From owner-freebsd-bugs Sat Oct 4 10:00:04 1997
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id KAA23717 for bugs-outgoing; Sat, 4 Oct 1997 10:00:04 -0700 (PDT)
Received: (from gnats@localhost) by hub.freebsd.org (8.8.7/8.8.7) id KAA23696; Sat, 4 Oct 1997 10:00:01 -0700 (PDT)
Date: Sat, 4 Oct 1997 10:00:01 -0700 (PDT)
Message-Id: <199710041700.KAA23696@hub.freebsd.org>
To: freebsd-bugs
From: David Muir Sharnoff
Subject: Re: kern/4687: ipfw accept ignored.
Reply-To: David Muir Sharnoff
Sender: owner-freebsd-bugs@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

The following reply was made to PR kern/4687; it has been noted by GNATS.

From: David Muir Sharnoff
To: "Daniel O'Callaghan"
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: kern/4687: ipfw accept ignored.
Date: Sat, 4 Oct 1997 09:56:43 -0700 (PDT)

* > % ipfw -a list | grep 111
* > 13000 24 2016 allow udp from 209.66.121.0/27 to 140.174.82.0/26 111 in via ethb17
* > 13000 24 2016 deny log udp from any to 140.174.82.0/26 111
*
* If you look at the second rule carefully, you'll see that you have not
* defined a direction on it. What is happening is that the packet is
* accepted *in* using the first rule, and denied from leaving (as this is
* a router) by the second rule.
*
* Fix: Add *in* keyword to deny rule (you don't need to specify an interface).

Ah, I see! I didn't realize the packet got tested twice. It makes sense
in retrospect. Thank you for the clue.

-Dave
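The behaviour Daniel describes, as an added illustration that is not part of the original thread or of FreeBSD's ipfw code: a small Python model of ipfw's first-match evaluation in which a forwarded packet is checked once on the inbound pass and once on the outbound pass. The rule set is the one from the PR, once as posted and once with the `in` keyword added to the deny rule; the packet addresses, the inside interface name `inside0` and the default-accept fallthrough are constructed for the example (a real kernel's default rule depends on how it was built).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    """One ipfw rule; a None field means 'unrestricted' for that criterion."""
    number: int
    action: str                 # "allow" or "deny"
    proto: str
    src: str                    # CIDR or "any"
    dst: str                    # CIDR or "any"
    dport: Optional[int]
    direction: Optional[str]    # "in", "out", or None = matches both passes
    via: Optional[str]          # interface name, or None = any interface


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def _net_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec)


def rule_matches(rule: Rule, pkt: Packet, direction: str, iface: str) -> bool:
    """True if the rule matches this packet on this pass (direction + interface)."""
    return (
        rule.proto == pkt.proto
        and _net_matches(rule.src, pkt.src)
        and _net_matches(rule.dst, pkt.dst)
        and (rule.dport is None or rule.dport == pkt.dport)
        and (rule.direction is None or rule.direction == direction)
        and (rule.via is None or rule.via == iface)
    )


def first_match(rules: List[Rule], pkt: Packet, direction: str, iface: str) -> Tuple[int, str]:
    """First-match semantics: lowest rule number wins; equal numbers keep insertion order
    (sorted() is stable). Falls through to a constructed default-accept rule 65535."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, pkt, direction, iface):
            return rule.number, rule.action
    return 65535, "allow"   # constructed default; real kernels may default to deny


def route_packet(rules: List[Rule], pkt: Packet, in_iface: str, out_iface: str):
    """A packet the box forwards is evaluated twice: inbound on in_iface, then
    outbound on out_iface. Returns the verdict and the per-pass trace."""
    trace = []
    for direction, iface in (("in", in_iface), ("out", out_iface)):
        number, action = first_match(rules, pkt, direction, iface)
        trace.append((direction, number, action))
        if action == "deny":
            return "dropped", trace
    return "forwarded", trace


# The rules as posted in the PR: the deny rule has no direction.
BROKEN_RULES = [
    Rule(13000, "allow", "udp", "209.66.121.0/27", "140.174.82.0/26", 111, "in", "ethb17"),
    Rule(13000, "deny", "udp", "any", "140.174.82.0/26", 111, None, None),
]

# The fix from the thread: add 'in' to the deny rule so it no longer fires on the outbound pass.
FIXED_RULES = [
    Rule(13000, "allow", "udp", "209.66.121.0/27", "140.174.82.0/26", 111, "in", "ethb17"),
    Rule(13000, "deny", "udp", "any", "140.174.82.0/26", 111, "in", None),
]

# Constructed sample packets: one from the permitted /27, one from elsewhere.
ALLOWED_PKT = Packet("udp", "209.66.121.5", "140.174.82.10", 111)
OTHER_PKT = Packet("udp", "198.51.100.7", "140.174.82.10", 111)

if __name__ == "__main__":
    print("as posted :", route_packet(BROKEN_RULES, ALLOWED_PKT, "ethb17", "inside0"))
    print("with 'in' :", route_packet(FIXED_RULES, ALLOWED_PKT, "ethb17", "inside0"))
    print("other src :", route_packet(FIXED_RULES, OTHER_PKT, "ethb17", "inside0"))
```

With the rules as posted, the trace shows the allow rule matching on the inbound pass and the direction-less deny rule matching on the outbound pass, which is exactly why `ipfw -a list` shows both counters ticking. With `in` on the deny rule the permitted packet falls through to the default on the outbound pass, while traffic from any other source is still denied inbound, so the fix does not weaken the filter.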