Date: Sun, 4 Nov 2001 00:40:18 -0600 (CST)
From: Ryan Thompson <ryan@sasknow.com>
To: Anatoly Karp <karp@math.wisc.edu>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: [Q] why does this ipfw rule not match?
Message-ID: <Pine.BSF.4.21.0111040035390.66878-100000@ren.sasknow.com>
In-Reply-To: <200111040628.AAA21911@erdos.math.wisc.edu>
Anatoly Karp wrote to freebsd-questions@FreeBSD.ORG:

> Hello all,
>
> I run ipfw on 4.4-STABLE FreeBSD and my connection is working fine.
> However I discovered the following very strange fact: (output edited
> for clarity - I deleted some 'deny/reset' rules which are irrelevant,
> due to the nature of the question)
>
> my-host:~# ipfw show
> 00100 341566 269400058 allow ip from any to any via lo0
> 00200      0         0 deny ip from any to 127.0.0.0/8
> 00300      0         0 deny ip from 127.0.0.0/8 to any
> 08800      0         0 allow tcp from 127.0.0.1 to any

Rule 8800 will never match, thanks to 200 and 300, as those are checked
first. If IP is denied to and from the network 127.0.0.0/8 (rules 200 and
300, respectively), then certainly, TCP will not get through either.

Don't read these words and delete rules 200 and 300, though. :-)

> It appears that, contrary to what I'd expect, all TCP packets are
> accepted due to rule 32000 and not 8800. This conclusion was confirmed
> by connecting to random web-sites and measuring the new packet counts
> given by `ipfw show` right away.

8800 wouldn't match anyway, when you're browsing web sites on other
machines, because that traffic is not going through 127.0.0.1 (or the
loopback interface). It is being passed on your public interface on a
different (probably public) IP address.

Also, TCP is a transport level protocol that works on top of IP. If you
filter IP, you also filter TCP (likewise if you pass IP, you also pass
TCP).

> 32000 850439  51788527 allow ip from any to any
> 65535      1       358 deny ip from any to any
>
>
> Can anybody explain what's going on here?.. Why does rule 8800
> not match?
>
> Thank you,

--
  Ryan Thompson <ryan@sasknow.com>
  Network Administrator, Accounts

  SaskNow Technologies - http://www.sasknow.com
  #106-380 3120 8th St E - Saskatoon, SK - S7H 0W2

        Tel: 306-664-3600   Fax: 306-664-1161   Saskatoon
  Toll-Free: 877-727-5669     (877-SASKNOW)     North America
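The first-match behaviour Ryan describes, as an added example that is not part of the original thread: a small Python evaluator that walks the quoted rule set in ascending rule-number order and stops at the first hit, the way ipfw does. It shows that any packet that could satisfy rule 8800 is already denied by rule 300, and that ordinary web traffic on the public interface falls through to rule 32000. The interface name fxp0 and the packet addresses are constructed for the demonstration; the rule lines are the ones quoted above with their counters removed.

```python
"""Toy first-match simulation of the ipfw rule set quoted in the thread.

Added example, not code from the original message or from FreeBSD.
Interface name 'fxp0' and the sample packet addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                 # "allow" or "deny"
    proto: str                  # "ip" (any IP protocol) or e.g. "tcp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    via: Optional[str] = None   # interface restriction, None = any interface


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    iface: str


def _net(spec: str) -> ipaddress.IPv4Network:
    # "any" covers everything; a bare host address becomes a /32.
    return ANY if spec == "any" else ipaddress.ip_network(spec, strict=False)


def parse_rule(line: str) -> Rule:
    """Parse one 'ipfw show' style line with the counters removed,
    e.g. '08800 allow tcp from 127.0.0.1 to any [via IFACE]'."""
    tok = line.split()
    number, action, proto = int(tok[0]), tok[1], tok[2]
    if tok[3] != "from" or tok[5] != "to":
        raise ValueError("unsupported rule syntax: " + line)
    via = tok[8] if len(tok) > 8 and tok[7] == "via" else None
    return Rule(number, action, proto, _net(tok[4]), _net(tok[6]), via)


def matches(rule: Rule, pkt: Packet) -> bool:
    # 'ip' matches every IP protocol, so 'deny ip' also stops TCP.
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.via is not None and rule.via != pkt.iface:
        return False
    return (ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst)


def first_match(rules: List[Rule], pkt: Packet) -> Rule:
    """Rules are checked in ascending number order; the first hit wins.
    Rule 65535 is the catch-all, so something always matches."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule
    raise RuntimeError("no rule matched; a real ipfw set always has 65535")


# The rule set from the thread, counters stripped.
RULESET = [parse_rule(line) for line in """
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
08800 allow tcp from 127.0.0.1 to any
32000 allow ip from any to any
65535 deny ip from any to any
""".strip().splitlines()]


def decide(pkt: Packet) -> Tuple[int, str]:
    """Return (rule number, action) that ipfw would apply to pkt."""
    rule = first_match(RULESET, pkt)
    return rule.number, rule.action


if __name__ == "__main__":
    samples = [
        Packet("tcp", "127.0.0.1", "127.0.0.1", "lo0"),      # loopback
        Packet("tcp", "127.0.0.1", "192.0.2.10", "fxp0"),    # would fit 8800
        Packet("tcp", "192.0.2.5", "198.51.100.80", "fxp0"),  # web browsing
        Packet("udp", "192.0.2.5", "127.0.0.1", "fxp0"),     # inbound to 127/8
    ]
    for p in samples:
        print(p, "->", decide(p))
```

The second sample is the only packet shape rule 8800 could ever match, and it is stopped at rule 300 because "deny ip" covers TCP as well; the third sample never touches 127.0.0.0/8 at all and lands on 32000, which is exactly the counter movement Anatoly observed.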