From owner-freebsd-bugs Thu Mar 26 15:10:03 1998
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA08723 for freebsd-bugs-outgoing; Thu, 26 Mar 1998 15:10:03 -0800 (PST) (envelope-from owner-freebsd-bugs@FreeBSD.ORG)
Received: (from gnats@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA08712; Thu, 26 Mar 1998 15:10:02 -0800 (PST) (envelope-from gnats)
Received: from proxy.metro.tas.com.au ([147.109.165.35]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA08270 for ; Thu, 26 Mar 1998 15:07:44 -0800 (PST) (envelope-from root@proxy.metro.tas.com.au)
Received: (from root@localhost) by proxy.metro.tas.com.au (8.8.8/8.8.5) id KAA17071; Fri, 27 Mar 1998 10:07:27 +1100 (EST)
Message-Id: <199803262307.KAA17071@proxy.metro.tas.com.au>
Date: Fri, 27 Mar 1998 10:07:27 +1100 (EST)
From: Charlie Root
Reply-To: root@proxy.metro.tas.com.au
To: FreeBSD-gnats-submit@FreeBSD.ORG
X-Send-Pr-Version: 3.2
Subject: i386/6141: IPFW Rules mixup - wrong rule numbers are filtering packets
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number: 6141
>Category: i386
>Synopsis: IPFW rules are incorrectly filtering packets randomly
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Mar 26 15:10:01 PST 1998
>Last-Modified:
>Originator: Charlie &
>Organization: Metro Tasmania Pty Ltd
>Release: FreeBSD 3.0-980221-SNAP i386
>Environment:
The machine is used as a gateway/proxy machine.
>Description:
We use the rules to log how much traffic travels out on a particular port. Additionally, we also block other ports. The rules seem to be getting mixed up, so some of the allowed ports are being reported as being blocked.
Mar 27 09:55:22 proxy /kernel: ipfw: 5300 Deny TCP 147.109.237.5:8080 147.109.165.35:1525 in via ed0
Mar 27 09:56:26 proxy /kernel: ipfw: 5300 Deny TCP 147.109.237.5:8080 147.109.165.35:1525 in via ed0

Here are the relevant rules:

$fwcmd add 5300 deny log tcp from any to any 1525 in via $Out
$fwcmd add 15900 pass tcp from any 8080 to any out via $In
$fwcmd add 16000 pass tcp from any to any 8080 out via $Out
$fwcmd add 16100 pass tcp from any 8080 to any in via $In

Seems to occur more as the number of rules increases; currently there are approximately 40 rules.
>How-To-Repeat:
Unknown...
>Fix:
Unknown.... (Lot of help, aren't I?)
>Audit-Trail:
>Unformatted:
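The following is an added example, not part of the original report: a small first-match evaluator for the four rules quoted above, run against the packet in the logged "Deny" line. It assumes $Out expands to ed0 and $In to ed1 (the report does not say which interface is which); under that assumption it shows why rule 5300 is the one that fires for a reply from port 8080 to a client whose ephemeral port happens to be 1525.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed rule set: the four rules from the report, with the ASSUMPTION
# that $Out expands to ed0 and $In to ed1 (the report does not state this).
RULES_TEXT = """
add 5300 deny log tcp from any to any 1525 in via ed0
add 15900 pass tcp from any 8080 to any out via ed1
add 16000 pass tcp from any to any 8080 out via ed0
add 16100 pass tcp from any 8080 to any in via ed1
"""

RULE_RE = re.compile(
    r"add (?P<num>\d+) (?P<action>deny|pass)(?: log)? tcp "
    r"from (?P<src>\S+)(?: (?P<sport>\d+))? to (?P<dst>\S+)(?: (?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

@dataclass
class Rule:
    num: int
    action: str
    sport: Optional[int]   # None means "any" source port
    dport: Optional[int]   # None means "any" destination port
    direction: str
    iface: str

def parse_rules(text):
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.fullmatch(line.strip())
        if not m:
            raise ValueError("unparsed rule: " + line)
        rules.append(Rule(int(m["num"]), m["action"],
                          int(m["sport"]) if m["sport"] else None,
                          int(m["dport"]) if m["dport"] else None,
                          m["dir"], m["iface"]))
    return sorted(rules, key=lambda r: r.num)

def first_match(rules, sport, dport, direction, iface):
    """ipfw walks rules in ascending number order; the first rule whose every
    constraint holds decides the packet. Host clauses are all 'any' here."""
    for r in rules:
        if r.direction != direction or r.iface != iface:
            continue
        if r.sport is not None and r.sport != sport:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r
    return None  # no quoted rule matched; later rules or the default decide

# The packet from the log: 147.109.237.5:8080 -> 147.109.165.35:1525, in via ed0.
LOGGED = dict(sport=8080, dport=1525, direction="in", iface="ed0")

if __name__ == "__main__":
    hit = first_match(parse_rules(RULES_TEXT), **LOGGED)
    print(hit.num, hit.action)  # 5300 deny: dst port 1525 matches "to any 1525"
```

Changing the destination port to any value other than 1525 makes the same packet skip rule 5300, which is why a "deny" on a port that is also a plausible client ephemeral port can look random in the logs.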