Date:      Wed, 26 Sep 2001 09:25:08 -0500
From:      David Kelly <dkelly@hiwaay.net>
To:        Nick Rogness <nick@rogness.net>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: natd/ipfw/sshd problem.
Message-ID:  <20010926092508.A20900@grumpy.dyndns.org>
In-Reply-To: <Pine.BSF.4.21.0109252208520.47372-100000@cody.jharris.com>; from nick@rogness.net on Tue, Sep 25, 2001 at 10:13:41PM -0500
References:  <200109260307.f8Q37Ww18996@grumpy.dyndns.org> <Pine.BSF.4.21.0109252208520.47372-100000@cody.jharris.com>

On Tue, Sep 25, 2001 at 10:13:41PM -0500, Nick Rogness wrote:
> On Tue, 25 Sep 2001, David Kelly wrote:
> 
> > Brian Whalen writes:
> > > Is anyone doing anything about that??
> > [...]
> > > > > I find it interesting that somehow 27 packets got past 65000. Can only
> > > > > assume not all of the above rules were added at the same time.
> > > >
> > > > 	It is possible for packets to arrive before the firewall rules get
> > > > 	loaded.
> > 
> > That's why the default is to deny all. It's exactly the same to IP from
> > the outside as if the interface was not up yet.
> 
> 	Yes, but my point was that the counters will still get
> 	incremented.

They got incremented because the default rule got hits. I can't find any
fault with this behavior. "Fixing it" reminds me of the ancient battle
between HP and TI calculators where TI returned a value for sqrt(2) which
when squared on a TI calculator resulted in exactly 2.0. But HP returned
the most accurate value its precision allowed in spite of the fact this
value squared was just shy of 2.0. One disguised the error with a little
white lie, the other consistently told the best truth it knew.

Packets got blocked. The only right thing to do is to increment the
counters.

If it bothers you then add "${fwcmd} zero" at the end of your firewall
rules.

-- 
David Kelly N4HHE, dkelly@hiwaay.net
=====================================================================
The human mind ordinarily operates at only ten percent of its
capacity -- the rest is overhead for the operating system.
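
The situation discussed in this thread (a catch-all rule followed by hits on the default rule 65535) can be checked mechanically. The following is an added example, not code from the original message or from FreeBSD: it parses constructed `ipfw show` output (assumed column layout: rule number, packet count, byte count, rule text) and reports rules that cannot be reached in steady state yet carry counters, so their hits must predate loading of the earlier rules or the last `ipfw zero`.

```python
import re
from dataclasses import dataclass

# Constructed sample of `ipfw show` (`ipfw -a list`) output modelled on the
# thread: rule 65000 passes everything, yet the default rule 65535 still
# counted 27 packets, i.e. they arrived before rule 65000 was loaded.
SAMPLE_IPFW_SHOW = """\
00100      0        0 allow ip from any to any via lo0
00200      0        0 deny ip from any to 127.0.0.0/8
00300      0        0 deny ip from 127.0.0.0/8 to any
65000   1532  1201988 allow ip from any to any
65535     27     2106 deny ip from any to any
"""

# number, packets, bytes, action, remainder of the rule
LINE_RE = re.compile(r"^(\d{5})\s+(\d+)\s+(\d+)\s+(\S+)\s+(.*)$")

TERMINATING_ACTIONS = {"allow", "accept", "pass", "permit", "deny", "drop"}


@dataclass
class Rule:
    number: int
    packets: int
    nbytes: int
    action: str
    body: str


def parse_ipfw_show(text):
    """Parse counter-annotated ipfw listing lines into Rule objects."""
    rules = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank lines or the dynamic-rule section
        rules.append(Rule(int(m[1]), int(m[2]), int(m[3]), m[4], m[5]))
    return rules


def is_catch_all(rule):
    """A terminating rule with no interface/option qualifiers matches everything."""
    return rule.action in TERMINATING_ACTIONS and rule.body == "ip from any to any"


def stale_hits(rules):
    """Rules after the first catch-all that nonetheless have packet counts."""
    catch_all = next((r for r in rules if is_catch_all(r)), None)
    if catch_all is None:
        return []
    return [r for r in rules if r.number > catch_all.number and r.packets > 0]


if __name__ == "__main__":
    for r in stale_hits(parse_ipfw_show(SAMPLE_IPFW_SHOW)):
        print(f"rule {r.number:05d}: {r.packets} packets counted before rules were fully loaded")
```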
