From: Andrey Zaytcev
Date: Wed, 1 Oct 2008 17:56:49 +0800
To: freebsd-questions@freebsd.org
Subject: "ipfw count" unexpected results

Please take a look at this "ipfw show" result:

00050 4439 1302601 tee 20001 ip from any to any via tun0
00100 2695  805238 count ip from any to any via tun0 in
00101 1713  489367 count ip from any to any via tun0 out
00103    0       0 deny ip from 127.0.0.0/8 to any
00105    0       0 deny ip from 192.168.1.0/24,192.168.0.0/24 to any via tun0 in
00106    0       0 deny ip from 192.168.1.0/24,192.168.0.0/24 to any via tun2 in
00107    0       0 deny ip from 192.168.1.0/24,192.168.0.0/24 to any via tun1 in
00108 2714  812754 count ip from any to any via tun0 in
00109 1725  489847 count ip from any to any via tun0 out
00116    0       0 allow tcp from any to xx.xx.xx.xx dst-port yy.yy.yy.yy
00117    0       0 fwd xx.xx.xx.xx tcp from yy.yy.yy.yy zz.zz.zz.zz to any
00118    0       0 fwd xx.xx.xx.xx1 tcp from yy.yy.yy.yy1 zz.zz.zz.zz1 to any
00118    0       0 fwd xx.xx.xx.xx2 tcp from yy.yy.yy.yy2 zz.zz.zz.zz2 to any
00119    0       0 fwd xx.xx.xx.xx3 tcp from yy.yy.yy.yy3 to any dst-port zz.zz.zz.zz3
00120    0       0 deny log logamount 65534 tcp from not xx.xx.xx.xx to yy.yy.yy.yy dst-port zz.zz.zz.zz via tun2
00121    0       0 deny log logamount 65534 tcp from not xx.xx.xx.xx to yy.yy.yy.yy1 dst-port zz.zz.zz.zz1 via tun0
00122    0       0 deny log logamount 65534 tcp from not xx.xx.xx.xx to yy.yy.yy.yy1 dst-port zz.zz.zz.zz2 via tun0
00123    0       0 deny log logamount 65534 tcp from not xx.xx.xx.xx to yy.yy.yy.yy2 dst-port zz.zz.zz.zz3 via tun0,tun2,tun1
00124    0       0 deny log logamount 65534 tcp from not xx.xx.xx.xx to yy.yy.yy.yy2 dst-port zz.zz.zz.zz1 via tun1
00125    0       0 deny log logamount 65534 tcp from not xx.xx.xx.xx to yy.yy.yy.yy3 dst-port zz.zz.zz.zz1 via tun1
00130    0       0 allow tcp from xx.xx.xx.xx to yy.yy.yy.yy dst-port zz.zz.zz.zz5 keep-state
00140 2360  777364 count ip from any to any via tun0 in
00141 1416  113119 count ip from any to any via tun0 out

The question is: why are rules 100 and 101 not equal to 108 and 109 and rules 140 and 141? It seems only rules 108 and 109 show correct information, because 108+109 = 50.