From: AT Matik
To: freebsd-ipfw@freebsd.org
Date: Tue, 2 Aug 2005 21:51:45 -0300
Subject: Re: Another bug in IPFW@ ...?

On Tuesday 02 August 2005 14:46, Oliver Fromme wrote:
>  > P.S. looks very strange "out not recv any xmit"
>
> It's perfectly valid syntax according to ipfw(8).

(1+1-1)/1 also ... ;)

>
> 1. "out" --> match only outgoing packets.
>
> 2. "not recv any" --> match packets that haven't been
>    received through any interface (i.e. which originate
>    from the local host).  It's simply a negation of
>    "recv any", see the ipfw(8) manpage.
>
> 3. "xmit dc0" --> match packets which are going to be
>    transmitted through the dc0 interface.
>

even if I agree to your logic aspect in general I thought out and xmit is
probably exactly the same still especially as you set src-ip and dst-ip so
the interface where these packages are xmit is defined by the routes

localhost normally runs on lo0 which is an interface as any other so which
ghost packages you try to catch here?

probably this rule you try is a deny all rule since any package is being
received by some IF before it can go out or xmit

Hans
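
As an added example (not part of the original message and not ipfw code), here is a small Python model of the three options Oliver lists. It follows the ipfw(8) statement that packets originating from the local host have no receive interface. The interface name em0, the sample packets and all function names are constructed for illustration.

```python
# Added example: simplified model of three ipfw(8) rule options (not ipfw code).
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    direction: str         # "in" or "out": which firewall pass sees the packet
    rcvif: Optional[str]   # receive interface; None for locally generated packets
    oif: Optional[str]     # transmit interface; None on the inbound pass


def opt_out(p: Packet) -> bool:
    return p.direction == "out"


def opt_recv(p: Packet, ifname: str) -> bool:
    # "recv any" is true only when the packet has a receive interface at all.
    return p.rcvif is not None and ifname in ("any", p.rcvif)


def opt_xmit(p: Packet, ifname: str) -> bool:
    return p.oif is not None and ifname in ("any", p.oif)


def rule_matches(p: Packet, xmit_if: str = "dc0") -> bool:
    """Options of the rule under discussion: out not recv any xmit <if>."""
    return opt_out(p) and not opt_recv(p, "any") and opt_xmit(p, xmit_if)


# Constructed sample packets; em0 is an assumed second interface.
SAMPLES = {
    "local host, leaving via dc0": Packet("out", None, "dc0"),
    "local host, leaving via lo0": Packet("out", None, "lo0"),
    "forwarded em0 -> dc0": Packet("out", "em0", "dc0"),
    "arriving on dc0": Packet("in", "dc0", None),
}


def evaluate() -> dict:
    return {name: rule_matches(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:32} {'match' if hit else 'no match'}")
```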