From owner-freebsd-hackers Wed Aug 27 21:17:38 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id VAA05725 for hackers-outgoing; Wed, 27 Aug 1997 21:17:38 -0700 (PDT)
Received: from panda.hilink.com.au (panda.hilink.com.au [203.8.15.25]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id VAA05720 for ; Wed, 27 Aug 1997 21:17:30 -0700 (PDT)
Received: (from danny@localhost) by panda.hilink.com.au (8.8.5/8.8.5) id OAA06381; Thu, 28 Aug 1997 14:16:37 +1000 (EST)
Date: Thu, 28 Aug 1997 14:16:36 +1000 (EST)
From: "Daniel O'Callaghan"
To: Tim Baur
cc: freebsd-hackers@freebsd.org
Subject: Re: ipfw configuration.
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

You only seem to be allowing traffic to and from fw-kam, and not through
it. Maybe that's what you intended.

ed1 and ed0 should work the same, just make sure you get the irq right -
not conflicting with another device.

The ruleset looks OK to me, but you might want to also add the rule:

    65000 deny log all from any to any

That does the same thing as the final 65535 rule, but logs the packet so
you can see more closely why it was not matched by an earlier rule.
You'll see the log message on the console and in /var/log/messages.

Danny

/* Daniel O'Callaghan                                        */
/* HiLink Internet                      danny@hilink.com.au  */
/* FreeBSD - works hard, plays hard...  danny@freebsd.org    */
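
Added example, not part of the original message: a shell/awk filter that tallies the packets logged by the catch-all rule 65000, so the flows that no earlier rule matched stand out. The syslog line layout, the function names, and the sample lines (addresses, ports, timestamps) are constructed assumptions; check the layout against your own /var/log/messages.

```shell
#!/bin/sh
# Assumed log layout (not shown in the message above; verify locally):
#   <timestamp> <host> /kernel: ipfw: <rule> Deny <proto> <src> <dst> [in|out] via <if>

# Constructed sample input; only fw-kam, ed1 and rule 65000 come from the thread.
sample_log() {
    cat <<'EOF'
Aug 28 14:20:01 fw-kam /kernel: ipfw: 65000 Deny TCP 10.1.1.5:1030 192.0.2.10:80 in via ed1
Aug 28 14:20:04 fw-kam /kernel: ipfw: 65000 Deny TCP 10.1.1.5:1031 192.0.2.10:80 in via ed1
Aug 28 14:20:09 fw-kam /kernel: ipfw: 65000 Deny UDP 10.1.1.7:1040 192.0.2.53:53 in via ed1
Aug 28 14:21:00 fw-kam /kernel: ipfw: 1000 Deny TCP 10.1.1.9:1050 192.0.2.10:23 in via ed1
Aug 28 14:21:30 fw-kam sendmail[212]: unrelated line
EOF
}

# summarize_ipfw_denies RULE  (hypothetical helper; reads syslog text on stdin)
# Prints "<count> <proto> <src host> -> <dst> (<direction/interface>)",
# most frequent first, for packets denied by RULE only.
summarize_ipfw_denies() {
    awk -v rule="$1" '
    {
        # Find the "ipfw:" tag so the width of the syslog prefix does not matter.
        for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
        if (i > NF || $(i + 1) != rule || $(i + 2) != "Deny") next
        proto = $(i + 3); src = $(i + 4); dst = $(i + 5)
        sub(/:[0-9]+$/, "", src)      # source ports are ephemeral; group by host
        where = ""                    # remaining fields: direction and interface
        for (j = i + 6; j <= NF; j++) where = (where == "" ? $j : where " " $j)
        count[proto " " src " -> " dst " (" where ")"]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }
    ' | sort -rn
}

# Demo on the constructed sample; on a real box: summarize_ipfw_denies 65000 < /var/log/messages
sample_log | summarize_ipfw_denies 65000
```

Each output line is a flow that fell through to the logging rule; compare its interface and direction with the allow rules to see which one is missing.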