Date:      Tue, 14 Apr 2009 11:01:19 -0700
From:      "Justin G." <justin@ocis.net>
To:        freebsd-ipfw@freebsd.org
Subject:   Only seeing incrementing counters on 'count' and not 'allow'
Message-ID:  <5da021490904141101p372f2dc4o8fb787081a8e65a9@mail.gmail.com>

Hello everyone,

We've got a 6.2-RELEASE box functioning as a gateway. Today we noticed
that, when we place allow rules (we were testing at rule numbers 1-5
to prevent any other matching rules) they weren't incrementing
properly, but when replaced with "count" rules that are identical,
they increment. The firewall is set to "OPEN" on the box and we're
using the default /etc/rc.firewall script without modifications.

Here's an example of what's going on:

--snip--
[root@gateway ~]# ipfw show | head -2
00002          0            0 allow ip from any to 10.10.0.75
00002          0            0 allow ip from 10.10.0.75 to any
[root@gateway ~]# ping 10.10.0.75
PING 10.10.0.75 (10.10.0.75): 56 data bytes
^C
--- 10.10.0.75 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
[root@gateway ~]# ipfw show | head -2
00002          0            0 allow ip from any to 10.10.0.75
00002          0            0 allow ip from 10.10.0.75 to any
[root@gateway ~]# ipfw add 1 count ip from any to 10.10.0.75
00001 count ip from any to 10.10.0.75
[root@gateway ~]# ping 10.10.0.75
PING 10.10.0.75 (10.10.0.75): 56 data bytes
^C
--- 10.10.0.75 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
[root@gateway ~]# ipfw show | head -3
00001          4          336 count ip from any to 10.10.0.75
00002          0            0 allow ip from any to 10.10.0.75
00002          0            0 allow ip from 10.10.0.75 to any
[root@gateway ~]#
--snip--

These are the firewall settings as defined in /etc/rc.conf:
--snip--
firewall_enable="YES"
firewall_logging="YES"
firewall_type="open"
--snip--

I've been puzzling over this all day and would appreciate any
direction provided :-)

Have a great day.

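The listings above are exactly the kind of before/after `ipfw show` snapshots that are easier to compare mechanically than by eye. The following script is an added example, not part of Justin's mail or of FreeBSD's own tooling: it parses the `ipfw show` listing format seen above (rule number, packet count, byte count, rule body), computes per-rule counter deltas between two snapshots, and flags the situation described in the mail, namely a `count` rule whose counter moved while the very next rule with the same match specification stayed at zero (count is non-terminating, so the same packet must reach and match the following rule). It keys rules by (number, body, occurrence) because ipfw lets several rules share one number, as the two 00002 rules do. The sample input is constructed from the listings in the mail; on a real box you would feed it two captures of `ipfw show` taken around the test traffic.

```python
"""Compare two `ipfw show` snapshots and report which rules actually matched.

Added example, not part of the original post. Parses the listing format
shown in the mail (rule number, packets, bytes, rule body), takes per-rule
deltas between a "before traffic" and an "after traffic" snapshot, and flags
a `count` rule whose counter moved while the directly following rule with
the same match specification did not change. Rules are keyed by
(number, body, occurrence) because ipfw allows duplicate rule numbers.
"""
import re
from typing import Dict, List, Tuple

# One `ipfw show` line: rule number, packets, bytes, then the rule text.
_SHOW_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S.*?)\s*$")

RuleKey = Tuple[int, str, int]   # (rule number, rule body, nth duplicate)
Counters = Tuple[int, int]       # (packets, bytes)


def parse_show(text: str) -> Dict[RuleKey, Counters]:
    """Parse `ipfw show` output; prompts, headers and blank lines are skipped."""
    seen: Dict[Tuple[int, str], int] = {}
    rules: Dict[RuleKey, Counters] = {}
    for line in text.splitlines():
        m = _SHOW_LINE.match(line)
        if not m:
            continue
        num, pkts, nbytes, body = int(m[1]), int(m[2]), int(m[3]), m[4]
        nth = seen.get((num, body), 0)
        seen[(num, body)] = nth + 1
        rules[(num, body, nth)] = (pkts, nbytes)  # dict order == listing order
    return rules


def counter_deltas(before: str, after: str) -> List[Tuple[int, str, int, int]]:
    """Per-rule (number, body, packet delta, byte delta) in listing order.
    Rules missing from the 'before' snapshot (added in between) start at zero."""
    old = parse_show(before)
    rows = []
    for key, (pkts, nbytes) in parse_show(after).items():
        opkts, obytes = old.get(key, (0, 0))
        rows.append((key[0], key[1], pkts - opkts, nbytes - obytes))
    return rows


def _match_spec(body: str) -> str:
    """Drop the action word so 'count X' and 'allow X' compare equal on X."""
    return body.split(None, 1)[1] if " " in body else ""


def stale_matches(before: str, after: str) -> List[Tuple[int, str]]:
    """Rules that should have matched but show no counter change: the rule
    directly after a `count` rule whose counter moved, carrying an identical
    match specification, yet with a zero packet delta of its own."""
    rows = counter_deltas(before, after)
    suspects = []
    for cur, nxt in zip(rows, rows[1:]):
        _, cbody, cpkts, _ = cur
        nnum, nbody, npkts, _ = nxt
        if (cbody.startswith("count ") and cpkts > 0
                and _match_spec(nbody) == _match_spec(cbody) and npkts == 0):
            suspects.append((nnum, nbody))
    return suspects


# Constructed sample input, copied from the listings in the mail above.
BEFORE = """\
[root@gateway ~]# ipfw show | head -2
00002          0            0 allow ip from any to 10.10.0.75
00002          0            0 allow ip from 10.10.0.75 to any
"""
AFTER = """\
[root@gateway ~]# ipfw show | head -3
00001          4          336 count ip from any to 10.10.0.75
00002          0            0 allow ip from any to 10.10.0.75
00002          0            0 allow ip from 10.10.0.75 to any
"""

if __name__ == "__main__":
    for num, body, dp, db in counter_deltas(BEFORE, AFTER):
        print(f"{num:05d} {dp:+6d} pkts {db:+8d} bytes  {body}")
    for num, body in stale_matches(BEFORE, AFTER):
        print(f"rule {num:05d} '{body}' unchanged although the preceding count rule matched")
```

Run against the snapshots from the mail it reports +4 packets / +336 bytes on rule 00001 and flags the first 00002 allow rule as unchanged despite the matching count rule. Capture real snapshots with `ipfw show > before.txt`, generate the test traffic, `ipfw show > after.txt`, and pass the file contents to `counter_deltas`.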