Date: Tue, 14 Apr 2009 11:23:59 -0700
From: "Justin G." <justin@ocis.net>
To: freebsd-ipfw@freebsd.org
Subject: Re: Only seeing incrementing counters on 'count' and not 'allow'
Message-ID: <5da021490904141123r4420c2b5uc7f6e17680bc6f94@mail.gmail.com>
In-Reply-To: <5da021490904141101p372f2dc4o8fb787081a8e65a9@mail.gmail.com>
References: <5da021490904141101p372f2dc4o8fb787081a8e65a9@mail.gmail.com>
On Tue, Apr 14, 2009 at 11:01 AM, Justin G. <justin@ocis.net> wrote:
> Hello everyone,
>
> We've got a 6.2-RELEASE box functioning as a gateway. Today we noticed
> that, when we place allow rules (we were testing at rule numbers 1-5
> to prevent any other matching rules) they weren't incrementing
> properly, but when replaced with "count" rules that are identical,
> they increment. The firewall is set to "OPEN" on the box and we're
> using the default /etc/rc.firewall script without modifications.
>
> Here's an example of what's going on:
>
> --snip--
> [root@gateway ~]# ipfw show | head -2
> 00002          0            0 allow ip from any to 10.10.0.75
> 00002          0            0 allow ip from 10.10.0.75 to any
> [root@gateway ~]# ping 10.10.0.75
> PING 10.10.0.75 (10.10.0.75): 56 data bytes
> ^C
> --- 10.10.0.75 ping statistics ---
> 5 packets transmitted, 0 packets received, 100% packet loss
> [root@gateway ~]# ipfw show | head -2
> 00002          0            0 allow ip from any to 10.10.0.75
> 00002          0            0 allow ip from 10.10.0.75 to any
> [root@gateway ~]# ipfw add 1 count ip from any to 10.10.0.75
> 00001 count ip from any to 10.10.0.75
> [root@gateway ~]# ping 10.10.0.75
> PING 10.10.0.75 (10.10.0.75): 56 data bytes
> ^C
> --- 10.10.0.75 ping statistics ---
> 4 packets transmitted, 0 packets received, 100% packet loss
> [root@gateway ~]# ipfw show | head -3
> 00001          4          336 count ip from any to 10.10.0.75
> 00002          0            0 allow ip from any to 10.10.0.75
> 00002          0            0 allow ip from 10.10.0.75 to any
> [root@gateway ~]#
> --snip--
>
> These are the firewall settings as defined in /etc/rc.conf:
> --snip--
> firewall_enable="YES"
> firewall_logging="YES"
> firewall_type="open"
> --snip--
>
> I've been puzzling over this all day and would appreciate any
> direction provided :-)
>
> Have a great day.

Never mind! I guess I posted too soon. The issue turned out to be that the rules were created with "allow IP from" instead of "allow ip from" -- it's interesting to me that it displays in the "ipfw show" output as lower case. I've just verified that this also occurs on FreeBSD 7.1 -- is this intended functionality?
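The thread's own diagnosis was done by eye: counters on the allow rules stayed at zero while an identical count rule incremented, and "ipfw show" printed "ip" even though the rules had been typed with "IP". As an added example (not code from the thread or from FreeBSD), the checker below parses constructed "ipfw show" output modelled on the post and automates both observations: it lists rules with zero packet hits and reports tokens that differ only by letter case between the ruleset as typed and the ruleset as displayed. It assumes the typed rules are supplied in the same order as the displayed ones.

```python
import re

# Constructed sample of `ipfw show` output, modelled on the thread (not copied from it).
IPFW_SHOW = """\
00001          4          336 count ip from any to 10.10.0.75
00002          0            0 allow ip from any to 10.10.0.75
00002          0            0 allow ip from 10.10.0.75 to any
65535    1234567    98765432 allow ip from any to any
"""

# Constructed: the same rules as they were typed into the ruleset (note "IP").
# Assumption: listed in the same order as `ipfw show` prints them.
CONFIGURED = [
    "count ip from any to 10.10.0.75",
    "allow IP from any to 10.10.0.75",
    "allow IP from 10.10.0.75 to any",
    "allow ip from any to any",
]

# `ipfw show` line layout: rule number, packet counter, byte counter, rule body.
LINE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(.+)$")


def parse_ipfw_show(text):
    """Return (rule_number, packets, bytes, body) tuples for each parsable line."""
    rules = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rules.append((int(m[1]), int(m[2]), int(m[3]), m[4]))
    return rules


def zero_hit_rules(rules):
    """Rule numbers whose packet counter is still zero (candidates for 'never matched')."""
    return [num for num, packets, _, _ in rules if packets == 0]


def case_only_mismatches(configured, shown):
    """Tokens that differ from the displayed rule text only by letter case.

    Such differences are invisible in `ipfw show` output, so compare against the
    ruleset source rather than trusting the normalised display.
    """
    mismatches = []
    for typed, (num, _, _, body) in zip(configured, shown):
        for a, b in zip(typed.split(), body.split()):
            if a != b and a.lower() == b.lower():
                mismatches.append((num, a, b))
    return mismatches
```

Feeding real output from "ipfw show" and the rule lines from the live ruleset file in place of the constructed samples turns this into a quick post-change sanity check.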