From owner-freebsd-ipfw Tue Feb 29 10:23:39 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from bubba.whistle.com (bubba.whistle.com [207.76.205.7]) by hub.freebsd.org (Postfix) with ESMTP id 10A8C37BC61 for ; Tue, 29 Feb 2000 10:23:37 -0800 (PST) (envelope-from archie@whistle.com)
Received: (from archie@localhost) by bubba.whistle.com (8.9.3/8.9.2) id KAA17444; Tue, 29 Feb 2000 10:23:37 -0800 (PST)
From: Archie Cobbs
Message-Id: <200002291823.KAA17444@bubba.whistle.com>
Subject: Re: ipfw and the GRE protocol
In-Reply-To: <002701bf8090$4934b460$43110d0a@chade> from "Chad K. Bisk" at "Feb 26, 2000 02:32:53 pm"
To: ckbisk@bigfoot.com (Chad K. Bisk)
Date: Tue, 29 Feb 2000 10:23:37 -0800 (PST)
Cc: freebsd-ipfw@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Chad K. Bisk writes:
> How does rule 65535 ever get packets?
>
> freebsd# ipfw list
> 00100 divert 8668 ip from any to any via ed1
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 10.0.0.0/8 to any in recv ed1
> 00400 deny ip from 111.222.33.0/24 to any in recv fxp0
> 00500 deny ip from 192.168.0.0/16 to any via ed1
> 00600 deny ip from any to 192.168.0.0/16 via ed1
> 00700 deny ip from 172.16.0.0/12 to any via ed1
> 00800 deny ip from any to 172.16.0.0/12 via ed1
> 00900 allow tcp from any to any established
> 01000 allow tcp from any to 111.222.33.44 25 setup
> 01100 allow tcp from any to 111.222.33.44 53 setup
> 01200 allow tcp from any to 111.222.33.44 80 setup
> 01300 allow tcp from any to any setup
> 01400 allow udp from any 53 to 111.222.33.44
> 01500 allow udp from 111.222.33.44 to any 53
> 01600 allow udp from any 123 to 111.222.33.44
> 01700 allow udp from 111.222.33.44 to any 123
> 65000 allow ip from any to any
> 65535 deny ip from any to any
>
> freebsd# ipfw show
> 00100 538708 242885311 divert 8668 ip from any to any via ed1
> 00100 12 832 allow ip from any to any via lo0
> 00200 0 0 deny ip from any to 127.0.0.0/8
> 00300 912 110044 deny ip from 10.0.0.0/8 to any in recv ed1
> 00400 0 0 deny ip from 111.222.33.0/24 to any in recv fxp0
> 00500 0 0 deny ip from 192.168.0.0/16 to any via ed1
> 00600 0 0 deny ip from any to 192.168.0.0/16 via ed1
> 00700 0 0 deny ip from 172.16.0.0/12 to any via ed1
> 00800 0 0 deny ip from any to 172.16.0.0/12 via ed1
> 00900 935726 468654385 allow tcp from any to any established
> 01000 18 792 allow tcp from any to 111.222.33.44 25 setup
> 01100 2 80 allow tcp from any to 111.222.33.44 53 setup
> 01200 3 124 allow tcp from any to 111.222.33.44 80 setup
> 01300 23818 1088084 allow tcp from any to any setup
> 01400 204 43821 allow udp from any 53 to 111.222.33.44
> 01500 3190 197690 allow udp from 111.222.33.44 to any 53
> 01600 3113 236588 allow udp from any 123 to 111.222.33.44
> 01700 3153 239628 allow udp from 111.222.33.44 to any 123
> 65000 66466 9761689 allow ip from any to any
> 65535 4 463 deny ip from any to any
>
> It gets 2 during startup and 2 later fairly consistently.

It's getting packets when the other rules are not there, presumably brief windows of time at startup and restart, etc.

-Archie

___________________________________________________________________________
Archie Cobbs   *   Whistle Communications, Inc.   *   http://www.whistle.com
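The point Archie makes is a consequence of ipfw's first-match evaluation: while rule 65000 (`allow ip from any to any`) is loaded, nothing can reach 65535, so the four packets it counted must have arrived while the ruleset was empty (after a flush, before the rules were re-added). The following is an added example, not code from the thread or from FreeBSD: a deliberately simplified Python model of first-match evaluation over the ruleset quoted above, with constructed sample packets, that shows the same packet being accepted by 65000 when the rules are loaded and denied by 65535 when only the default rule exists. `divert` is modelled as non-terminating (ipfw reinjects the packet after the divert socket returns it); `established` is taken as ACK or RST set and `setup` as SYN without ACK, which follows the ipfw(8) definitions, and everything else about real ipfw (dynamic rules, other options) is left out.

```python
"""First-match model of the ipfw ruleset quoted above (added example, not ipfw code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Ruleset copied from the `ipfw list` output quoted in the thread.
IPFW_LIST = """\
00100 divert 8668 ip from any to any via ed1
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 10.0.0.0/8 to any in recv ed1
00400 deny ip from 111.222.33.0/24 to any in recv fxp0
00500 deny ip from 192.168.0.0/16 to any via ed1
00600 deny ip from any to 192.168.0.0/16 via ed1
00700 deny ip from 172.16.0.0/12 to any via ed1
00800 deny ip from any to 172.16.0.0/12 via ed1
00900 allow tcp from any to any established
01000 allow tcp from any to 111.222.33.44 25 setup
01100 allow tcp from any to 111.222.33.44 53 setup
01200 allow tcp from any to 111.222.33.44 80 setup
01300 allow tcp from any to any setup
01400 allow udp from any 53 to 111.222.33.44
01500 allow udp from 111.222.33.44 to any 53
01600 allow udp from any 123 to 111.222.33.44
01700 allow udp from 111.222.33.44 to any 123
65000 allow ip from any to any
65535 deny ip from any to any
"""

@dataclass
class Packet:
    proto: str             # "tcp" or "udp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    iface: str = "ed1"     # interface the packet is seen on
    direction: str = "in"
    syn: bool = False
    ack: bool = False
    rst: bool = False

def parse_rule(line):
    """Parse one `ipfw list` line of the shape used above (a subset of ipfw syntax)."""
    t = line.split()
    number, action = int(t[0]), t[1]
    i = 3 if action == "divert" else 2   # divert carries a port argument first
    proto = t[i]
    i += 2                               # skip the protocol and "from"
    src = t[i]; i += 1
    sport = None
    if t[i].isdigit():                   # optional source port
        sport = int(t[i]); i += 1
    i += 1                               # skip "to"
    dst = t[i]; i += 1
    dport = None
    if i < len(t) and t[i].isdigit():    # optional destination port
        dport = int(t[i]); i += 1
    opts = {}
    while i < len(t):
        if t[i] in ("via", "recv"):      # options that take an interface name
            opts[t[i]] = t[i + 1]; i += 2
        else:                            # flag options: in, established, setup
            opts[t[i]] = True; i += 1
    return {"number": number, "action": action, "proto": proto,
            "src": None if src == "any" else ip_network(src), "sport": sport,
            "dst": None if dst == "any" else ip_network(dst), "dport": dport,
            "opts": opts}

def matches(r, p):
    """True if every field and option of rule r matches packet p."""
    o = r["opts"]
    return all([
        r["proto"] in ("ip", p.proto),
        r["src"] is None or ip_address(p.src) in r["src"],
        r["dst"] is None or ip_address(p.dst) in r["dst"],
        r["sport"] in (None, p.sport),
        r["dport"] in (None, p.dport),
        o.get("via", p.iface) == p.iface,
        o.get("recv", p.iface) == p.iface,
        "in" not in o or p.direction == "in",
        # established = ACK or RST set; setup = SYN without ACK (TCP only)
        "established" not in o or (p.proto == "tcp" and (p.ack or p.rst)),
        "setup" not in o or (p.proto == "tcp" and p.syn and not p.ack),
    ])

def evaluate(rules, p):
    """Return (rule number, action) of the first terminating match.
    divert is non-terminating here: matching continues after the divert rule."""
    for r in rules:
        if r["action"] in ("allow", "deny") and matches(r, p):
            return r["number"], r["action"]
    raise RuntimeError("no terminating rule (real ipfw always keeps 65535)")

def load_rules(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip()]

FULL = load_rules(IPFW_LIST)
# The window after `ipfw -f flush` and before the rules are re-added: only 65535 exists.
FLUSHED = [r for r in FULL if r["number"] == 65535]

if __name__ == "__main__":
    pkt = Packet("udp", "1.2.3.4", "111.222.33.44", 5000, 999)   # constructed sample
    print("loaded ruleset:", evaluate(FULL, pkt))     # first match is 65000 allow
    print("during reload: ", evaluate(FLUSHED, pkt))  # only 65535 deny is left
```

Reading the counters with this model in mind, a non-zero count on 65535 is a useful indicator of the reload window rather than of a gap in the rules themselves. Later FreeBSD releases added ipfw rule sets (`ipfw set`), which allow a new ruleset to be loaded into a disabled set and swapped in atomically so that no packet is evaluated against an empty table; on the 2000-era ipfw in this thread the window is simply the time between the flush and the last `ipfw add`.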