Date:      Tue, 18 Feb 2020 17:00:25 +0300
From:      Andreas X <hamdi20193d@gmail.com>
To:        Robert Huff <roberthuff@rcn.com>
Cc:        Trond Endrestøl <trond.endrestol@ximalas.info>,  Tim Daneliuk <tundra@tundraware.com>,  FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject:   Re: Blacklist IP file for IPFW?
Message-ID:  <CAEW8WPvgU1EHD4jj0T5q3aucgSgXsZtHcK5Jq%2BdSgsgq5u9DwQ@mail.gmail.com>
In-Reply-To: <24139.58932.915276.752500@jerusalem.litteratus.org>
References:  <CAEW8WPsMvq7bdAQ4cu=RYZQ=PfXMmbUUQ-yi_0qUAjt-nWTf=Q@mail.gmail.com> <9585fce4-b48d-a210-d62f-a2100c0cf929@tundraware.com> <CAEW8WPunc9%2B-7qybkrnDep3R08ApgjBkA2n=fi%2ByU8psTJRkNg@mail.gmail.com> <CAEW8WPtqeFDahGMN8h4qijXe6oug7H6uEyG2hTuqs53G2K98eA@mail.gmail.com> <e3aa5e53-606b-7ad4-b529-5891cf509fbf@tundraware.com> <alpine.BSF.2.22.395.2002180821310.6036@enterprise.ximalas.info> <CAEW8WPuirfT-uq2XOBf%2B1w6StXQLEtSpCgAEELL5pLtthk9tog@mail.gmail.com> <24139.58932.915276.752500@jerusalem.litteratus.org>

Hello Robert,

Thanks for your reply. Sure, here's the entire IPFW ruleset:
https://hastepaste.com/view/PqDX5sl

(allow IPs are just Cloudflare's IPs)

Please see the line: 00350  15    882 deny ip from table(1) to any
(BANS the IPs from table 1 successfully)
BUT if that line would be: 65500  15    882 deny ip from table(1) to any
(It doesn't ban anything)

Thank you all,
Regards.




On Tue, 18 Feb 2020 at 16:27, Robert Huff <roberthuff@rcn.com> wrote:

>
> Andreas X writes:
>
> >  Question is: If I don't add the rule number 00350 to that command,
> >  that rule gets placed in the 65000s, and ipfw doesn't block the IPs in
> >  the table at all. I wanted to ask why it reacts like that; shouldn't IPFW still
> >  do the job (deny) even if the rule number belongs to the last ones?
>
>         I am not an IPFW expert ... but:
>         It is my understanding IPFW stops processing a packet after the
> first rule that matches that packet.  Am I wrong?
>         If not, this suggests somewhere between rule 351 and rule
> 650000(-ish) is a rule that matches the packet and keeps it from
> getting processed by anything lower in the list.
>         Would you be willing to publish your entire IPFW ruleset?
>
>
>
>                         Respectfully,
>
>
>                                 Robert Huff
>
>
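The behaviour Robert describes (ipfw stops at the first matching rule) and the observation Andreas reports (the table(1) deny works at 00350 but not at 65500) can be reproduced with a small first-match simulator. This is an added example and not code from the thread; the poster's real ruleset is only linked, so every rule number, address and port below is a constructed placeholder, and rule 65535 is assumed to be the stock FreeBSD default deny.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical ruleset in the spirit of the thread: the poster's real rules are only
# linked, so every rule number, address and port here is a constructed placeholder.
# Addresses come from the RFC 5737 documentation ranges.
CLOUDFLARE_PLACEHOLDER = "198.51.100.0/24"             # stands in for the CDN "allow" list
TABLES = {1: [ipaddress.ip_network("203.0.113.0/24")]}  # stands in for table(1)


@dataclass(frozen=True)
class Rule:
    number: int          # ipfw rule number; rules are evaluated in ascending order
    action: str          # "allow" or "deny"
    src: str             # "any", "table(N)" or a CIDR
    dst_ports: tuple     # empty tuple means any port (the "ip from ... to any" form)


def src_matches(rule: Rule, src_ip: ipaddress.IPv4Address) -> bool:
    """Does the rule's source spec cover this packet's source address?"""
    if rule.src == "any":
        return True
    if rule.src.startswith("table(") and rule.src.endswith(")"):
        table_no = int(rule.src[len("table("):-1])
        return any(src_ip in net for net in TABLES.get(table_no, []))
    return src_ip in ipaddress.ip_network(rule.src)


def first_match(rules, src: str, dport: int):
    """Return (rule number, action) of the first rule that matches.

    ipfw stops at the first matching rule, so anything later in the list never
    sees the packet. Rule 65535 is the kernel's default rule and is assumed here
    to be 'deny' (the stock FreeBSD default).
    """
    src_ip = ipaddress.ip_address(src)
    for rule in sorted(rules, key=lambda r: r.number):
        if src_matches(rule, src_ip) and (not rule.dst_ports or dport in rule.dst_ports):
            return rule.number, rule.action
    return 65535, "deny"


def ruleset(deny_rule_number: int):
    """The same rules with the table(1) deny placed at a chosen number."""
    return [
        Rule(100, "allow", CLOUDFLARE_PLACEHOLDER, ()),   # the "allow IPs" lines
        Rule(deny_rule_number, "deny", "table(1)", ()),  # 00350 vs 65500 in the thread
        Rule(400, "allow", "any", (80, 443)),            # public web service
    ]


if __name__ == "__main__":
    listed = "203.0.113.7"   # constructed: an address that sits in table(1)
    for number in (350, 65500):
        print(number, first_match(ruleset(number), listed, 443))
```

With the deny at 350 the listed address is dropped before anything else looks at it; at 65500 the web-service allow at 400 matches first and the deny is never reached. On a real host the packet and byte columns that `ipfw show` prints next to each rule (the "15" and "882" in the quoted line) are the check to make: a deny rule whose counters stay at zero while traffic from a table(1) address keeps arriving is sitting below the rule that actually matched.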


