From owner-freebsd-net  Thu Feb 13  2:24:58 2003
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 9A74437B401
	for <freebsd-net@FreeBSD.ORG>; Thu, 13 Feb 2003 02:24:57 -0800 (PST)
Received: from smtp0.libero.it (smtp0.libero.it [193.70.192.33])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 0148B43F85
	for <freebsd-net@FreeBSD.ORG>; Thu, 13 Feb 2003 02:24:48 -0800 (PST)
	(envelope-from ml.ventu@flashnet.it)
Received: from soth.ventu (151.38.56.129) by smtp0.libero.it (6.7.015)
        id 3E44E953002693C7 for freebsd-net@FreeBSD.ORG; Thu, 13 Feb 2003 11:24:36 +0100
Received: from mailer (xanatar.ventu [10.1.2.6])
	by soth.ventu (8.12.6/8.12.6) with SMTP id h1DAPCwA001464
	for <freebsd-net@FreeBSD.ORG>; Thu, 13 Feb 2003 11:25:12 +0100 (CET)
	(envelope-from ml.ventu@flashnet.it)
Message-Id: <200302131025.h1DAPCwA001464@soth.ventu>
To: freebsd-net@FreeBSD.ORG
X-Mailer: Post Road Mailer for OS/2 (Green Edition Ver 3.0)
Date: Thu, 13 Feb 2003 11:25:12 EST
From: Andrea Venturoli <ml.ventu@flashnet.it>
Reply-To: Andrea Venturoli <ml.ventu@flashnet.it>
Subject: Re: ipfw: count=pass?
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-net.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-net>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-net>
X-Loop: FreeBSD.org

** Reply to note from Andrey Simonenko <simon@comsys.ntu-kpi.kiev.ua> Thu, 13 Feb 2003 11:23:16 +0200 (EET)


> If the counter of some IPFW rule is always 0, then this means that this 
> rule is not reached (you are right here).

So rule 2000 (deny) was not reached.


> After "count" rule the search 
> continues with the next rule (with the same number or with the next number, 
> at least this is true for IPFW1, check it).

This is what I thought, but apparently, either I'm missing something weird or it didn't work like that.



> You should find "allow" rule before "deny" rule which allows some traffic.

I'm really sure there wasn't any. I don't have the system here available now, but I'm sure rules 1001-1255 were counting
traffic (and worked, as seen with ipfw -a l) and next was 2000 which should have denied, but it's counters were 0.

 bye & Thanks
        av.




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message