Date:      Sat, 15 Nov 2008 23:35:56 +0100
From:      Erik Trulsson <ertr1013@student.uu.se>
To:        "Jin Guojun\[VFF\]" <jguojun@gmail.com>
Cc:        questions@freebsd.org, ipfw@freebsd.org
Subject:   Re: some ipfw filter does not function under Release 6.3
Message-ID:  <20081115223556.GA45503@owl.midgard.homeip.net>
In-Reply-To: <491F413A.4020108@gmail.com>
References:  <491F413A.4020108@gmail.com>

On Sat, Nov 15, 2008 at 01:38:02PM -0800, Jin Guojun[VFF] wrote:
> Below is set of ipfw rules, but it seems that not all rules are 
> functioning properly.
> From rule 361 to first two of rule 567 are not blocking any traffic and 
> not measuring any traffic.
> Is this because tcp rule (330) can overwrite the ip rule? Or is this a 
> known issue in R-6.3?

In general the first matching rule is the one that is applied.
In your case this means that if a packet matches your rule 330 then 
it will be allowed through, and the rules further down the list will
not be considered.


> 
> The second and third rules in rule set 567 seem working well.
> 
> -Jin
> 
> ---------------- ipfw rule sets ---------
> 00330 3108378 2700826874 allow tcp from any to any established
> 00361       0          0 deny ip from 203.83.248.93 to any
> 00361       0          0 deny ip from 72.30.142.215 to any
> 00567       0          0 deny ip from 193.200.241.171 to any
> 00567       0          0 deny ip from 221.192.199.36 to any
> 00567       3        180 deny ip from 118.153.18.186 to any
> 00567       3        180 deny ip from 203.78.214.180 to any
> 00567       0          0 deny ip from 118.219.232.123 to any
> 65500     220      20043 allow udp from any to any
> 65535       2        120 deny ip from any to any
> 
> ------ traffic captured by tcpdump behind ipfw machine -----
> 
> 04:12:20.940095 IP 221.192.199.36.12200 > 192.168.2.14.80: S 
> 200229998:200229998(0) win 8192
> 04:12:21.204430 IP 221.192.199.36.12200 > 192.168.2.14.80: R 
> 200229999:200229999(0) win 0
> 04:31:16.262402 IP 221.192.199.36.12200 > 192.168.2.14.80: S 
> 200233658:200233658(0) win 8192
> 04:31:16.541868 IP 221.192.199.36.12200 > 192.168.2.14.80: R 
> 200233659:200233659(0) win 0
> 05:27:04.031434 IP 221.192.199.36.12200 > 192.168.2.14.80: S 
> 200244634:200244634(0) win 8192
> 05:27:04.303262 IP 221.192.199.36.12200 > 192.168.2.14.80: R 
> 200244635:200244635(0) win 0
> 05:28:18.099443 IP 221.192.199.36.3362 > 192.168.2.14.80: S 
> 2422872529:2422872529(0) win 65535 <mss 1452,nop,nop,sackOK>
> 05:28:18.352083 IP 221.192.199.36.3362 > 192.168.2.14.80: . ack 
> 3968474717 win 65535
> 05:28:18.367745 IP 221.192.199.36.3362 > 192.168.2.14.80: P 0:205(205) 
> ack 1 win 65535
> 05:28:18.621538 IP 221.192.199.36.3362 > 192.168.2.14.80: R 205:205(0) 
> ack 473 win 0
> 


-- 
<Insert your favourite quote here.>
Erik Trulsson
ertr1013@student.uu.se
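Erik's point, that the first matching rule wins, modelled over the rule list quoted in the thread. This is an added illustration, not code from the thread or from ipfw itself; it assumes only that ipfw's `established` keyword matches TCP packets with the ACK or RST bit set (as ipfw(8) documents) and ignores destinations, ports and interfaces, so the rule parser handles just the fields in the quoted list.

```python
# Minimal model of ipfw first-match evaluation (added example, not ipfw code).
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str      # "tcp", "udp", ...
    src: str        # source address as dotted quad
    flags: str = "" # TCP flags as letters, e.g. "S", "A", "SA", "R"

@dataclass
class Rule:
    number: int
    action: str     # "allow" or "deny"
    proto: str      # "tcp", "udp" or "ip" ("ip" matches any protocol)
    src: str        # dotted quad or "any"
    established: bool = False

    def matches(self, pkt):
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src != "any" and self.src != pkt.src:
            return False
        # ipfw's "established": TCP packet with ACK or RST set
        if self.established and not ("A" in pkt.flags or "R" in pkt.flags):
            return False
        return True

def parse(line):
    # e.g. "00330 allow tcp from any to any established" (counters dropped)
    parts = line.split()
    src = parts[parts.index("from") + 1]
    return Rule(int(parts[0]), parts[1], parts[2], src, "established" in parts)

RULES = [parse(l) for l in """
00330 allow tcp from any to any established
00361 deny ip from 203.83.248.93 to any
00361 deny ip from 72.30.142.215 to any
00567 deny ip from 193.200.241.171 to any
00567 deny ip from 221.192.199.36 to any
00567 deny ip from 118.153.18.186 to any
00567 deny ip from 203.78.214.180 to any
00567 deny ip from 118.219.232.123 to any
65500 allow udp from any to any
65535 deny ip from any to any
""".strip().splitlines()]

def first_match(pkt, rules=RULES):
    # Walk the list in order; the first rule that matches decides the packet.
    for r in rules:
        if r.matches(pkt):
            return r.number, r.action
    return None
```

A bare SYN from 221.192.199.36 falls through 330 and is stopped by its 567 entry, while any packet from the same host with ACK or RST set is accepted by 330 before the deny rules are ever consulted, which is why those deny counters stay at zero for established flows.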
