Date:      Sat, 15 Nov 2008 13:38:02 -0800
From:      "Jin Guojun[VFF]" <jguojun@gmail.com>
To:        questions@freebsd.org,  ipfw@freebsd.org
Subject:   some ipfw filter does not function under Release 6.3
Message-ID:  <491F413A.4020108@gmail.com>

Below is a set of ipfw rules, but it seems that not all rules are 
functioning properly.
From rule 361 to the first two of rule 567 are not blocking any traffic and 
not measuring any traffic.
Is this because tcp rule (330) can overwrite the ip rule? Or is this a 
known issue in R-6.3?

The second and third rules in rule set 567 seem to be working well.

-Jin

---------------- ipfw rule sets ---------
00330 3108378 2700826874 allow tcp from any to any established
00361       0          0 deny ip from 203.83.248.93 to any
00361       0          0 deny ip from 72.30.142.215 to any
00567       0          0 deny ip from 193.200.241.171 to any
00567       0          0 deny ip from 221.192.199.36 to any
00567       3        180 deny ip from 118.153.18.186 to any
00567       3        180 deny ip from 203.78.214.180 to any
00567       0          0 deny ip from 118.219.232.123 to any
65500     220      20043 allow udp from any to any
65535       2        120 deny ip from any to any

------ traffic captured by tcpdump behind ipfw machine -----

04:12:20.940095 IP 221.192.199.36.12200 > 192.168.2.14.80: S 200229998:200229998(0) win 8192
04:12:21.204430 IP 221.192.199.36.12200 > 192.168.2.14.80: R 200229999:200229999(0) win 0
04:31:16.262402 IP 221.192.199.36.12200 > 192.168.2.14.80: S 200233658:200233658(0) win 8192
04:31:16.541868 IP 221.192.199.36.12200 > 192.168.2.14.80: R 200233659:200233659(0) win 0
05:27:04.031434 IP 221.192.199.36.12200 > 192.168.2.14.80: S 200244634:200244634(0) win 8192
05:27:04.303262 IP 221.192.199.36.12200 > 192.168.2.14.80: R 200244635:200244635(0) win 0
05:28:18.099443 IP 221.192.199.36.3362 > 192.168.2.14.80: S 2422872529:2422872529(0) win 65535 <mss 1452,nop,nop,sackOK>
05:28:18.352083 IP 221.192.199.36.3362 > 192.168.2.14.80: . ack 3968474717 win 65535
05:28:18.367745 IP 221.192.199.36.3362 > 192.168.2.14.80: P 0:205(205) ack 1 win 65535
05:28:18.621538 IP 221.192.199.36.3362 > 192.168.2.14.80: R 205:205(0) ack 473 win 0
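
Added example, not part of the original message: a simplified Python model of ipfw's first-match evaluation, run over the rule listing and some of the captured segments above. It assumes only what ipfw(8) documents (rules are checked in numeric order, the first match decides, and `established` matches TCP segments with the RST or ACK bit set); the function names are hypothetical, and interfaces, direction and state are not modelled.

```python
import re

# Simplified model of the listing above: (number, action, proto, source, established)
RULES = [
    (330, "allow", "tcp", "any", True),
    (361, "deny", "ip", "203.83.248.93", False),
    (361, "deny", "ip", "72.30.142.215", False),
    (567, "deny", "ip", "193.200.241.171", False),
    (567, "deny", "ip", "221.192.199.36", False),
    (567, "deny", "ip", "118.153.18.186", False),
    (567, "deny", "ip", "203.78.214.180", False),
    (567, "deny", "ip", "118.219.232.123", False),
    (65500, "allow", "udp", "any", False),
    (65535, "deny", "ip", "any", False),
]

# Segments copied from the capture above (one S/R pair and the port 3362 exchange)
CAPTURE = """\
IP 221.192.199.36.12200 > 192.168.2.14.80: S 200229998:200229998(0) win 8192
IP 221.192.199.36.12200 > 192.168.2.14.80: R 200229999:200229999(0) win 0
IP 221.192.199.36.3362 > 192.168.2.14.80: S 2422872529:2422872529(0) win 65535
IP 221.192.199.36.3362 > 192.168.2.14.80: . ack 3968474717 win 65535
IP 221.192.199.36.3362 > 192.168.2.14.80: P 0:205(205) ack 1 win 65535
IP 221.192.199.36.3362 > 192.168.2.14.80: R 205:205(0) ack 473 win 0
"""

def parse(line):
    """Return (source address, set of TCP flag letters) for one tcpdump line."""
    src, flags, rest = re.search(r"IP ([\d.]+)\.\d+ > [\d.]+: (\S+)(.*)", line).groups()
    bits = set(flags) - {"."}          # "." means no S/F/R/P flag is set
    if re.search(r"\back\b", rest):    # old tcpdump prints ACK as a separate word
        bits.add("A")
    return src, bits

def first_match(src, bits, proto="tcp"):
    """Walk RULES in order and return (number, action) of the first matching rule."""
    for num, action, rproto, rsrc, est in RULES:
        if rproto not in ("ip", proto) or rsrc not in ("any", src):
            continue
        if est and not bits & {"A", "R"}:  # established = RST or ACK bit set
            continue
        return num, action

def evaluate(capture=CAPTURE):
    return [first_match(*parse(line)) for line in capture.splitlines()]

if __name__ == "__main__":
    for line, hit in zip(CAPTURE.splitlines(), evaluate()):
        print(hit, line)
```

In this model the ACK and RST segments are taken by rule 330 before any `deny ip` rule is consulted, while the bare SYN segments fall through to rule 567.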



