From: "Daan Vreeken [PA4DAN]" <Danovitsch@Vitsch.net>
To: Gary Aitken
cc: FreeBSD-questions@freebsd.org
Date: Mon, 2 Jun 2003 20:45:58 +0200
Subject: Re: ipfw final rule
Message-Id: <200306022045.58095.Danovitsch@Vitsch.net>
In-Reply-To: <3EDB7503.2070403@dreamchaser.org>

On Monday 02 June 2003 18:02, Gary Aitken wrote:
> I was considering turning on bridging, which requires the final ipfw
> rule to be allow, not deny.
> So I added a deny rule at 65534, but temporarily left the default deny
> rule in place in the kernel.
>
> Interestingly, my log shows the following:
>
> 65534 582 58547 deny ip from any to any
> 65535 3 234 deny ip from any to any
>
> This looks like an impossible situation, since the last 3 should have been
> caught by the previous rule.

I think they got caught in the split second between the time of flushing out
all rules and loading a new ruleset.
At that time 65535 was the only rule in the ruleset and 3 packets must have
reached your machine...

grtz,
Daan
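One way to close the window Daan describes, as an added example that is not part of the thread: ipfw rule sets let a new ruleset be staged in a disabled set and exchanged with the live set in a single operation, so rule 65535 is never the only rule present. It assumes an ipfw with rule-set support (ipfw2, FreeBSD 5.x and later, which the 2003 system in the thread may not have had) and a rule file of plain `add ...` lines; `reload_ruleset_atomically` and `ipfw_cmd` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the thread): replace an ipfw ruleset without the
# "flush, then reload" window in which rule 65535 is the only rule present.
# Assumes ipfw2 with rule sets (FreeBSD 5.x and later): the new rules are
# staged in a disabled set, then exchanged with the live set in one operation.
# Set IPFW=echo for a dry run that prints the commands instead of running them.

ipfw_cmd() { "${IPFW:-ipfw}" "$@"; }

# Usage: reload_ruleset_atomically RULEFILE
# RULEFILE holds one "add [number] action ..." line per rule, without "set N";
# blank lines and "#" comments are ignored.
reload_ruleset_atomically() {
    rulefile="$1"
    [ -r "$rulefile" ] || { echo "cannot read rule file: $rulefile" >&2; return 1; }

    # Stage into set 1 while it is disabled: traffic keeps matching the live
    # rules in set 0 meanwhile, and rule 65535 (set 31) never stands alone.
    ipfw_cmd -q set disable 1 || return 1
    ipfw_cmd -q delete set 1 2>/dev/null || true   # clear leftovers of an aborted run

    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;
            add\ *) ;;
            *) echo "skipping unexpected line: $line" >&2; continue ;;
        esac
        set -- $line            # split the line into words; "$1" is "add"
        shift
        num=""
        case "$1" in [0-9]*) num="$1"; shift ;; esac
        # "ipfw add [number] set 1 action ..." makes the rule a member of set 1
        ipfw_cmd -q add $num set 1 "$@" </dev/null || return 1
    done < "$rulefile"

    # Exchange sets 0 and 1: the new rules go live and the old ones become the
    # disabled set 1, which is then removed. No moment passes without a ruleset.
    ipfw_cmd -q set swap 0 1 || return 1
    ipfw_cmd -q delete set 1
}
```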