Date: Thu, 25 Jul 2002 12:53:46 +0200
From: "Jo B. Grasmo"
To: ipfw@freebsd.org
Subject: IPFW2
Message-ID: <20020725125346.A8987@dustpuppy.world-online.no>

Hello,

I upgraded to the latest -stable yesterday to check out ipfw2, and it loaded my ruleset perfectly, so 2 thumbs up so far.

Given the extremely simple (and useless, I know) ruleset:

    # ipfw -at list
    01000 0 0 check-state
    01010 8 848 Thu Jul 25 12:43:43 2002 deny tcp from any to any established
    01020 5862 587140 Thu Jul 25 12:43:58 2002 allow tcp from any to any setup keep-state
    65535 17407 2155622 Thu Jul 25 12:43:07 2002 deny ip from any to any

IPFW1 used to list connections matching dynamic rules explicitly. Has that functionality been removed or just hasn't it been implemented yet?

On a side-note, I've never seen "check-state" counters increment. Shouldn't they? The rule obviously works, because if I remove it all connections die.

IPFW1 also rewrote rules like this:

    ipfw add 2000 allow tcp from any to 10.1.1.1 22 in via xl0 setup keep-state

into this:

    02000 allow tcp from any to 10.1.1.1 22 keep-state in recv xl0 setup

IPFW2 doesn't, which broke my scripts.

One final question, when can we see IPFW2 as a kernel module? :-)

Regards,
Jo B. Grasmo