From owner-freebsd-questions@FreeBSD.ORG Mon Nov 17 03:06:33 2008
Delivered-To: questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A1C101065670; Mon, 17 Nov 2008 03:06:33 +0000 (UTC) (envelope-from smithi@nimnet.asn.au)
Received: from sola.nimnet.asn.au (paqi.nimnet.asn.au [220.233.188.227]) by mx1.freebsd.org (Postfix) with ESMTP id 117248FC0C; Mon, 17 Nov 2008 03:06:32 +0000 (UTC) (envelope-from smithi@nimnet.asn.au)
Received: from localhost (localhost [127.0.0.1]) by sola.nimnet.asn.au (8.14.2/8.14.2) with ESMTP id mAH36UH4093110; Mon, 17 Nov 2008 14:06:30 +1100 (EST) (envelope-from smithi@nimnet.asn.au)
Date: Mon, 17 Nov 2008 14:06:30 +1100 (EST)
From: Ian Smith
To: "Jin Guojun[VFF]"
In-Reply-To: <4920C685.1050004@gmail.com>
Message-ID: <20081117134532.S70117@sola.nimnet.asn.au>
References: <491F413A.4020108@gmail.com> <20081115223556.GA45503@owl.midgard.homeip.net> <491F54A0.9090702@gmail.com> <491F6466.40309@gmail.com> <20081116224655.J70117@sola.nimnet.asn.au> <4920C685.1050004@gmail.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Cc: ipfw@freebsd.org, questions@freebsd.org
Subject: Re: some ipfw filter does not function under Release 6.3
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Mon, 17 Nov 2008 03:06:33 -0000

On Sun, 16 Nov 2008, Jin Guojun[VFF] wrote:

> Ian Smith wrote:
>
> > On Sat, 15 Nov 2008, Jin Guojun[VFF] wrote:
> >
> > > I think this is a bug in ipfw because after changing the rule order, the
> > > problem persists:
> > > 00566 26 3090 deny ip from 221.192.199.36 to any
> > > 65330 2018 983473 allow tcp from any to any established
> > > 65535 0 0 deny ip from any to any
> >
> > Are you saying that the packets shown below from 221.192.199.36 arrived
> > =after= you added rule 566, which denies all traffic from that address?
> >
> > Are you showing us your entire ruleset; is it just those three rules?
> >
> > Is the tcpdump shown running on the same box as ipfw, or another box?
> > If another box, how is it connected through the firewall, to the net?
> >
> > Which machine performs NAT for your network? None of this is obvious.
> >
> > Please show output of 'ifconfig' and 'netstat -rn' on the ipfw box?
>
> I have found the problem: it is due to the NIC naming change after the
> motherboard upgrade.
> The em0 was the LAN port, but now it is the WAN port. So, the following
> rule caused SYNs to come in:
>
> 00123 12 528 allow tcp from any to 192.168.0.0/16 via em0 setup

Ahah!

> This is my configuration fault, and we can close PR kern/128902.
>
> Thanks,
> -Jin

Glad you found it so soon, Jin; that was one very short-lived PR :)

cheers, Ian
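The thread's root cause is worth seeing mechanically: ipfw walks its list in rule-number order and the first match wins, and `via em0` matches any packet crossing em0 in either direction, so once em0 became the WAN port the `setup` rule at 123 accepted inbound SYNs before the deny at 566 was ever consulted. The simulator below is an added example written for this page, not code from the thread or from FreeBSD; it models only the ipfw keywords that appear above (allow/deny, ip/tcp, from/to, via, setup, established) plus the in/out direction words, with the same first-match semantics. The rules are the four posted in the thread with their counters dropped; the "fixed" ruleset assumes the LAN port is now named em1 (an assumption, substitute whatever `ifconfig` shows), and the packets are constructed, not from the reporter's tcpdump.

```python
"""
Added example, not from the thread or from FreeBSD: a first-match simulator
for the small ipfw rule subset quoted above.  Interface name em1 and all
packet addresses are assumptions made for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str       # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    iface: str       # interface the packet is received on or sent through
    direction: str   # "in" or "out"
    syn: bool = False
    ack: bool = False
    rst: bool = False


def parse_rule(line):
    """Parse one 'ipfw list' style line into a dict; unknown tokens raise."""
    toks = line.split()
    rule = {"num": int(toks[0]), "action": toks[1], "proto": toks[2],
            "src": "any", "dst": "any", "via": None, "dir": None,
            "setup": False, "established": False}
    i = 3
    while i < len(toks):
        t = toks[i]
        if t in ("from", "to"):
            rule["src" if t == "from" else "dst"] = toks[i + 1]
            i += 2
        elif t == "via":
            rule["via"] = toks[i + 1]
            i += 2
        elif t in ("in", "out"):
            rule["dir"] = t
            i += 1
        elif t in ("setup", "established"):
            rule[t] = True
            i += 1
        else:
            raise ValueError(f"unsupported token {t!r} in rule {rule['num']}")
    return rule


def addr_match(spec, addr):
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, pkt):
    if rule["proto"] != "ip" and rule["proto"] != pkt.proto:
        return False
    if not (addr_match(rule["src"], pkt.src) and addr_match(rule["dst"], pkt.dst)):
        return False
    if rule["dir"] and rule["dir"] != pkt.direction:
        return False
    # 'via' matches the packet's interface in either direction, which is why
    # the rule in the thread started accepting WAN traffic once em0 became WAN.
    if rule["via"] and rule["via"] != pkt.iface:
        return False
    if rule["setup"] and not (pkt.proto == "tcp" and pkt.syn and not pkt.ack):
        return False
    if rule["established"] and not (pkt.proto == "tcp" and (pkt.ack or pkt.rst)):
        return False
    return True


def evaluate(rules, pkt):
    """First match wins, as ipfw walks its list; returns (rule number, action)."""
    for rule in sorted((parse_rule(r) for r in rules), key=lambda r: r["num"]):
        if rule_matches(rule, pkt):
            return rule["num"], rule["action"]
    raise RuntimeError("ruleset has no final catch-all rule")


# Rules from the thread (counters dropped).  Rule 123 sits before the deny at 566.
RULES_AS_POSTED = [
    "00123 allow tcp from any to 192.168.0.0/16 via em0 setup",
    "00566 deny ip from 221.192.199.36 to any",
    "65330 allow tcp from any to any established",
    "65535 deny ip from any to any",
]

# Same ruleset with rule 123 bound to the interface that is now the LAN side.
# "em1" is an assumed name; substitute whatever ifconfig shows for the LAN port.
RULES_FIXED = [r.replace("via em0", "via em1") for r in RULES_AS_POSTED]

# Constructed packets, not captures from the thread.
WAN_SYN = Packet("tcp", "221.192.199.36", "192.168.1.10", "em0", "in", syn=True)
LAN_SYN = Packet("tcp", "192.168.1.20", "192.168.1.10", "em1", "in", syn=True)
WAN_ACK = Packet("tcp", "198.51.100.7", "192.168.1.10", "em0", "in", ack=True)


if __name__ == "__main__":
    for name, rules in (("as posted", RULES_AS_POSTED), ("fixed", RULES_FIXED)):
        for label, pkt in (("WAN SYN", WAN_SYN), ("LAN SYN", LAN_SYN), ("WAN ACK", WAN_ACK)):
            print(f"{name:9s} {label}: rule {evaluate(rules, pkt)}")
```

Running it shows the posted ruleset accepting the WAN SYN at rule 123 and, less obviously, denying the LAN SYN at 65535 (the LAN-side traffic the rule was written for no longer matches it at all); with rule 123 re-bound to the LAN interface the WAN SYN falls through to the deny at 566 and the LAN SYN is allowed again. The practical check behind the example is the one Ian asked for in the thread: after any hardware change, compare `ifconfig` and `netstat -rn` against every interface name in the ruleset before trusting the rules that are keyed on it.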