Date: Wed, 4 Aug 1999 12:52:19 +0300 From: Ruslan Ermilov <ru@ucb.crimea.ua> To: Eugeny Kuzakov <kev@lab321.ru> Cc: questions@FreeBSD.ORG Subject: Re: ipfw&rules&count question Message-ID: <19990804125219.A75932@relay.ucb.crimea.ua> In-Reply-To: <Pine.BSF.4.10.9908041308560.25366-100000@lab321.ru>; from Eugeny Kuzakov on Wed, Aug 04, 1999 at 01:12:33PM %2B0700 References: <Pine.BSF.4.10.9908041308560.25366-100000@lab321.ru>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Aug 04, 1999 at 01:12:33PM +0700, Eugeny Kuzakov wrote:
>
> hi*&
>
> There is count rule:
>
> 10000 count ip from any to any in recv ppp0
>
> ipfw -a list:
> 10000 3322918 1221991973 count ip from any to any in recv ppp0
>
> Everything Ok.
>
> But if I insert firewall rule "1 pass ip from any to any", then count rule
> never will count.
> Why?
>
Because ipfw(8) manpage stays:
allow Allow packets that match rule. The search terminates.
^^^^^^^^^^^^^^^^^^^^^
Aliases are pass, permit, and accept.
count Update counters for all packets that match rule.
The search continues with the next rule.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
To make it work the way you want, put ``count'' rule before ``pass'' rule:
00001 count ip from any to any in recv ppp0
10000 pass ip from any to any
Cheers,
--
Ruslan Ermilov Sysadmin and DBA of the
ru@ucb.crimea.ua United Commercial Bank,
ru@FreeBSD.org FreeBSD committer,
+380.652.247.647 Simferopol, Ukraine
http://www.FreeBSD.org The Power To Serve
http://www.oracle.com Enabling The Information Age
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19990804125219.A75932>