From owner-freebsd-stable@FreeBSD.ORG  Tue Dec 13 15:14:43 2005
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
X-Original-To: freebsd-stable@FreeBSD.ORG
Delivered-To: freebsd-stable@FreeBSD.ORG
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 67A4B16A41F
	for <freebsd-stable@FreeBSD.ORG>; Tue, 13 Dec 2005 15:14:43 +0000 (GMT)
	(envelope-from olli@lurza.secnetix.de)
Received: from lurza.secnetix.de (lurza.secnetix.de [83.120.8.8])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 653AC43D7F
	for <freebsd-stable@FreeBSD.ORG>; Tue, 13 Dec 2005 15:14:38 +0000 (GMT)
	(envelope-from olli@lurza.secnetix.de)
Received: from lurza.secnetix.de (szcdsd@localhost [127.0.0.1])
	by lurza.secnetix.de (8.13.4/8.13.4) with ESMTP id jBDFEUI5025275
	for <freebsd-stable@FreeBSD.ORG>; Tue, 13 Dec 2005 16:14:31 +0100 (CET)
	(envelope-from oliver.fromme@secnetix.de)
Received: (from olli@localhost)
	by lurza.secnetix.de (8.13.4/8.13.1/Submit) id jBDFEUcu025274;
	Tue, 13 Dec 2005 16:14:30 +0100 (CET) (envelope-from olli)
Date: Tue, 13 Dec 2005 16:14:30 +0100 (CET)
Message-Id: <200512131514.jBDFEUcu025274@lurza.secnetix.de>
From: Oliver Fromme <olli@lurza.secnetix.de>
To: freebsd-stable@FreeBSD.ORG
In-Reply-To: <439D3053.3020504@optusnet.com.au>
X-Newsgroups: list.freebsd-stable
User-Agent: tin/1.5.4-20000523 ("1959") (UNIX) (FreeBSD/4.11-STABLE (i386))
Cc: 
Subject: Re: puzzling "ipfw show" output
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: freebsd-stable@FreeBSD.ORG
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>, 
	<mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
	<mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Dec 2005 15:14:43 -0000

Graham Menhennitt <gmenhennitt@optusnet.com.au> wrote:
 > I got the following output from "ipfw show" in my daily security run output email.
 > 
 > +++ /tmp/security.yri47lgA      Mon Dec 12 03:01:45 2005
 > +00522  3530 1204158 deny ip from 10.0.0.0/8 to any via sis1
 > +02522    18     784 deny tcp from any to any in via sis1 setup
 > +65530     0       0 deny ip from any to any
 > +65535     2     688 deny ip from any to any
 > 
 > Could somebody please explain to me how those packets got past rule 65530 to be 
 > stopped by (the identical) rule 65535?

In addition to the explanations already given, the above
output from "ipfw show" could also be caused by a rule
saying "skip 65535" somewhere.  ;-)

Of course, I assume that you wrote the whole rule set
yourself, so you would be aware of such a skip rule.
I just wanted to mention the possibility that rules need
not be evaluated in strict numerical order.

Best regards
   Oliver

-- 
Oliver Fromme,  secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"C++ is the only current language making COBOL look good."
        -- Bertrand Meyer