Date:      Sat, 4 Oct 1997 04:40:02 -0700 (PDT)
From:      "Daniel O'Callaghan" <danny@panda.hilink.com.au>
To:        freebsd-bugs
Subject:   Re: kern/4687: ipfw accept ignored. 
Message-ID:  <199710041140.EAA13667@hub.freebsd.org>

The following reply was made to PR kern/4687; it has been noted by GNATS.

From: "Daniel O'Callaghan" <danny@panda.hilink.com.au>
To: David Sharnoff <muir@ping.idiom.com>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: kern/4687: ipfw accept ignored. 
Date: Sat, 4 Oct 1997 21:38:13 +1000 (EST)

 On Sat, 4 Oct 1997, David Sharnoff wrote:
 
 > 	I have a rule that passes a packet.  I can tell that it
 > 	passes the packet because the counter goes up by one 
 > 	whenever a packet goes by.
 > 
 > 	I have another rule that rejects packets. 
 > 
 > 	Both rules are firing on the same packet.
 > 
 > 	% ipfw -a list | grep 111
 > 	13000         24       2016 allow udp from 209.66.121.0/27 to 140.174.82.0/26 111 in via ethb17
 > 	13000         24       2016 deny log udp from any to 140.174.82.0/26 111
 
 If you look at the second rule carefully, you'll see that you have not 
 defined a direction on it.  What is happening is that the packet is 
 accepted *in* using the first rule, and denied from leaving (as this is 
 a router) by the second rule.
 
 Fix: Add *in* keyword to deny rule (you don't need to specify an interface).
 
 Danny
 
 /*  Daniel O'Callaghan                                                     */
 /*  HiLink Internet <http://www.hilink.com.au/>;       danny@hilink.com.au  */
 /*  FreeBSD - works hard, plays hard...                 danny@freebsd.org  */
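As an added illustration (not part of this thread and not FreeBSD's ipfw code), the toy model below replays ipfw's first-match evaluation over the two passes a forwarded packet makes through a router, showing why a deny rule with no direction fires on the outbound pass while the `in via` allow rule does not. The outbound interface name, the packet addresses and the default verdict when no rule matches are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Toy model of ipfw first-match semantics (assumption: not the kernel's code).
# On a router every forwarded packet is checked twice: "in" on the arrival
# interface and "out" on the exit interface.  A rule with no direction keyword
# is eligible on both passes.

@dataclass
class Rule:
    num: int
    action: str            # "allow" or "deny"
    proto: str
    src: str               # CIDR; "0.0.0.0/0" stands for "any"
    dst: str
    dport: int
    direction: Optional[str] = None   # "in", "out" or None (both passes)
    iface: Optional[str] = None       # "via <ifname>" or None (any interface)
    count: int = 0                    # packet counter, as shown by `ipfw -a list`

    def matches(self, pkt: dict) -> bool:
        return (self.proto == pkt["proto"]
                and ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and pkt["dport"] == self.dport
                and self.direction in (None, pkt["direction"])
                and self.iface in (None, pkt["iface"]))

def evaluate(rules, pkt: dict) -> str:
    """First matching rule wins and its counter is bumped (stable sort keeps
    rules that share a number in the order they were added, as ipfw does)."""
    for rule in sorted(rules, key=lambda r: r.num):
        if rule.matches(pkt):
            rule.count += 1
            return rule.action
    return "allow"   # assumption: default-accept kernel; real default is rule 65535

def forward(rules, src, dst, dport, in_iface, out_iface) -> str:
    """Router path: inbound check, then outbound check if the packet survived."""
    base = {"proto": "udp", "src": src, "dst": dst, "dport": dport}
    if evaluate(rules, {**base, "direction": "in", "iface": in_iface}) == "deny":
        return "deny"
    return evaluate(rules, {**base, "direction": "out", "iface": out_iface})

def original_rules():
    return [Rule(13000, "allow", "udp", "209.66.121.0/27", "140.174.82.0/26", 111, "in", "ethb17"),
            Rule(13000, "deny", "udp", "0.0.0.0/0", "140.174.82.0/26", 111)]

def fixed_rules():
    rules = original_rules()
    rules[1].direction = "in"   # the suggested fix: confine the deny rule to the inbound pass
    return rules
```

With the original rules both counters advance for one forwarded packet and the verdict is deny; with the fix only the allow rule counts and the packet is forwarded.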