From owner-freebsd-bugs Sat Oct 4 04:40:07 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id EAA13675 for bugs-outgoing; Sat, 4 Oct 1997 04:40:07 -0700 (PDT)
Received: (from gnats@localhost) by hub.freebsd.org (8.8.7/8.8.7) id EAA13667; Sat, 4 Oct 1997 04:40:02 -0700 (PDT)
Date: Sat, 4 Oct 1997 04:40:02 -0700 (PDT)
Message-Id: <199710041140.EAA13667@hub.freebsd.org>
To: freebsd-bugs
Cc:
From: "Daniel O'Callaghan"
Subject: Re: kern/4687: ipfw accept ignored.
Reply-To: "Daniel O'Callaghan"
Sender: owner-freebsd-bugs@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

The following reply was made to PR kern/4687; it has been noted by GNATS.

From: "Daniel O'Callaghan"
To: David Sharnoff
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: kern/4687: ipfw accept ignored.
Date: Sat, 4 Oct 1997 21:38:13 +1000 (EST)

On Sat, 4 Oct 1997, David Sharnoff wrote:

> I have a rule that passes a packet. I can tell that it
> passes the packet because the counter goes up by one
> whenever a packet goes by.
>
> I have another rule that rejects packets.
>
> Both rules are firing on the same packet.
>
> % ipfw -a list | grep 111
> 13000 24 2016 allow udp from 209.66.121.0/27 to 140.174.82.0/26 111 in via ethb17
> 13000 24 2016 deny log udp from any to 140.174.82.0/26 111

If you look at the second rule carefully, you'll see that you have not defined a direction on it. What is happening is that the packet is accepted *in* using the first rule, and denied from leaving (as this is a router) by the second rule.

Fix: Add *in* keyword to deny rule (you don't need to specify an interface).

Danny

/* Daniel O'Callaghan                                            */
/* HiLink Internet                        danny@hilink.com.au    */
/* FreeBSD - works hard, plays hard...    danny@freebsd.org      */
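The behaviour Danny describes, a rule with no direction keyword matching a routed packet on both its inbound and its outbound pass through the firewall, can be reproduced with a small model of ipfw's first-match evaluation. This is an added example, not part of the PR or of ipfw itself. The parser handles only the rule syntax quoted above; the second rule's number (13100, the page lists both as 13000), the outbound interface name ethb18, the host addresses in the test packet and the catch-all rule 65000 are constructed, and the default rule is modelled as deny, which is ipfw's behaviour unless the kernel is built to accept by default.

```python
"""Toy model of ipfw first-match evaluation on a forwarding host.

Constructed example. A packet that is routed through the box is run
through the ruleset twice: once with direction 'in' on the receiving
interface and once with direction 'out' on the sending interface. A rule
that names no direction matches on both passes, which is why the hit
counters of the quoted allow and deny rules advance in lockstep.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    number: int
    action: str               # "allow" or "deny"
    proto: str                # "udp", "tcp" or "ip" (ip matches any protocol)
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]      # destination port, None if not given
    direction: Optional[str]  # "in", "out" or None (matches both passes)
    via: Optional[str]        # interface name, None if not given
    log: bool = False
    packets: int = 0          # hit counter, as shown by `ipfw -a list`


def _net(tok: str) -> IPv4Network:
    return ip_network("0.0.0.0/0") if tok == "any" else ip_network(tok, strict=False)


def parse_rule(text: str) -> Rule:
    """Parse the subset of ipfw syntax used in the PR."""
    toks = text.split()
    number, action = int(toks.pop(0)), toks.pop(0)
    log = toks[0] == "log"
    if log:
        toks.pop(0)
    proto = toks.pop(0)
    assert toks.pop(0) == "from"
    src = _net(toks.pop(0))
    assert toks.pop(0) == "to"
    dst = _net(toks.pop(0))
    dport = int(toks.pop(0)) if toks and toks[0].isdigit() else None
    direction = via = None
    while toks:
        tok = toks.pop(0)
        if tok in ("in", "out"):
            direction = tok
        elif tok == "via":
            via = toks.pop(0)
        else:
            raise ValueError(f"unsupported token {tok!r} in rule {number}")
    return Rule(number, action, proto, src, dst, dport, direction, via, log)


def match(rule: Rule, pkt: dict, direction: str, iface: str) -> bool:
    return (
        rule.proto in ("ip", pkt["proto"])
        and ip_address(pkt["src"]) in rule.src
        and ip_address(pkt["dst"]) in rule.dst
        and (rule.dport is None or rule.dport == pkt["dport"])
        and (rule.direction is None or rule.direction == direction)
        and (rule.via is None or rule.via == iface)
    )


def evaluate(rules, pkt, direction, iface):
    """First matching rule wins and its counter is bumped."""
    for r in rules:
        if match(r, pkt, direction, iface):
            r.packets += 1
            return r.action, r.number
    return "deny", 65535  # implicit default rule (deny unless built otherwise)


def forward(rules, pkt, in_iface, out_iface):
    verdict, num = evaluate(rules, pkt, "in", in_iface)
    if verdict == "deny":
        return ("dropped", "in", num)
    verdict, num = evaluate(rules, pkt, "out", out_iface)
    if verdict == "deny":
        return ("dropped", "out", num)
    return ("forwarded", "out", num)


# Rules as quoted in the PR (second rule renumbered to 13100, catch-all added).
RULES_AS_FILED = [
    "13000 allow udp from 209.66.121.0/27 to 140.174.82.0/26 111 in via ethb17",
    "13100 deny log udp from any to 140.174.82.0/26 111",
    "65000 allow ip from any to any",
]
# Danny's fix: the deny rule gets an 'in' keyword, no interface needed.
RULES_FIXED = [RULES_AS_FILED[0],
               "13100 deny log udp from any to 140.174.82.0/26 111 in",
               RULES_AS_FILED[2]]
# Constructed portmapper request from the allowed source net to the destination net.
PACKET = {"proto": "udp", "src": "209.66.121.5", "dst": "140.174.82.10", "dport": 111}


def run(rule_texts, packet, in_iface="ethb17", out_iface="ethb18", count=24):
    """Route `count` copies of the packet; return last verdict and hit counters."""
    rules = sorted((parse_rule(t) for t in rule_texts), key=lambda r: r.number)
    result = None
    for _ in range(count):
        result = forward(rules, packet, in_iface, out_iface)
    return result, {r.number: r.packets for r in rules}


if __name__ == "__main__":
    print("as filed:", run(RULES_AS_FILED, PACKET))  # both 13000 and 13100 reach 24
    print("fixed:   ", run(RULES_FIXED, PACKET))     # 13100 never fires
```

With the rules as filed, every packet is counted by rule 13000 on the inbound pass and by rule 13100 on the outbound pass, matching the identical counters in the `ipfw -a list` output; with `in` added to the deny rule, the outbound pass falls through to the catch-all and the packet is forwarded.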