From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 14 18:30:41 2009
From: "Justin G."
Sender: justin@sigsegv.ca
Date: Tue, 14 Apr 2009 11:01:19 -0700
To: freebsd-ipfw@freebsd.org
Subject: Only seeing incrementing counters on 'count' and not 'allow'
Message-ID: <5da021490904141101p372f2dc4o8fb787081a8e65a9@mail.gmail.com>
List-Id: IPFW Technical Discussions

Hello everyone,

We've got a 6.2-RELEASE box functioning as a gateway. Today we noticed that, when we place allow rules (we were testing at rule numbers 1-5 to prevent any other rules from matching), they weren't incrementing properly, but when replaced with "count" rules that are identical, they increment. The firewall is set to "OPEN" on the box and we're using the default /etc/rc.firewall script without modifications.
Here's an example of what's going on:

--snip--
[root@gateway ~]# ipfw show | head -2
00002 0 0 allow ip from any to 10.10.0.75
00002 0 0 allow ip from 10.10.0.75 to any
[root@gateway ~]# ping 10.10.0.75
PING 10.10.0.75 (10.10.0.75): 56 data bytes
^C
--- 10.10.0.75 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
[root@gateway ~]# ipfw show | head -2
00002 0 0 allow ip from any to 10.10.0.75
00002 0 0 allow ip from 10.10.0.75 to any
[root@gateway ~]# ipfw add 1 count ip from any to 10.10.0.75
00001 count ip from any to 10.10.0.75
[root@gateway ~]# ping 10.10.0.75
PING 10.10.0.75 (10.10.0.75): 56 data bytes
^C
--- 10.10.0.75 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
[root@gateway ~]# ipfw show | head -3
00001 4 336 count ip from any to 10.10.0.75
00002 0 0 allow ip from any to 10.10.0.75
00002 0 0 allow ip from 10.10.0.75 to any
[root@gateway ~]#
--snip--

These are the firewall settings as defined in /etc/rc.conf:

--snip--
firewall_enable="YES"
firewall_logging="YES"
firewall_type="open"
--snip--

I've been puzzling over this all day and would appreciate any direction provided :-)

Have a great day.
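A small diagnostic for the kind of test described in the post, added here as an example (it is not code from the post, from the list, or from FreeBSD): take an `ipfw show` snapshot before and after generating test traffic and print only the rules whose packet or byte counters moved, so a rule that matches and one that does not are told apart in one step. Rules are paired by output position rather than by rule number, because ipfw permits several rules with the same number, as the two 00002 rules above show. The two snapshots embedded below are constructed from the counters quoted in the post, with an extra constructed 65000 rule whose counters do not change; the function name ipfw_counter_delta is my own and is not an ipfw command.

```shell
#!/bin/sh
# Added example (not from the post): show which ipfw rules saw traffic
# between two `ipfw show` snapshots.

# Compare two `ipfw show` snapshots passed as strings and print one line
# per rule whose packet or byte counter changed:
#   <rule number> <packet delta> <byte delta> <rule text>
# Rules are paired by position, not by number, because ipfw allows
# several rules to share a number (the two 00002 rules in the post).
ipfw_counter_delta() {
    {
        printf '%s\n' "$1"
        printf '%s\n' '---'
        printf '%s\n' "$2"
    } | awk '
        $0 == "---" { after = 1; next }
        !after { n++; pk[n] = $2; by[n] = $3; next }
        {
            i++
            dp = $2 - pk[i]
            db = $3 - by[i]
            if (dp != 0 || db != 0) {
                rule = $1
                $1 = ""; $2 = ""; $3 = ""
                sub(/^ +/, "")
                printf "%s %s%d %s%d %s\n", rule,
                       (dp > 0 ? "+" : ""), dp, (db > 0 ? "+" : ""), db, $0
            }
        }
        END {
            if (i != n) {
                print "snapshots have different rule counts" > "/dev/stderr"
                exit 2
            }
        }'
}

# Constructed snapshots based on the counters quoted in the post. The
# 65000 rule is a constructed placeholder for an unchanged rule further
# down the ruleset; it is not taken from the post.
BEFORE='00001 0 0 count ip from any to 10.10.0.75
00002 0 0 allow ip from any to 10.10.0.75
00002 0 0 allow ip from 10.10.0.75 to any
65000 12 1008 allow ip from any to any'

AFTER='00001 4 336 count ip from any to 10.10.0.75
00002 0 0 allow ip from any to 10.10.0.75
00002 0 0 allow ip from 10.10.0.75 to any
65000 12 1008 allow ip from any to any'

ipfw_counter_delta "$BEFORE" "$AFTER"

# On the gateway itself the same function is used live (ipfw must be
# present, so this is only shown here, not run):
#   before=$(ipfw show); ping -c 4 10.10.0.75; after=$(ipfw show)
#   ipfw_counter_delta "$before" "$after"
```

Run against the constructed snapshots it reports only the 00001 count rule, which is exactly the picture in the post: the count rule absorbs the four 84-byte echo requests while both allow rules at 00002 stay at zero. On a live box, take the second snapshot immediately after the test traffic so that unrelated flows do not muddy the deltas, and remember that rules with identical numbers are compared in the order `ipfw show` lists them.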