Date:      Tue, 04 Sep 2007 01:24:38 +0700
From:      "Vadim Goncharov" <vadimnuclight@tpu.ru>
To:        "Russell Fulton" <r.fulton@auckland.ac.nz>, freebsd-ipfw@freebsd.org
Subject:   Re: Problems with pipes...
Message-ID:  <optx3b3cdh4fjv08@nuclight.avtf.net>
In-Reply-To: <46DB8E20.8070404@auckland.ac.nz>
References:  <46DB8E20.8070404@auckland.ac.nz>

03.09.07 @ 11:31 Russell Fulton wrote:

> here is an ipfw -d show during a file transfer
>
> [root@wgate-1 /root]# ipfw -d show
> 00010     0       0 check-state
> 00011     0       0 allow tcp from 130.216.89.0/24,130.216.90.0/23 to  
> 130.216.11.210 dst-port 25,587,465 xmit fxp1 setup keep-state
> 00015     0       0 deny log udp from any to any dst-port  
> 7,67,68,69,111,134-140,199,445,512,513,520,1993,2049,1900,5000 via fxp1 
> 00016     0       0 deny log tcp from any to any dst-port  
> 7,11,15,25,67,68,87,111,134-140,144,199,445,511-514,1025,1993,1900,2049,2766,5000,5999-6020  
> via fxp1
> 00020   115    6440 allow ip from 130.216.89.6/31 to 224.0.0.18 via  
> vlan89
> 00021   114    6384 allow ip from 130.216.90.6/31 to 224.0.0.18 via  
> vlan90
> 00022   114    6384 allow ip from 130.216.94.6/31 to 224.0.0.18 via  
> vlan94
> 00023   115    6440 allow ip from 130.216.95.6/31 to 224.0.0.18 via  
> vlan95
> 00024     0       0 allow ip from 130.216.1.11 to 224.0.0.18 via fxp1
> 00024   115    6440 allow ip from 130.216.1.12 to 224.0.0.18 via fxp1
> 00030     0       0 allow ip from 130.216.4.173 to 224.0.0.18 via fxp1
> 00031     0       0 allow ip from 130.216.4.174 to 224.0.0.18 via fxp1
> 00040   358   36699 allow tcp from 130.216.4.0/23,130.216.76.0/23 to any  
> in recv fxp1 setup keep-state
> 01102     0       0 allow ip from any to any via lo0 setup keep-state
> 01139     1      48 allow ip from 130.216.155.0/24 to any in recv vlan155
> 01145 11271 9865040 allow tcp from  
> 130.216.89.0/24,130.216.90.0/23,130.216.94.0/24,130.216.95.0/24,130.216.155.0/24  
> to any out via fxp1 setup keep-state
> 01147     0       0 allow ip from  
> 130.216.89.0/24,130.216.90.0/23,130.216.94.0/24,130.216.95.0/24,130.216.155.0/24  
> to any out xmit fxp1 keep-state
> 02420     0       0 pipe 15 ip from 130.216.155.0/24 to any
> 06000   201   25058 deny log ip from any to any
> 65535   160   74420 deny ip from any to any
> ## Dynamic rules (2):
> 01145 11270 9864992 (300s) STATE tcp 130.216.155.13 1525 <-> 161.53.24.9  
> 80
> 00040   357   36635 (300s) STATE tcp 130.216.4.12 60906 <-> 130.216.1.11  
> 22
>
> Note that nothing is going through pipe 15 even though it would appear
> to match dynamic rule 01145.
>
> What have I screwed up?

You forgot that the *first* matching rule is applied to a packet, and then the  
packet doesn't go on to the next rules (except for the "count" action and some other  
cases). So your packets are matched by 01145 and are allowed to go through  
your machine, never reaching rule 02420, which is next in the list.

-- 
WBR, Vadim Goncharov



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?optx3b3cdh4fjv08>
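The first-match behaviour described in the reply, as an added example that is not part of the original thread: a small Python model of ipfw rule evaluation built from a constructed subset of the quoted ruleset. It matches on source address only (interfaces, ports, direction and dynamic state are left out, since ordering alone explains the zero counters on 02420), and the rule number 5 used for the relocated pipe is an assumption, chosen only because it precedes both the check-state at 00010 and the allow at 01145.

```python
"""Model of ipfw's first-match evaluation.

Added example, not code from the original post. It reproduces the
ordering problem in the thread: "pipe 15" at rule 02420 sits after
the "allow ... keep-state" rule 01145, so traffic from
130.216.155.0/24 is accepted at 01145 and the pipe never sees it.
Only rule numbers and source networks are modelled; interfaces,
ports, direction and dynamic state are ignored. Rule 5 for the
relocated pipe is an assumed number.
"""
from ipaddress import ip_address, ip_network

# Constructed subset of the quoted ruleset: (number, action, source nets).
ORIGINAL_RULES = [
    (1145, "allow", ["130.216.89.0/24", "130.216.90.0/23",
                     "130.216.94.0/24", "130.216.95.0/24",
                     "130.216.155.0/24"]),
    (2420, "pipe 15", ["130.216.155.0/24"]),
    (6000, "deny", ["0.0.0.0/0"]),
    (65535, "deny", ["0.0.0.0/0"]),   # ipfw's implicit default rule
]


def evaluate(rules, src, one_pass=True):
    """Walk the rules in ascending number order, as ipfw does.

    Returns (trace, verdict): the rule numbers that matched and the
    final action. The one_pass flag emulates net.inet.ip.fw.one_pass:
    when set (the default) a packet leaving a dummynet pipe is not
    passed through the firewall again, so the pipe is terminal; when
    unset the packet is re-injected at the rule after the pipe and
    the search continues from there.
    """
    addr = ip_address(src)
    trace = []
    verdict = None
    for number, action, nets in sorted(rules, key=lambda r: r[0]):
        if not any(addr in ip_network(net) for net in nets):
            continue
        trace.append(number)
        verdict = action
        if action.startswith("pipe") and not one_pass:
            continue      # re-injected after the pipe; keep searching
        break             # first match (or a terminal pipe) ends the search
    return trace, verdict


def move_rule(rules, old_number, new_number):
    """Return a copy of the ruleset with one rule renumbered: the
    equivalent of 'ipfw delete <old>' followed by 'ipfw add <new> ...'."""
    return [(new_number if number == old_number else number, action, nets)
            for number, action, nets in rules]


# The fix: put the pipe ahead of the allow that would otherwise win.
FIXED_RULES = move_rule(ORIGINAL_RULES, 2420, 5)


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        for one_pass in (True, False):
            trace, verdict = evaluate(rules, "130.216.155.13", one_pass)
            print(f"{label:8} one_pass={int(one_pass)}: hits {trace} -> {verdict}")
```

In ipfw terms the model's fix is `ipfw delete 2420` followed by `ipfw add 5 pipe 15 ip from 130.216.155.0/24 to any`. Two caveats the model makes visible: with net.inet.ip.fw.one_pass left at 1 the pipe becomes the final action, so shaped packets never reach the keep-state at 01145 and no dynamic entry is created; set one_pass to 0 if the flow should still be tracked after shaping. And because check-state at 00010 accepts any packet matching an existing dynamic entry with the parent rule's action, a pipe placed between 00010 and 01145 would only see the first packet of each flow, which is why the relocated rule has to precede the check-state as well.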