From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 3 18:24:43 2007
Date: Tue, 04 Sep 2007 01:24:38 +0700
From: "Vadim Goncharov" <vadimnuclight@tpu.ru>
Organization: AVTF TPU Hostel
To: "Russell Fulton", freebsd-ipfw@freebsd.org
Subject: Re: Problems with pipes...
In-Reply-To: <46DB8E20.8070404@auckland.ac.nz>
References: <46DB8E20.8070404@auckland.ac.nz>
03.09.07 @ 11:31 Russell Fulton wrote:

> here is a ipfw -d show during a file transfer
>
> [root@wgate-1 /root]# ipfw -d show
> 00010 0 0 check-state
> 00011 0 0 allow tcp from 130.216.89.0/24,130.216.90.0/23 to 130.216.11.210 dst-port 25,587,465 xmit fxp1 setup keep-state
> 00015 0 0 deny log udp from any to any dst-port 7,67,68,69,111,134-140,199,445,512,513,520,1993,2049,1900,5000 via fxp1
> 00016 0 0 deny log tcp from any to any dst-port 7,11,15,25,67,68,87,111,134-140,144,199,445,511-514,1025,1993,1900,2049,2766,5000,5999-6020 via fxp1
> 00020 115 6440 allow ip from 130.216.89.6/31 to 224.0.0.18 via vlan89
> 00021 114 6384 allow ip from 130.216.90.6/31 to 224.0.0.18 via vlan90
> 00022 114 6384 allow ip from 130.216.94.6/31 to 224.0.0.18 via vlan94
> 00023 115 6440 allow ip from 130.216.95.6/31 to 224.0.0.18 via vlan95
> 00024 0 0 allow ip from 130.216.1.11 to 224.0.0.18 via fxp1
> 00024 115 6440 allow ip from 130.216.1.12 to 224.0.0.18 via fxp1
> 00030 0 0 allow ip from 130.216.4.173 to 224.0.0.18 via fxp1
> 00031 0 0 allow ip from 130.216.4.174 to 224.0.0.18 via fxp1
> 00040 358 36699 allow tcp from 130.216.4.0/23,130.216.76.0/23 to any in recv fxp1 setup keep-state
> 01102 0 0 allow ip from any to any via lo0 setup keep-state
> 01139 1 48 allow ip from 130.216.155.0/24 to any in recv vlan155
> 01145 11271 9865040 allow tcp from 130.216.89.0/24,130.216.90.0/23,130.216.94.0/24,130.216.95.0/24,130.216.155.0/24 to any out via fxp1 setup keep-state
> 01147 0 0 allow ip from 130.216.89.0/24,130.216.90.0/23,130.216.94.0/24,130.216.95.0/24,130.216.155.0/24 to any out xmit fxp1 keep-state
> 02420 0 0 pipe 15 ip from 130.216.155.0/24 to any
> 06000 201 25058 deny log ip from any to any
> 65535 160 74420 deny ip from any to any
> ## Dynamic rules (2):
> 01145 11270 9864992 (300s) STATE tcp 130.216.155.13 1525 <-> 161.53.24.9 80
> 00040 357 36635 (300s) STATE tcp 130.216.4.12 60906 <-> 130.216.1.11 22
>
> Note that nothing is going through pipe 15 even though it would appear to match dynamic rule 01145.
>
> What have I screwed up?

You forgot that the *first* matching rule is applied to a packet, and then the packet doesn't go on to the next rules (except for the "count" action and some other cases). So your packets are matched by 01145 and are allowed to go through your machine, not reaching rule 02420, which is next in the list.

-- 
WBR, Vadim Goncharov
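To make the first-match point concrete, here is a small Python model of ipfw's evaluation order, added here and not part of the thread. It implements only what this ruleset needs (rule-number order, source-network and setup matching, check-state plus the implicit check-state done by keep-state rules, and the pipe action being terminal under the default net.inet.ip.fw.one_pass=1), uses a constructed flow with the addresses from the dynamic rule, and goes one step beyond the reply by also showing what happens when the pipe rule is simply moved to the top.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    num: int
    action: str              # "check-state", "allow", "deny" or "pipe"
    src: str = "any"         # source network (CIDR); "any" matches everything
    setup: bool = False      # match only the TCP SYN that opens a flow
    keep_state: bool = False
    def matches(self, pkt):
        in_net = (self.src == "any" or
                  ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src))
        return in_net and (not self.setup or pkt["syn"])

class Ipfw:  # first-match evaluator; check-state/keep-state consult the dynamic table
    def __init__(self, rules, one_pass=True):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.one_pass = one_pass   # net.inet.ip.fw.one_pass=1: a pipe action is terminal
        self.dyn = {}              # (src, dst) -> rule whose keep-state created the entry
        self.hits = {r.num: 0 for r in self.rules}
    def process(self, pkt):
        flow = (pkt["src"], pkt["dst"])
        for r in self.rules:
            if r.action == "check-state" or r.keep_state:
                parent = self.dyn.get(flow)
                if parent is not None:     # dynamic match: the creating rule's action wins
                    self.hits[parent.num] += 1
                    return parent.action, parent.num
                if r.action == "check-state":
                    continue
            if not r.matches(pkt):
                continue
            self.hits[r.num] += 1
            if r.keep_state:
                self.dyn[flow] = r
            if r.action == "pipe" and not self.one_pass:
                continue               # one_pass=0: dummynet reinjects at the next rule
            return r.action, r.num
        return "deny", 65535           # implicit default rule

def run(rules, one_pass=True, n=5):  # constructed flow: one SYN, then n-1 data packets
    fw = Ipfw(rules, one_pass)
    pkts = [{"src": "130.216.155.13", "dst": "161.53.24.9", "syn": i == 0} for i in range(n)]
    return [fw.process(p) for p in pkts], fw.hits

# The thread's ordering (rules a 130.216.155.0/24 flow can reach), and the pipe moved first.
ORIGINAL = [Rule(10, "check-state"), Rule(1145, "allow", "130.216.155.0/24", True, True),
            Rule(2420, "pipe", "130.216.155.0/24"), Rule(6000, "deny")]
REORDERED = [Rule(5, "pipe", "130.216.155.0/24")] + ORIGINAL
```

run(ORIGINAL) reproduces the counters in the thread: 01145 takes every packet (the SYN directly, the rest via check-state) and 02420 stays at zero. With the pipe moved ahead of check-state and one_pass=1 the pipe becomes the only rule the flow ever hits, so the stateful allow and the deny policy below it no longer apply to that traffic; with one_pass=0 the shaped packet continues to 01145.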