Date:      Wed, 1 Oct 2008 17:56:49 +0800
From:      Andrey Zaytcev <crazy@anvic-center.nkz.ru>
To:        freebsd-questions@freebsd.org
Subject:   "ipfw count" unexpected results
Message-ID:  <974790532.20081001175649@mail.ru>

Please take a look at this "ipfw show" result:

00050  4439  1302601 tee 20001 ip from any to any via tun0
00100  2695   805238 count ip from any to any via tun0 in
00101  1713   489367 count ip from any to any via tun0 out
00103     0        0 deny ip from 127.0.0.0/8 to any
00105     0        0 deny ip from 192.168.1.0/24,192.168.0.0/24 to any via tun0 in
00106     0        0 deny ip from 192.168.1.0/24,192.168.0.0/24 to any via tun2 in
00107     0        0 deny ip from 192.168.1.0/24,192.168.0.0/24 to any via tun1 in
00108  2714   812754 count ip from any to any via tun0 in
00109  1725   489847 count ip from any to any via tun0 out
00116     0        0 allow tcp from any to xx.xx.xx.xx dst-port yy.yy.yy.yy
00117     0        0 fwd xx.xx.xx.xx tcp from yy.yy.yy.yy zz.zz.zz.zz to any
00118     0        0 fwd xx.xx.xx.xx1 tcp from yy.yy.yy.yy1 zz.zz.zz.zz1 to any
00118     0        0 fwd xx.xx.xx.xx2 tcp from yy.yy.yy.yy2 zz.zz.zz.zz2 to any
00119     0        0 fwd xx.xx.xx.xx3 tcp from yy.yy.yy.yy3 to any dst-port zz.zz.zz.zz3
00120     0        0 deny log logamount 65534 tcp from not xx.xx.xx.xx to yy.yy.yy.yy dst-port zz.zz.zz.zz via tun2
00121     0        0 deny log logamount 65534 tcp from not xx.xx.xx.xx to yy.yy.yy.yy1 dst-port zz.zz.zz.zz1 via tun0
00122     0        0 deny log logamount 65534 tcp from not xx.xx.xx.xx to yy.yy.yy.yy1 dst-port zz.zz.zz.zz2 via tun0
00123     0        0 deny log logamount 65534 tcp from not xx.xx.xx.xx to yy.yy.yy.yy2 dst-port zz.zz.zz.zz3 via tun0,tun2,tun1
00124     0        0 deny log logamount 65534 tcp from not xx.xx.xx.xx to yy.yy.yy.yy2 dst-port zz.zz.zz.zz1 via tun1
00125     0        0 deny log logamount 65534 tcp from not xx.xx.xx.xx to yy.yy.yy.yy3 dst-port zz.zz.zz.zz1 via tun1
00130     0        0 allow tcp from xx.xx.xx.xx to yy.yy.yy.yy dst-port zz.zz.zz.zz5 keep-state
00140  2360   777364 count ip from any to any via tun0 in
00141  1416   113119 count ip from any to any via tun0 out

The question is: why are rules 100 and 101 not equal to 108 and 109 and to rules 140 and 141? It seems only rules 108 and 109 show correct information, because 108+109 = 50.
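As an added example (not part of the original post), a small Python parser for the "ipfw show" listing that pairs each "count ... in" rule with the "out" rule following it and checks which pair's packet total matches the tee rule on the same interface. The sample input is the tee and count lines from the post, reproduced inline; rule numbers and counts are the post's own.

```python
import re

# Sample input: the tee and count lines from the post above, with the
# mail wrapping undone (the other rules have zero counters and are omitted).
IPFW_SHOW = """\
00050  4439  1302601 tee 20001 ip from any to any via tun0
00100  2695   805238 count ip from any to any via tun0 in
00101  1713   489367 count ip from any to any via tun0 out
00108  2714   812754 count ip from any to any via tun0 in
00109  1725   489847 count ip from any to any via tun0 out
00140  2360   777364 count ip from any to any via tun0 in
00141  1416   113119 count ip from any to any via tun0 out
"""

# "ipfw show" prints: rule number, packet count, byte count, action, rule body.
LINE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.*)$")


def parse_ipfw_show(text):
    """Return a list of (rule, packets, bytes, action, body) tuples."""
    rules = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            num, pkts, byts, action, body = m.groups()
            rules.append((int(num), int(pkts), int(byts), action, body))
    return rules


def count_pairs(rules, iface):
    """Pair each 'count ... via <iface> in' rule with the next 'out' rule."""
    pairs, pending = [], None
    for num, pkts, _, action, body in rules:
        if action != "count" or f"via {iface}" not in body:
            continue
        if body.endswith(" in"):
            pending = (num, pkts)
        elif body.endswith(" out") and pending is not None:
            pairs.append((pending[0], num, pending[1] + pkts))
            pending = None
    return pairs


def compare_with_tee(text, iface="tun0"):
    """Return (in_rule, out_rule, in+out packets, matches_tee) per pair."""
    rules = parse_ipfw_show(text)
    tee = [p for _, p, _, act, body in rules if act == "tee" and f"via {iface}" in body]
    ref = tee[0] if tee else None
    return [(a, b, tot, tot == ref) for a, b, tot in count_pairs(rules, iface)]
```

Running compare_with_tee on the listing reports that only the 108/109 pair sums to the tee rule's 4439 packets; the 100/101 and 140/141 pairs sum to 4408 and 3776.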



