From owner-freebsd-security Thu Jan 30 07:48:50 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id HAA15879 for security-outgoing; Thu, 30 Jan 1997 07:48:50 -0800 (PST)
Received: from leonie.object-factory.com (ns1.object-factory.com [194.25.136.5]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id HAA15874 for ; Thu, 30 Jan 1997 07:48:46 -0800 (PST)
Received: (from daemon@localhost) by leonie.object-factory.com (8.8.2/8.8.2) id QAA29727 for freebsd-security@freebsd.org; Thu, 30 Jan 1997 16:49:52 +0100 (MET)
Received: (from news@localhost) by leonie.object-factory.com (8.8.2/8.8.2) id QAA29719; Thu, 30 Jan 1997 16:49:51 +0100 (MET)
To: freebsd-security@freebsd.org
From: znek@object-factory.com (Marcus Mueller)
Subject: ipfw trouble under FreeBSD 2.1.5
Date: 30 Jan 1997 15:49:50 GMT
Message-ID: <5cqfuu$sqt@leonie.object-factory.com>
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Hi,

it seems that ipfw under FreeBSD 2.1.5 has a bug which leads to deny-rules being applied to connections which should have been accepted before. (That means a 65000 deny blah from blah to blah matches a connection which should have been accepted by a 10000 allow blah from blah to blah).

In certain cases - though not deterministically - I have to flush the list and then set up all rules again for the firewall to function properly. In some cases this does not help, however.

Is this problem known and solved under FreeBSD 2.1.6?

Thanks in advance,

Marcus.