From owner-freebsd-questions@FreeBSD.ORG  Mon Jun  2 10:11:41 2003
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id C5E8C37B401
	for <freebsd-questions@freebsd.org>;
	Mon,  2 Jun 2003 10:11:41 -0700 (PDT)
Received: from mx.tele-kom.ru (mx.tele-kom.ru [213.80.148.6])
	by mx1.FreeBSD.org (Postfix) with SMTP id A2EEE43F93
	for <freebsd-questions@freebsd.org>;
	Mon,  2 Jun 2003 10:11:39 -0700 (PDT)
	(envelope-from doublef@tele-kom.ru)
Received: (qmail 93091 invoked by uid 555); 2 Jun 2003 21:11:37 +0400
Message-ID: <20030602171137.93088.qmail@mx.tele-kom.ru>
Received: from  (213.80.149.241)
	by t-k.ru with TeleMail/2 id 1054573896-93063
	for doublef@tele-kom.ru; Mon, Jun  2 21:11:36 2003 +0400 (MSD)
From: DoubleF <doublef@tele-kom.ru>
To: Gary Aitken <freebsd@dreamchaser.org>
Date: Mon, 1 Jun 2003 21:10:03 MSD 
MIME-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 8bit
cc: freebsd-questions@freebsd.org
Subject: Re: ipfw final rule
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Jun 2003 17:11:42 -0000

Gary Aitken wrote:
> I was considering turning on bridging, which requires the final ipfw
> rule to be allow, not deny.
> So I added a deny rule at 65534, but temporarily left the default deny
> rule in place in the kernel.
> Interestingly, my log shows the following:
>> 65534   582   58547 deny ip from any to any
>> 65535     3     234 deny ip from any to any
> This looks like an impossible situation, since the last 3 should have
> been caught by the previous rule.
> I presume those last three denied packets are really not ip packets at
> all, but some other packet like arp?

My guess is just that those 3 packets were caught just before the final
65534th deny rule was added. The fact that you indeed have some denied
packets (582) in 'normal' state makes that quite probable. Try zeroing
the stats out and leave it for a while. There should be 0 in 65535 rule
then.

HTH,
				DoubleF