.
>
> For example, for outgoing HTTP traffic, you would allow the packet coming
> in on the internal interface. Then you NAT the packet as it goes out the
> external interface. And, finally, you send the NAT'd packet to the
> pipe/queue, instead of allowing the NAT'd packet out the external interface.
Yes! You're right ;) Thanks for suggesting that to me.
I've done it like this:
$cmd add 4006 pipe 1 ip from $DMZHOST1PUB to any out xmit $PUBLICIF
#$cmd add 4010 allow ip from $DMZHOST1PUB to any out xmit $PUBLICIF
#commented - used pipe above
$cmd add 4016 pipe 2 ip from any to $DMZHOST1 in recv $PUBLICIF
#$cmd add 4020 allow ip from any to $DMZHOST1 in recv $PUBLICIF
#commented - used pipe above
And it worked ;)
And at the beginning of the firewall I put the pipe configs:
#pipe for DMZ hosts - pipe 1 upload limit
$cmd pipe 1 config bw 200Kbit/s
#pipe for DMZ hosts - pipe 2 download limit
$cmd pipe 2 config bw 1536Kbit/s
>
> All of the examples in the man page, handbook, and online show the 'add
> pipe' rules first, then the 'pipe config' rules. But that seems backward to
> me. So I always do my 'pipe config' rules first. After all, how do you send
> a packet to a pipe that doesn't exist yet? :)
>
;) it makes sense to configure the pipe first and then attach traffic to it -
for me it works
regards,
--
Marek Salwerowicz
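The ordering the thread settles on (pipe config first, then 'add pipe' rules in place of the final allow rules), as an added example that is not from the original thread or from the FreeBSD project. The interface name, the addresses and the check_pipe_order helper are assumptions made up for this example; CMD defaults to echo so the script is a dry run until you set CMD=ipfw. The pipe rule is the last rule a packet touches only because net.inet.ip.fw.one_pass defaults to 1; with one_pass=0 the packet re-enters the ruleset after the pipe, so the ordering check below matters either way but the "pipe replaces allow" shortcut does not.

```sh
#!/bin/sh
# Added example, not from the thread: build the DMZ ruleset in the order
# "pipe config first, then 'add pipe' instead of the final allow", and
# refuse to apply it if any rule refers to a pipe that was never configured.

CMD="${CMD:-echo}"           # dry run by default; CMD=ipfw applies for real
PUBLICIF="em0"               # assumed external interface
DMZHOST1="192.168.1.10"      # assumed DMZ host, inside address
DMZHOST1PUB="198.51.100.10"  # assumed public address (RFC 5737 test range)

# Emit the ruleset through the command given as $1 (echo or ipfw).
dmz_rules() {
    cmd="$1"

    # 1. Configure the pipes before any rule references them.
    $cmd pipe 1 config bw 200Kbit/s    # DMZ upload limit
    $cmd pipe 2 config bw 1536Kbit/s   # DMZ download limit

    # 2. Send the DMZ host's traffic to the pipes in place of the final
    #    allow rules. With net.inet.ip.fw.one_pass=1 (the default) a packet
    #    that enters a pipe leaves the ruleset there, so no allow is needed.
    $cmd add 4006 pipe 1 ip from "$DMZHOST1PUB" to any out xmit "$PUBLICIF"
    $cmd add 4016 pipe 2 ip from any to "$DMZHOST1" in recv "$PUBLICIF"
}

# Read rule lines on stdin; exit 0 if every 'add ... pipe N' line comes
# after a 'pipe N config' line, 1 otherwise (offending lines go to stdout).
check_pipe_order() {
    awk '
        BEGIN { bad = 0 }
        $1 == "pipe" && $3 == "config" { configured[$2] = 1; next }
        $1 == "add" {
            for (i = 2; i <= NF; i++)
                if ($i == "pipe" && !($(i + 1) in configured)) {
                    printf "line %d: pipe %s used before it is configured\n", NR, $(i + 1)
                    bad = 1
                }
        }
        END { exit bad }
    '
}

# Check the dry-run listing before anything touches the live firewall.
if dmz_rules echo | check_pipe_order; then
    dmz_rules "$CMD"
else
    echo "ruleset ordering error, not applying" >&2
    exit 1
fi
```

Run it as-is to see the rule list; run with CMD=ipfw as root to apply it. Swapping the two halves of dmz_rules makes check_pipe_order fail, which is exactly the "pipe that doesn't exist yet" mistake the thread discusses.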