Date:      Thu, 25 Jul 2002 10:42:56 -0700
From:      Luigi Rizzo <rizzo@icir.org>
To:        "Jo B. Grasmo" <needle+ipfw@verloid.net>
Cc:        ipfw@FreeBSD.ORG
Subject:   Re: IPFW2
Message-ID:  <20020725104256.B806@iguana.icir.org>
In-Reply-To: <20020725125346.A8987@dustpuppy.world-online.no>; from needle+ipfw@verloid.net on Thu, Jul 25, 2002 at 12:53:46PM +0200
References:  <20020725125346.A8987@dustpuppy.world-online.no>

On Thu, Jul 25, 2002 at 12:53:46PM +0200, Jo B. Grasmo wrote:
...
> 01000          0          0                      check-state
> 01010          8        848 Thu Jul 25 12:43:43 2002 deny tcp from any to any established
> 01020       5862     587140 Thu Jul 25 12:43:58 2002 allow tcp from any to any setup keep-state
> 65535      17407    2155622 Thu Jul 25 12:43:07 2002 deny ip from any to any
> 
> IPFW1 used to list connections matching dynamic rules explicitly. Has
> that functionality been removed or just hasn't it been implemented
> yet?

you need to do

	ipfw -d list

(the -d flag has been in for some time now).

> On a side-note, I've never seen "check-state" counters increment.
> Shouldn't they? The rule obviously works, because if I remove it all

they always increment the parent of the dynamic rule.

> connections die.
> 
> IPFW1 also rewrote rules like this:
> ipfw add 2000 allow tcp from any to 10.1.1.1 22 in via xl0 setup keep-state
> into this:
> 02000 allow tcp from any to 10.1.1.1 22 keep-state in recv xl0 setup
> 
> IPFW2 doesn't, which broke my scripts.

because "via" is different from "recv" :) though i agree that
"in via" can never match an output interface because there isn't one.

	cheers
	luigi

> One final question, when can we see IPFW2 as a kernel module? :-)
> 
> 
> Regards,
> 
> Jo B. Grasmo
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-ipfw" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020725104256.B806>