Message-ID: <31D3CAD7.1782696E@fa.tdktca.com>
Date: Fri, 28 Jun 1996 07:06:47 -0500
From: Alex Nash
Organization: TDK Factory Automation
To: phk@FreeBSD.ORG
CC: nate@mt.sri.com, current@FreeBSD.ORG
Subject: Re: IPFW bugs? (fwd)

> >> It's certainly a bug that you have rules with the same number, that
> >> looks VERY weird to me, also where was your 65535 block all rule ?
> >
> >I set them to be the same #. Should I not?
> no, I thought it was impossible to do so actually, and intended it to
> be for that matter. Having the same number makes it harder to understand
> which one did that, and may lead to confusion as to what order they
> apply in.

The kernel does not reject rules with the same number. In fact, given a rule without a number, it may even generate a duplicate itself (if your last rule is >=65435, the kernel will assign that same number to rules added without a specified index).

> >> Add "log" to all rules and see which number lets you through.
> >
> >Ahh, I didn't realize you could 'log' accept rules. I'll do that.
>
> Not only that, but all rules have counters ipfw can show you, so you
> can even see activation of rules that didn't log.

You can get even more information by using the -t option (ipfw -at l) to see a timestamp of when the rule matched.

Alex
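An added example, not part of the original message or of the FreeBSD source: a small audit over an `ipfw list`-style listing that reports rule numbers used more than once and checks whether the last rule is at or above the 65435 threshold described above. The sample listing is constructed, the function names are hypothetical, and treating "last rule" as the highest-numbered rule other than 65535 is an assumption.

```python
import re
from collections import defaultdict

AUTO_NUMBER_LIMIT = 65435   # threshold quoted in the message above
DEFAULT_RULE = 65535        # the catch-all rule mentioned in the thread

# Constructed sample in the style of `ipfw list` output (not taken from the thread).
SAMPLE = """\
00100 allow ip from 127.0.0.1 to 127.0.0.1
01000 allow tcp from any to any 25
01000 deny tcp from any to any 23
65500 deny log ip from any to any
65535 deny ip from any to any
"""

def parse_rules(listing):
    """Return [(rule_number, rule_text)] in the order listed."""
    rules = []
    for line in listing.splitlines():
        m = re.match(r"\s*(\d{1,5})\s+(.*\S)", line)
        if m:
            rules.append((int(m.group(1)), m.group(2)))
    return rules

def audit(listing):
    """Report duplicate rule numbers and the auto-numbering collision case."""
    rules = parse_rules(listing)
    by_number = defaultdict(list)
    for number, text in rules:
        by_number[number].append(text)
    duplicates = {n: t for n, t in by_number.items() if len(t) > 1}
    # Assumption: the 65535 catch-all is not counted as the "last rule".
    numbered = [n for n, _ in rules if n != DEFAULT_RULE]
    last = max(numbered) if numbered else None
    return {
        "duplicates": duplicates,
        "last_rule": last,
        "auto_number_collision": last is not None and last >= AUTO_NUMBER_LIMIT,
    }

if __name__ == "__main__":
    report = audit(SAMPLE)
    for number, texts in sorted(report["duplicates"].items()):
        print(f"rule {number:05d} appears {len(texts)} times: {texts}")
    if report["auto_number_collision"]:
        print(f"last rule {report['last_rule']:05d} >= {AUTO_NUMBER_LIMIT}: "
              "a rule added without a number would reuse it")
```

The rule number is the first field whether or not the listing was produced with counters or timestamps, so the same parse applies to those forms.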