From: "Jin Guojun[VFF]" <jguojun@gmail.com>
Date: Sat, 15 Nov 2008 13:38:02 -0800
To: questions@freebsd.org, ipfw@freebsd.org
Subject: some ipfw filter does not function under Release 6.3
Message-ID: <491F413A.4020108@gmail.com>

Below is a set of ipfw rules, but it seems that not all rules are functioning properly. The rules from 361 through the first two of 567 are not blocking any traffic and are not measuring any traffic. Is this because the tcp rule (330) can overwrite the ip rule, or is this a known issue in R-6.3? The second and third rules in rule set 567 seem to be working well.
-Jin

---------------- ipfw rule sets ---------
00330 3108378 2700826874 allow tcp from any to any established
00361 0 0 deny ip from 203.83.248.93 to any
00361 0 0 deny ip from 72.30.142.215 to any
00567 0 0 deny ip from 193.200.241.171 to any
00567 0 0 deny ip from 221.192.199.36 to any
00567 3 180 deny ip from 118.153.18.186 to any
00567 3 180 deny ip from 203.78.214.180 to any
00567 0 0 deny ip from 118.219.232.123 to any
65500 220 20043 allow udp from any to any
65535 2 120 deny ip from any to any

------ traffic captured by tcpdump behind ipfw machine -----
04:12:20.940095 IP 221.192.199.36.12200 > 192.168.2.14.80: S 200229998:200229998(0) win 8192
04:12:21.204430 IP 221.192.199.36.12200 > 192.168.2.14.80: R 200229999:200229999(0) win 0
04:31:16.262402 IP 221.192.199.36.12200 > 192.168.2.14.80: S 200233658:200233658(0) win 8192
04:31:16.541868 IP 221.192.199.36.12200 > 192.168.2.14.80: R 200233659:200233659(0) win 0
05:27:04.031434 IP 221.192.199.36.12200 > 192.168.2.14.80: S 200244634:200244634(0) win 8192
05:27:04.303262 IP 221.192.199.36.12200 > 192.168.2.14.80: R 200244635:200244635(0) win 0
05:28:18.099443 IP 221.192.199.36.3362 > 192.168.2.14.80: S 2422872529:2422872529(0) win 65535
05:28:18.352083 IP 221.192.199.36.3362 > 192.168.2.14.80: . ack 3968474717 win 65535
05:28:18.367745 IP 221.192.199.36.3362 > 192.168.2.14.80: P 0:205(205) ack 1 win 65535
05:28:18.621538 IP 221.192.199.36.3362 > 192.168.2.14.80: R 205:205(0) ack 473 win 0
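The ordering question the post turns on, worked through as an added example (not part of the original message, and not FreeBSD's code). Two facts from ipfw(8) drive it: rules are evaluated in order and the first match decides the packet's fate, and the `established` option matches TCP packets that have the RST or ACK bit set. The model below is a constructed, deliberately minimal imitation of that matching: it covers only what the posted rules use (allow/deny, ip/tcp/udp, a single source address or `any`, and `established`) and ignores interfaces, direction, ports and dynamic rules. The packets are modelled on the tcpdump lines from 221.192.199.36; the address 192.0.2.10 (TEST-NET-1) is an assumed stand-in for a host that is not on the deny list.

```python
"""First-match walk-through of the posted ipfw rule set (constructed example).

Models only the subset of ipfw(8) matching that the posted rules use.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str                          # "tcp", "udp", ...
    src: str
    dst: str
    tcp_flags: frozenset = frozenset()  # subset of {"SYN", "ACK", "RST", ...}


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                # "allow" or "deny"
    proto: str                 # "ip" matches every protocol
    src: str                   # "any" or one address
    dst: str
    established: bool = False  # ipfw(8): TCP packet with RST or ACK set

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src != "any" and self.src != pkt.src:
            return False
        if self.dst != "any" and self.dst != pkt.dst:
            return False
        if self.established:
            # A bare SYN carries neither ACK nor RST, so "established" skips it.
            if pkt.proto != "tcp" or not (pkt.tcp_flags & {"ACK", "RST"}):
                return False
        return True


def parse_rule(line: str) -> Rule:
    """Parse one line of `ipfw show` output: number, packets, bytes, rule body."""
    tok = line.split()
    if tok[5] != "from" or tok[7] != "to":
        raise ValueError(f"unexpected rule syntax: {line!r}")
    options = tok[9:]
    unknown = set(options) - {"established"}
    if unknown:
        raise ValueError(f"option not modelled: {unknown} in {line!r}")
    return Rule(int(tok[0]), tok[3], tok[4], tok[6], tok[8], "established" in options)


# The rule set exactly as posted; the counters are parsed past and ignored.
RULESET = """\
00330 3108378 2700826874 allow tcp from any to any established
00361 0 0 deny ip from 203.83.248.93 to any
00361 0 0 deny ip from 72.30.142.215 to any
00567 0 0 deny ip from 193.200.241.171 to any
00567 0 0 deny ip from 221.192.199.36 to any
00567 3 180 deny ip from 118.153.18.186 to any
00567 3 180 deny ip from 203.78.214.180 to any
00567 0 0 deny ip from 118.219.232.123 to any
65500 220 20043 allow udp from any to any
65535 2 120 deny ip from any to any
"""

RULES = [parse_rule(line) for line in RULESET.splitlines() if line.strip()]


def first_match(pkt: Packet, rules=RULES) -> Rule:
    """ipfw stops at the first matching rule; 65535 is the catch-all."""
    for rule in rules:
        if rule.matches(pkt):
            return rule
    raise RuntimeError("no rule matched; a real rule set always ends in 65535")


# Packets modelled on the posted capture (221.192.199.36 -> 192.168.2.14:80),
# plus two constructed packets from an address that is not on the deny list.
BLOCKED_SRC = "221.192.199.36"
WEB = "192.168.2.14"
SYN = Packet("tcp", BLOCKED_SRC, WEB, frozenset({"SYN"}))          # "S ... win 8192"
ACK = Packet("tcp", BLOCKED_SRC, WEB, frozenset({"ACK"}))          # ". ack ... win 65535"
RST = Packet("tcp", BLOCKED_SRC, WEB, frozenset({"RST", "ACK"}))   # "R ... ack 473 win 0"
OTHER_SYN = Packet("tcp", "192.0.2.10", WEB, frozenset({"SYN"}))   # assumed host
OTHER_UDP = Packet("udp", "192.0.2.10", WEB)                       # assumed host


if __name__ == "__main__":
    for name, pkt in [("SYN", SYN), ("ACK", ACK), ("RST", RST),
                      ("other SYN", OTHER_SYN), ("other UDP", OTHER_UDP)]:
        r = first_match(pkt)
        print(f"{name:10s} from {pkt.src:15s} -> rule {r.number:05d} "
              f"{r.action} {r.proto} from {r.src}")
```

Under this model the ACK and RST segments from 221.192.199.36 are consumed by rule 330 and never reach the deny in set 567, which is the mechanism by which an early `established` rule can keep a later `deny ip` rule's counters at zero for mid-connection traffic. A bare SYN from that address does not match `established`, so the model hands it to the 567 deny rule; rule 330 by itself therefore does not account for the SYNs in the capture arriving at the host. The check a practitioner would make next is whether those packets actually traverse the filtering host through this rule set, for example by watching `ipfw show` counters while the connections are attempted, since the model here knows nothing about the interfaces or direction involved.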