From owner-freebsd-questions Wed Sep 26 7:25:19 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from grumpy.dyndns.org (user-24-214-57-209.knology.net [24.214.57.209]) by hub.freebsd.org (Postfix) with ESMTP id 7A5C237B419 for ; Wed, 26 Sep 2001 07:25:16 -0700 (PDT)
Received: (from dkelly@localhost) by grumpy.dyndns.org (8.11.6/8.11.6) id f8QEP8Y20931; Wed, 26 Sep 2001 09:25:08 -0500 (CDT) (envelope-from dkelly)
Date: Wed, 26 Sep 2001 09:25:08 -0500
From: David Kelly
To: Nick Rogness
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: natd/ipfw/sshd problem.
Message-ID: <20010926092508.A20900@grumpy.dyndns.org>
References: <200109260307.f8Q37Ww18996@grumpy.dyndns.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from nick@rogness.net on Tue, Sep 25, 2001 at 10:13:41PM -0500
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Tue, Sep 25, 2001 at 10:13:41PM -0500, Nick Rogness wrote:
> On Tue, 25 Sep 2001, David Kelly wrote:
>
> > > Brian Whalen writes:
> > > Is anyone doing anything about that??
> > [...]
> > > > > I find it interesting that somehow 27 packets got past 65000. Can only
> > > > > assume not all of the above rules were added at the same time.
> > > >
> > > > It is possible for packets to arrive before the firewall rules get
> > > > loaded.
> >
> > That's why the default is to deny all. Is exactly the same to IP from
> > the outside as if the interface was not up yet.
>
> Yes, but my point was that the counters will still get
> incremented.

They got incremented because the default rule got hits. I can't find any
fault with this behavior. "Fixing it" reminds me of the ancient battle
between HP and TI calculators where TI returned a value for sqrt(2) which
when squared on a TI calculator resulted in exactly 2.0. But HP returned
the most accurate value its precision allowed in spite of the fact this
value squared was just shy of 2.0. One disguised the error with a little
white lie, the other consistently told the best truth it knew.

Packets got blocked. The only right thing to do is to increment the
counters. If it bothers you then add "${fwcmd} zero" at the end of your
firewall rules.

--
David Kelly N4HHE, dkelly@hiwaay.net
=====================================================================
The human mind ordinarily operates at only ten percent of its capacity
-- the rest is overhead for the operating system.
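The "${fwcmd} zero" suggestion above, worked into an rc.firewall-style loader, as an added example that is not part of the original message or of FreeBSD's own rc.firewall. It assumes ipfw at /sbin/ipfw, an outside interface name passed in by the caller, and a natd/sshd rule set of the kind the thread's subject implies; the rule numbers and the interface name are illustrative. The point it shows: the default rule 65535 already holds the hits for packets that arrived before the script ran, so zeroing the counters as the last step gives a clean baseline for later audits without hiding that those packets were blocked.

```shell
#!/bin/sh
# Added example (not from the original post): load an ipfw rule set for a
# natd gateway that exposes sshd, then zero the counters so the hits the
# default deny-all rule took before loading do not pollute later readings.

# Assumption: ipfw lives at /sbin/ipfw; override with fwcmd=... in the
# environment (rc.firewall uses the same variable name).
fwcmd="${fwcmd:-/sbin/ipfw}"

load_rules() {
    oif="$1"   # outside interface, e.g. "ed0" (assumed name)

    # Start from a clean slate; rule 65535 (deny ip from any to any)
    # is the compiled-in default and survives the flush.
    ${fwcmd} -f flush

    ${fwcmd} add 100 allow ip from any to any via lo0
    ${fwcmd} add 200 deny ip from any to 127.0.0.0/8

    # Hand everything on the outside interface to natd first.
    ${fwcmd} add 300 divert natd ip from any to any via "$oif"

    # Replies to connections we opened, and new inbound ssh only.
    ${fwcmd} add 400 allow tcp from any to any established
    ${fwcmd} add 500 allow tcp from any to me 22 in via "$oif" setup

    # Everything else falls through to 65535, whose counter already
    # includes the packets that arrived before this script ran.
    # Zero all counters now so the audit baseline starts here.
    ${fwcmd} zero
}

# Show per-rule packet and byte counters; after load_rules they all
# read zero until real traffic arrives.
show_counters() {
    ${fwcmd} -a list
}

# Usage (as root): sh this_script.sh ed0
if [ -n "$1" ] && [ "$(id -u)" -eq 0 ]; then
    load_rules "$1"
    show_counters
fi
```

Run it once at boot (or from rc.firewall) and `ipfw -a list` afterwards reports 0 for every rule, including 65535; any count that appears later is traffic that hit the loaded rule set, not the pre-load window.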