Date: Mon, 2 Jun 2003 20:45:58 +0200
From: "Daan Vreeken [PA4DAN]" <Danovitsch@Vitsch.net>
To: Gary Aitken <freebsd@dreamchaser.org>
Cc: FreeBSD-questions@freebsd.org
Subject: Re: ipfw final rule
Message-ID: <200306022045.58095.Danovitsch@Vitsch.net>
In-Reply-To: <3EDB7503.2070403@dreamchaser.org>
References: <20030531000201.26C2C37B404@hub.freebsd.org> <3EDB7503.2070403@dreamchaser.org>

On Monday 02 June 2003 18:02, Gary Aitken wrote:
> I was considering turning on bridging, which requires the final ipfw
> rule to be allow, not deny.
> So I added a deny rule at 65534, but temporarily left the default deny
> rule in place in the kernel.
>
> Interestingly, my log shows the following:
>
> 65534 582 58547 deny ip from any to any
>
> 65535 3 234 deny ip from any to any
>
> This looks like an impossible situation, since the last 3 should have been
> caught by the previous rule.

I think they got caught in the split second between the time of flushing out
all rules and loading a new ruleset.
At that time 65535 was the only rule in the ruleset and 3 packets must have
reached your machine...

grtz,
Daan
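
A toy model of the reload window described in this reply, added here as an illustration; it is not part of the original message and not ipfw code. The `Firewall` class, `simulate` and the packet counts are constructed, every rule is assumed to match all packets, and the `atomic` branch goes one step beyond the thread by showing the same traffic when the ruleset is replaced in a single step.

```python
DEFAULT = 65535  # toy model: the compiled-in default rule, which a flush cannot remove


class Firewall:
    def __init__(self):
        self.rules = {DEFAULT: "deny"}   # rule number -> action
        self.hits = {DEFAULT: 0}         # rule number -> packet counter

    def add(self, number, action):
        self.rules[number] = action
        self.hits[number] = 0

    def flush(self):
        # Drop every rule except the default (assumption: its counter is kept).
        self.rules = {DEFAULT: self.rules[DEFAULT]}
        self.hits = {DEFAULT: self.hits[DEFAULT]}

    def swap_in(self, staged):
        # Modelled as atomic: no packet() call can happen between these steps.
        self.flush()
        for number, action in staged:
            self.add(number, action)

    def packet(self):
        # Every rule here matches "ip from any to any": lowest number wins.
        number = min(self.rules)
        self.hits[number] += 1
        return number


def reload_flush_then_load(fw, new_rules, arrivals_in_window):
    # Flush, let packets arrive while only DEFAULT exists, then load the rules.
    fw.flush()
    for _ in range(arrivals_in_window):
        fw.packet()
    for number, action in new_rules:
        fw.add(number, action)


def simulate(arrivals_in_window, arrivals_after, atomic=False):
    fw = Firewall()
    new_rules = [(65534, "deny")]        # the catch-all rule from the thread
    if atomic:
        fw.swap_in(new_rules)
        arrivals_after += arrivals_in_window   # same packets, no open window
    else:
        reload_flush_then_load(fw, new_rules, arrivals_in_window)
    for _ in range(arrivals_after):
        fw.packet()
    return fw.hits
```

With a default-deny kernel the packets that land in the window are dropped by 65535; if the compiled-in default were allow, the same window would pass them.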
