From owner-freebsd-bugs Thu Mar 26 16:40:04 1998
Return-Path:
Received: (from majordom@localhost)
	by hub.freebsd.org (8.8.8/8.8.8) id QAA23139
	for freebsd-bugs-outgoing; Thu, 26 Mar 1998 16:40:04 -0800 (PST)
	(envelope-from owner-freebsd-bugs@FreeBSD.ORG)
Received: (from gnats@localhost)
	by hub.freebsd.org (8.8.8/8.8.8) id QAA23129;
	Thu, 26 Mar 1998 16:40:03 -0800 (PST)
	(envelope-from gnats)
Date: Thu, 26 Mar 1998 16:40:03 -0800 (PST)
Message-Id: <199803270040.QAA23129@hub.freebsd.org>
To: freebsd-bugs
Cc:
From: "Daniel O'Callaghan"
Subject: Re: i386/6141: IPFW Rules mixup - wrong rule numbers are filtering packets
Reply-To: "Daniel O'Callaghan"
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The following reply was made to PR i386/6141; it has been noted by GNATS.

From: "Daniel O'Callaghan"
To: Charlie Root
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: i386/6141: IPFW Rules mixup - wrong rule numbers are filtering packets
Date: Fri, 27 Mar 1998 11:33:42 +1100 (EST)

> We use the rules to log how much traffic travels out on a particular
> port. Additionally we also block other ports. The rules seem
> to be getting mixed up so some of the allowed ports are being
> reported as being blocked.
>
> Mar 27 09:55:22 proxy /kernel: ipfw: 5300 Deny TCP 147.109.237.5:8080
> 147.109.165.35:1525 in via ed0
> Mar 27 09:56:26 proxy /kernel: ipfw: 5300 Deny TCP 147.109.237.5:8080
> 147.109.165.35:1525 in via ed0
>
> Here are the relevant rules:
> $fwcmd add 5300 deny log tcp from any to any 1525 in via $Out
> $fwcmd add 15900 pass tcp from any 8080 to any out via $In
> $fwcmd add 16000 pass tcp from any to any 8080 out via $Out
> $fwcmd add 16100 pass tcp from any 8080 to any in via $In

It looks to me like it is doing things correctly, as far as the ruleset
is written. Why are you denying 1525? Do you have the $Out and $In
round the wrong way in 5300 and 15900? You do realise that rules are
parsed in numeric order, don't you?

Danny
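
The numeric-order, first-match evaluation described in the reply, modelled in Python and applied to the logged packet (an added example, not part of the original message and not ipfw's own code). The interface mapping ($Out=ed0, inferred from the log line; $In=ed1, constructed), the reduced rule syntax the parser accepts, and rule 5200 are assumptions for illustration.

```python
import re

# Interface names are assumptions: the log shows the packet "in via ed0" hitting
# rule 5300 (written with $Out), so $Out=ed0; $In=ed1 is a constructed value.
IFACES = {"$Out": "ed0", "$In": "ed1"}

RULE_RE = re.compile(
    r"add (?P<num>\d+) (?P<action>deny|pass)(?P<log> log)? (?P<proto>\w+) "
    r"from any(?: (?P<sport>\d+))? to any(?: (?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)$")

def parse_rule(line):
    """Parse the subset of ipfw syntax used in the quoted ruleset."""
    m = RULE_RE.search(line.strip())
    if not m:
        raise ValueError(f"unsupported rule: {line!r}")
    r = m.groupdict()
    r["num"] = int(r["num"])
    r["iface"] = IFACES.get(r["iface"], r["iface"])
    for k in ("sport", "dport"):
        r[k] = int(r[k]) if r[k] else None
    return r

def matches(rule, pkt):
    """A rule matches when protocol, direction, interface and any stated ports agree."""
    return (rule["proto"] == pkt["proto"]
            and rule["dir"] == pkt["dir"]
            and rule["iface"] == pkt["iface"]
            and rule["sport"] in (None, pkt["sport"])
            and rule["dport"] in (None, pkt["dport"]))

def first_match(rule_lines, pkt):
    """Return (number, action) of the lowest-numbered matching rule, or None."""
    for rule in sorted(map(parse_rule, rule_lines), key=lambda r: r["num"]):
        if matches(rule, pkt):
            return rule["num"], rule["action"]
    return None

# Rules from the report, deliberately listed out of order.
RULES = [
    "$fwcmd add 16100 pass tcp from any 8080 to any in via $In",
    "$fwcmd add 15900 pass tcp from any 8080 to any out via $In",
    "$fwcmd add 5300 deny log tcp from any to any 1525 in via $Out",
    "$fwcmd add 16000 pass tcp from any to any 8080 out via $Out",
]
# The logged packet: TCP 147.109.237.5:8080 -> 147.109.165.35:1525 in via ed0
PKT = {"proto": "tcp", "sport": 8080, "dport": 1525, "dir": "in", "iface": "ed0"}
# Hypothetical lower-numbered rule (not in the report) that would be reached first.
EXTRA = "$fwcmd add 5200 pass tcp from any 8080 to any in via $Out"

if __name__ == "__main__":
    print(first_match(RULES, PKT), first_match(RULES + [EXTRA], PKT))
```

The packet is a reply from port 8080 whose destination port happens to be 1525, so rule 5300 claims it before any of the 8080 pass rules are consulted.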