Date: Mon, 1 Jun 2003 21:10:03 MSD
From: DoubleF <doublef@tele-kom.ru>
To: Gary Aitken <freebsd@dreamchaser.org>
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfw final rule
Message-ID: <20030602171137.93088.qmail@mx.tele-kom.ru>
Gary Aitken wrote:
> I was considering turning on bridging, which requires the final ipfw
> rule to be allow, not deny.
> So I added a deny rule at 65534, but temporarily left the default deny
> rule in place in the kernel.
> Interestingly, my log shows the following:
>> 65534 582 58547 deny ip from any to any
>> 65535 3 234 deny ip from any to any
> This looks like an impossible situation, since the last 3 should have
> been caught by the previous rule.
> I presume those last three denied packets are really not ip packets at
> all, but some other packet like arp?

My guess is just that those 3 packets were caught just before the final 65534th deny rule was added. The fact that you indeed have some denied packets (582) in 'normal' state makes that quite probable. Try zeroing the stats out and leave it for a while. There should be 0 in 65535 rule then.

HTH,
DoubleF
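The diagnostic DoubleF proposes (zero the counters, wait, then confirm that rule 65535 stays at 0 once an earlier catch-all deny exists) can be scripted against the `ipfw -a list` counter output. The following is an added example written for this thread, not code from the original message or from FreeBSD; it assumes the listing format `<rule> <packets> <bytes> <action> <body>` shown in Gary's log, and the two sample listings are constructed (the earlier rules 100 and 200 are invented for illustration). It only parses text; it does not run `ipfw` itself.

```python
import re
from typing import List, NamedTuple, Optional


class Rule(NamedTuple):
    number: int
    packets: int
    bytes: int
    body: str  # e.g. "deny ip from any to any"


# One line of `ipfw -a list`: rule number, packet count, byte count, rest of rule.
_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.*\S)\s*$")

# A rule that matches every IP packet, so nothing behind it should ever be hit by IP traffic.
_CATCH_ALL = re.compile(r"(allow|accept|pass|permit|deny|drop)\s+ip\s+from\s+any\s+to\s+any")


def parse_ipfw_list(text: str) -> List[Rule]:
    """Parse `ipfw -a list` output into Rule tuples; lines that do not fit are skipped."""
    rules = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            rules.append(Rule(int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)))
    return rules


def unexpected_default_hits(rules: List[Rule], default_number: int = 65535) -> Optional[int]:
    """Packets counted by the default rule although an earlier catch-all rule exists.

    Returns None when there is no earlier catch-all (nothing is unexpected then).
    After `ipfw zero` the value should stay 0; anything else means the counters
    predate the catch-all rule or the traffic is not IP matched by it.
    """
    default = next((r for r in rules if r.number == default_number), None)
    earlier_catch_all = [r for r in rules
                         if r.number < default_number and _CATCH_ALL.fullmatch(r.body)]
    if default is None or not earlier_catch_all:
        return None
    return default.packets


# Constructed sample: the two lines from the thread plus two invented earlier rules.
SAMPLE_BEFORE_ZERO = """\
00100 10 1200 allow ip from any to any via lo0
00200 50 6000 allow tcp from any to any established
65534 582 58547 deny ip from any to any
65535 3 234 deny ip from any to any
"""

# Constructed sample of what the listing should look like a while after `ipfw zero`.
SAMPLE_AFTER_ZERO = """\
00100 4 480 allow ip from any to any via lo0
00200 12 1440 allow tcp from any to any established
65534 7 700 deny ip from any to any
65535 0 0 deny ip from any to any
"""


if __name__ == "__main__":
    for label, text in (("before zero", SAMPLE_BEFORE_ZERO), ("after zero", SAMPLE_AFTER_ZERO)):
        hits = unexpected_default_hits(parse_ipfw_list(text))
        print(f"{label}: unexpected hits on rule 65535 = {hits}")
```

On a live host the listing would come from `ipfw -a list` (or the equivalent `ipfw show`); feeding it through `unexpected_default_hits` after an `ipfw zero` gives the check DoubleF describes, with a non-zero result pointing either at stale counters or at traffic the catch-all rule does not match.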