From owner-freebsd-ipfw  Thu Jul 25 10:43: 7 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 7068037B400
	for ; Thu, 25 Jul 2002 10:43:04 -0700 (PDT)
Received: from iguana.icir.org (iguana.icir.org [192.150.187.36])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 2D5C143E42
	for ; Thu, 25 Jul 2002 10:43:04 -0700 (PDT)
	(envelope-from rizzo@iguana.icir.org)
Received: (from rizzo@localhost)
	by iguana.icir.org (8.11.6/8.11.3) id g6PHgut01007;
	Thu, 25 Jul 2002 10:42:56 -0700 (PDT)
	(envelope-from rizzo)
Date: Thu, 25 Jul 2002 10:42:56 -0700
From: Luigi Rizzo
To: "Jo B. Grasmo"
Cc: ipfw@FreeBSD.ORG
Subject: Re: IPFW2
Message-ID: <20020725104256.B806@iguana.icir.org>
References: <20020725125346.A8987@dustpuppy.world-online.no>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <20020725125346.A8987@dustpuppy.world-online.no>; from needle+ipfw@verloid.net on Thu, Jul 25, 2002 at 12:53:46PM +0200
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID: 
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe: 
List-Unsubscribe: 
X-Loop: FreeBSD.ORG

On Thu, Jul 25, 2002 at 12:53:46PM +0200, Jo B. Grasmo wrote:
...
> 01000 0 0 check-state
> 01010 8 848 Thu Jul 25 12:43:43 2002 deny tcp from any to any established
> 01020 5862 587140 Thu Jul 25 12:43:58 2002 allow tcp from any to any setup keep-state
> 65535 17407 2155622 Thu Jul 25 12:43:07 2002 deny ip from any to any
> 
> IPFW1 used to list connections matching dynamic rules explicitly. Has
> that functionality been removed or just hasn't it been implemented
> yet?

you need to do

	ipfw -d list

(the -d flag has been in for some time now).

> On a side-note, I've never seen "check-state" counters increment.
> Shouldn't they? The rule obviously works, because if I remove it all
> connections die.

they always increment the parent of the dynamic rule.

> 
> IPFW1 also rewrote rules like this:
> ipfw add 2000 allow tcp from any to 10.1.1.1 22 in via xl0 setup keep-state
> into this:
> 02000 allow tcp from any to 10.1.1.1 22 keep-state in recv xl0 setup
> 
> IPFW2 doesn't, which broke my scripts.

because "via" is different from "recv" :)
though i agree that "in via" can never match an output interface
because there isn't one.

cheers
luigi

> One final question, when can we see IPFW2 as a kernel module? :-)
> 
> 
> Regards,
> 
> Jo B. Grasmo
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-ipfw" in the body of the message
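The two points Luigi makes above (dynamic state is only visible with `ipfw -d list`, and hits on dynamic entries are accounted to the parent keep-state rule rather than to check-state) are easy to confirm when auditing a ruleset. The script below is an added example, not code from the thread or from FreeBSD; it parses a constructed `ipfw -d list` listing (the static rules are the ones Jo posted, without the -t timestamps; the "## Dynamic rules" section and its line format are an approximation written for this example, not captured output) and reports which parent rule each dynamic entry belongs to, alongside the parent's packet counter.

```shell
#!/bin/sh
# Constructed sample of `ipfw -d list` output. Static rules are from the
# thread; the dynamic section is an approximation of the real format.
SAMPLE='01000 0 0 check-state
01010 8 848 deny tcp from any to any established
01020 5862 587140 allow tcp from any to any setup keep-state
65535 17407 2155622 deny ip from any to any
## Dynamic rules:
01020 3 1200 (T 280, # 1) ty 0 tcp, 192.0.2.10 40123 <-> 192.0.2.20 22
01020 2 900 (T 120, # 2) ty 0 tcp, 192.0.2.11 40124 <-> 192.0.2.20 80'

# Print "<parent rule> <number of dynamic entries>" for every parent rule
# that currently owns dynamic state. The first column of a dynamic entry
# is the rule number of the keep-state rule that created it.
count_dynamic_by_parent() {
    printf '%s\n' "$SAMPLE" | awk '
        /^## Dynamic rules/ { dyn = 1; next }
        dyn && NF >= 1      { n[$1]++ }
        END { for (r in n) print r, n[r] }' | sort
}

# Print the packet counter of one static rule (0 if the rule is absent).
# Stops at the dynamic section so dynamic lines are never mistaken for rules.
static_pkts() {
    printf '%s\n' "$SAMPLE" | awk -v rule="$1" '
        /^## Dynamic rules/ { exit }
        $1 == rule { print $2; found = 1; exit }
        END { if (!found) print 0 }'
}

# Human-readable summary: check-state stays at 0 hits while the parent
# keep-state rule carries the counts and owns the dynamic entries.
summary() {
    echo "check-state (01000) packets: $(static_pkts 01000)"
    count_dynamic_by_parent | while read -r parent n; do
        echo "parent $parent: $n dynamic entries, $(static_pkts "$parent") packets"
    done
}

summary
```

Run against a live system by replacing `SAMPLE` with the output of `ipfw -d list`; if the dynamic section is empty while connections are established, the rules are not creating state, which is worth checking before assuming the counters are broken.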