From: "Justin G."
Sender: justin@sigsegv.ca
To: freebsd-ipfw@freebsd.org
Date: Tue, 14 Apr 2009 11:23:59 -0700
Subject: Re: Only seeing incrementing counters on 'count' and not 'allow'
Message-ID: <5da021490904141123r4420c2b5uc7f6e17680bc6f94@mail.gmail.com>
In-Reply-To: <5da021490904141101p372f2dc4o8fb787081a8e65a9@mail.gmail.com>
List-Id: IPFW Technical Discussions

On Tue, Apr 14, 2009 at 11:01 AM, Justin G. wrote:
> Hello everyone,
>
> We've got a 6.2-RELEASE box functioning as a gateway. Today we noticed
> that, when we place allow rules (we were testing at rule numbers 1-5
> to prevent any other matching rules) they weren't incrementing
> properly, but when replaced with "count" rules that are identical,
> they increment.
> The firewall is set to "OPEN" on the box and we're
> using the default /etc/rc.firewall script without modifications.
>
> Here's an example of what's going on:
>
> --snip--
> [root@gateway ~]# ipfw show | head -2
> 00002          0          0 allow ip from any to 10.10.0.75
> 00002          0          0 allow ip from 10.10.0.75 to any
> [root@gateway ~]# ping 10.10.0.75
> PING 10.10.0.75 (10.10.0.75): 56 data bytes
> ^C
> --- 10.10.0.75 ping statistics ---
> 5 packets transmitted, 0 packets received, 100% packet loss
> [root@gateway ~]# ipfw show | head -2
> 00002          0          0 allow ip from any to 10.10.0.75
> 00002          0          0 allow ip from 10.10.0.75 to any
> [root@gateway ~]# ipfw add 1 count ip from any to 10.10.0.75
> 00001 count ip from any to 10.10.0.75
> [root@gateway ~]# ping 10.10.0.75
> PING 10.10.0.75 (10.10.0.75): 56 data bytes
> ^C
> --- 10.10.0.75 ping statistics ---
> 4 packets transmitted, 0 packets received, 100% packet loss
> [root@gateway ~]# ipfw show | head -3
> 00001          4        336 count ip from any to 10.10.0.75
> 00002          0          0 allow ip from any to 10.10.0.75
> 00002          0          0 allow ip from 10.10.0.75 to any
> [root@gateway ~]#
> --snip--
>
> These are the firewall settings as defined in /etc/rc.conf:
> --snip--
> firewall_enable="YES"
> firewall_logging="YES"
> firewall_type="open"
> --snip--
>
> I've been puzzling over this all day and would appreciate any
> direction provided :-)
>
> Have a great day.
>

Never mind! I guess I posted too soon. The issue turned out to be that
the rules were created with "allow IP from" instead of "allow ip from"
-- it's interesting to me that it displays as lower case in the
"ipfw show" output.
I've just verified that this also occurs on FreeBSD 7.1 -- is this intended functionality?
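The two checks a practitioner would want after reading this thread, as an added example that is not code from the thread or from FreeBSD: a diff of two `ipfw show` snapshots taken before and after test traffic, which shows which rules actually matched (the method the poster used by hand with `ipfw show | head`), and a lint of the rule text as it is loaded, because `ipfw show` prints the protocol in lower case and so hides the "IP" versus "ip" difference the poster found. The snapshot layout assumed is ipfw's `rulenum packets bytes rule-body`; the snapshots and the rule file below are constructed to mirror the poster's output, and flagging any non-lower-case protocol token rather than only "IP" is this example's assumption.

```python
"""Checks for the ipfw counter puzzle in the thread above.

1. counter_deltas / unmatched_rules: diff two `ipfw show` snapshots
   (before and after test traffic) to see which rules really matched.
2. protocol_case_problem / lint_ruleset: flag a protocol token that is
   not lower case in the rule text as loaded ("allow IP from ..."),
   since `ipfw show` normalises it to "ip" and hides the difference.

Added example, not code from the thread or from FreeBSD. Snapshot
format assumed: `rulenum packets bytes rule-body`. Sample data is
constructed to mirror the poster's output.
"""
import re

# One line of `ipfw show`: number, packet counter, byte counter, rule body.
_SHOW_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.*\S)\s*$")

# In an ipfw rule body the protocol token is the word right before "from".
_PROTO_BEFORE_FROM = re.compile(r"(\S+)\s+from\s")


def parse_show(text):
    """Parse `ipfw show` output into (rulenum, packets, bytes, body) tuples."""
    rules = []
    for line in text.splitlines():
        m = _SHOW_LINE.match(line)
        if m:
            num, pkts, byts, body = m.groups()
            rules.append((int(num), int(pkts), int(byts), body))
    return rules


def counter_deltas(before, after):
    """Packet/byte deltas per rule between two snapshots.

    Keyed by (number, body) because ipfw lets several rules share one
    number, as rule 00002 does in the thread. A rule absent from the
    first snapshot (added in between) is treated as starting at zero.
    """
    prev = {(n, body): (p, b) for n, p, b, body in parse_show(before)}
    deltas = []
    for n, p, b, body in parse_show(after):
        p0, b0 = prev.get((n, body), (0, 0))
        deltas.append((n, body, p - p0, b - b0))
    return deltas


def unmatched_rules(before, after):
    """Rules whose packet counter did not move during the test window."""
    return [(n, body) for n, body, dp, _ in counter_deltas(before, after) if dp == 0]


def protocol_case_problem(rule_text):
    """Return the protocol token if it is not all lower case, else None.

    The thread established this for "IP"; flagging every non-lower-case
    token is this example's assumption (lower-casing is always safe).
    Rules without a "from" clause (e.g. check-state) are skipped.
    """
    m = _PROTO_BEFORE_FROM.search(rule_text)
    if m is None:
        return None
    token = m.group(1)
    return token if token != token.lower() else None


def lint_ruleset(lines):
    """(line number, offending token) for each rule with a non-lower-case protocol."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        token = protocol_case_problem(line)
        if token is not None:
            findings.append((lineno, token))
    return findings


# Constructed snapshots mirroring the poster's output: rule 1 was added
# between the two, and 65535 stands in for the default rule at the end.
BEFORE = """\
00002          0          0 allow ip from any to 10.10.0.75
00002          0          0 allow ip from 10.10.0.75 to any
65535      12345    6789012 allow ip from any to any
"""

AFTER = """\
00001          4        336 count ip from any to 10.10.0.75
00002          0          0 allow ip from any to 10.10.0.75
00002          0          0 allow ip from 10.10.0.75 to any
65535      12349    6789348 allow ip from any to any
"""

# Constructed rule file as the rules might have been typed on the gateway.
RULESET = [
    "add 2 allow IP from any to 10.10.0.75",
    "add 2 allow IP from 10.10.0.75 to any",
    "add 1 count ip from any to 10.10.0.75",
]

if __name__ == "__main__":
    for n, body, dp, db in counter_deltas(BEFORE, AFTER):
        print(f"{n:05d} {dp:+6d} pkts {db:+8d} bytes  {body}")
    for n, body in unmatched_rules(BEFORE, AFTER):
        print(f"no traffic matched rule {n:05d}: {body}")
    for lineno, tok in lint_ruleset(RULESET):
        print(f"ruleset line {lineno}: protocol written as {tok!r}; use lower case")
```

On a real box the two snapshots come from `ipfw show` run before and after the test ping; the lint runs over the rule file or shell history, not over `ipfw show` output, since the displayed form has already been lower-cased.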