From owner-freebsd-net Thu Feb 13 2:59:27 2003
Date: Thu, 13 Feb 2003 12:57:41 +0200 (EET)
Message-Id: <200302131057.h1DAvfUE000508@pm514-9.comsys.ntu-kpi.kiev.ua>
From: Andrey Simonenko
To: Andrea Venturoli
Cc: freebsd-net@freebsd.org
Subject: Re: ipfw: count=pass?
In-Reply-To: <200302131025.h1DAPCwA001464@soth.ventu.lucky.freebsd.net>

On Thu, 13 Feb 2003 10:25:17 +0000 (UTC) in lucky.freebsd.net, Andrea Venturoli wrote:
>
>> You should find "allow" rule before "deny" rule which allows some traffic.
>
> I'm really sure there wasn't any. I don't have the system here available now, but I'm sure rules 1001-1255 were counting
> traffic (and worked, as seen with ipfw -a l) and next was 2000 which should have denied, but its counters were 0.
>

Hard to say anything without seeing the configuration file you use. And even if you post your ipfw configuration file, it will also be hard to analyze, because it has many rules. Nevertheless, double-check your configuration, add logging for the firewall and check which rule allows the traffic; logging should help to solve the problem.
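
Added example, not part of the original message and not the poster's ruleset: `count` rules only update counters and evaluation continues, so the rules worth putting `log` on are the terminating rules ahead of the deny rule that have non-zero counters. The script below finds them in constructed `ipfw -a list` output; the function names and the sample ruleset are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample of `ipfw -a list` output (not the poster's ruleset).
# Columns: rule number, packet count, byte count, then the rule body.
sample_counters() {
cat <<'EOF'
00100    12     960 allow ip from any to any via lo0
01001   310   24800 count ip from any to 10.0.0.1
01002    95    7600 count ip from any to 10.0.0.2
01500   405   32400 allow ip from any to 10.0.0.0/24
02000     0       0 deny ip from any to 10.0.0.0/24
65535    57    4104 deny ip from any to any
EOF
}

# candidates_before RULE: read `ipfw -a list` output on stdin and print
# "number action packets" for every terminating rule numbered below RULE
# that has matched packets. "count" never terminates, so it is skipped.
# Assumption: the action is the first word of the rule body.
candidates_before() {
    awk -v target="$1" '
        # Ignore lines that are not "<number> <packets> <bytes> <action> ..."
        $1 !~ /^[0-9]+$/ || $2 !~ /^[0-9]+$/ || NF < 4 { next }
        # Only rules evaluated before the target rule are of interest.
        ($1 + 0) >= (target + 0) { next }
        $4 ~ /^(allow|accept|pass|permit|deny|drop|reject|unreach|reset)$/ &&
        ($2 + 0) > 0 { print $1, $4, $2 }
    '
}

# target_packets RULE: print the packet counter of RULE (nothing if absent).
target_packets() {
    awk -v target="$1" \
        '$1 ~ /^[0-9]+$/ && ($1 + 0) == (target + 0) { print $2; exit }'
}

# Stand-alone run on the constructed sample; on a live host the input
# would come from `ipfw -a list` instead of sample_counters.
echo "packets seen by rule 2000: $(sample_counters | target_packets 2000)"
echo "terminating rules with hits before rule 2000:"
sample_counters | candidates_before 2000
```

In the constructed sample the two `count` rules add up to the 405 packets accepted by rule 01500, which is why rule 02000 never sees them.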