Date:      Sat, 15 Nov 2008 15:00:48 -0800
From:      "Jin Guojun[VFF]" <jguojun@gmail.com>
To:        Erik Trulsson <ertr1013@student.uu.se>
Cc:        questions@freebsd.org, ipfw@freebsd.org
Subject:   Re: some ipfw filter does not function under Release 6.3
Message-ID:  <491F54A0.9090702@gmail.com>
In-Reply-To: <20081115223556.GA45503@owl.midgard.homeip.net>
References:  <491F413A.4020108@gmail.com> <20081115223556.GA45503@owl.midgard.homeip.net>


But rule 330 should only allow established TCP to pass through. In
other words, SYN should NOT be allowed by rule 330, or did I miss something
for this rule?

Erik Trulsson wrote:

On Sat, Nov 15, 2008 at 01:38:02PM -0800, Jin Guojun[VFF] wrote:

Below is a set of ipfw rules, but it seems that not all rules are
functioning properly.
From rule 361 to the first two of rule 567, they are not blocking any traffic and
not measuring any traffic.
Is this because the tcp rule (330) can overwrite the ip rule? Or is this a
known issue in R-6.3?


In general the first matching rule is the one that is applied.
In your case this means that if a packet matches your rule 330 then
it will be allowed through, and the rules further down the list will
not be considered.



The second and third rules in rule set 567 seem to be working well.

-Jin

---------------- ipfw rule sets ---------
00330 3108378 2700826874 allow tcp from any to any established
00361       0          0 deny ip from 203.83.248.93 to any
00361       0          0 deny ip from 72.30.142.215 to any
00567       0          0 deny ip from 193.200.241.171 to any
00567       0          0 deny ip from 221.192.199.36 to any
00567       3        180 deny ip from 118.153.18.186 to any
00567       3        180 deny ip from 203.78.214.180 to any
00567       0          0 deny ip from 118.219.232.123 to any
65500     220      20043 allow udp from any to any
65535       2        120 deny ip from any to any

------ traffic captured by tcpdump behind ipfw machine -----

04:12:20.940095 IP 221.192.199.36.12200 > 192.168.2.14.80: S 200229998:200229998(0) win 8192
04:12:21.204430 IP 221.192.199.36.12200 > 192.168.2.14.80: R 200229999:200229999(0) win 0
04:31:16.262402 IP 221.192.199.36.12200 > 192.168.2.14.80: S 200233658:200233658(0) win 8192
04:31:16.541868 IP 221.192.199.36.12200 > 192.168.2.14.80: R 200233659:200233659(0) win 0
05:27:04.031434 IP 221.192.199.36.12200 > 192.168.2.14.80: S 200244634:200244634(0) win 8192
05:27:04.303262 IP 221.192.199.36.12200 > 192.168.2.14.80: R 200244635:200244635(0) win 0
05:28:18.099443 IP 221.192.199.36.3362 > 192.168.2.14.80: S 2422872529:2422872529(0) win 65535 <mss 1452,nop,nop,sackOK>
05:28:18.352083 IP 221.192.199.36.3362 > 192.168.2.14.80: . ack 3968474717 win 65535
05:28:18.367745 IP 221.192.199.36.3362 > 192.168.2.14.80: P 0:205(205) ack 1 win 65535
05:28:18.621538 IP 221.192.199.36.3362 > 192.168.2.14.80: R 205:205(0) ack 473 win 0
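As an added illustration of the first-match behaviour Erik describes (example code written for this archive page, not from the thread or from FreeBSD's ipfw): a small model of the rule set above, evaluated against packets taken from the capture. It assumes ipfw(8)'s documented meaning of `established` (TCP packets with the RST or ACK bit set) and the classic tcpdump flag notation, where `.` means none of S/F/R/P is set and a trailing `ack N` marks the ACK bit. Under that model the bare SYNs fall through to the rule 567 entry for 221.192.199.36, while the RST and ACK packets stop at rule 330.

```python
import re
# Rule set from the thread, counters dropped. ipfw(8) defines "established"
# as matching TCP packets that have the RST or ACK bit set.
RULES = [
    (330,   "allow", "tcp", "any",             "established"),
    (361,   "deny",  "ip",  "203.83.248.93",   None),
    (361,   "deny",  "ip",  "72.30.142.215",   None),
    (567,   "deny",  "ip",  "193.200.241.171", None),
    (567,   "deny",  "ip",  "221.192.199.36",  None),
    (567,   "deny",  "ip",  "118.153.18.186",  None),
    (567,   "deny",  "ip",  "203.78.214.180",  None),
    (567,   "deny",  "ip",  "118.219.232.123", None),
    (65500, "allow", "udp", "any",             None),
    (65535, "deny",  "ip",  "any",             None),
]

# Classic tcpdump TCP line: "<ts> IP <src>.<sport> > <dst>.<dport>: <flags> ..."
LINE_RE = re.compile(r"^\S+ IP (\S+)\.\d+ > (\S+)\.\d+: (\S+)(.*)$")

def parse_tcpdump(line):
    """Return a packet dict; 'flags' is a set of letters, 'A' standing for ACK."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unrecognised tcpdump line: " + line)
    src, dst, flagtok, rest = m.groups()
    flags = set(flagtok) - {"."}      # "." means none of S/F/R/P is set
    if " ack " in rest:               # old tcpdump prints "ack N" when ACK is set
        flags.add("A")
    return {"proto": "tcp", "src": src, "dst": dst, "flags": flags}

def first_match(pkt):
    """Walk the rule set in order; return (rule_number, action) of the first hit."""
    for num, action, proto, src, opt in RULES:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if src != "any" and src != pkt["src"]:
            continue
        if opt == "established" and not (pkt["flags"] & {"A", "R"}):
            continue
        return num, action
    raise RuntimeError("rule 65535 should match everything")

# Four packets from the thread's capture, re-joined onto single lines.
CAPTURE = [
    "04:12:20.940095 IP 221.192.199.36.12200 > 192.168.2.14.80: S 200229998:200229998(0) win 8192",
    "04:12:21.204430 IP 221.192.199.36.12200 > 192.168.2.14.80: R 200229999:200229999(0) win 0",
    "05:28:18.352083 IP 221.192.199.36.3362 > 192.168.2.14.80: . ack 3968474717 win 65535",
    "05:28:18.367745 IP 221.192.199.36.3362 > 192.168.2.14.80: P 0:205(205) ack 1 win 65535",
]
```

Calling `first_match(parse_tcpdump(line))` for each `CAPTURE` entry gives `(567, "deny")` for the SYN and `(330, "allow")` for the RST, ACK and PSH/ACK packets, which is the first-match outcome the rule set should produce for this source address.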
