kern/120290: ipfw jump rules

Andrey V. Elsukov bu7cher at
Wed Feb 6 05:50:02 UTC 2008

The following reply was made to PR kern/120290; it has been noted by GNATS.

From: "Andrey V. Elsukov" <bu7cher at>
To: FreeBSD-gnats-submit at
Cc: Nistor Marius <mariusmayl at>
Subject: Re: kern/120290: ipfw jump rules
Date: Wed, 06 Feb 2008 08:45:14 +0300

 Nistor Marius wrote:
 > No, I open ports ... just in case the user needs those ports open, so
 > they don't open a support ticket for that.
 > The problem is ... I have used this way for the last few years on FreeBSD 4.X
 > and 5.X and it was working fine;
 > on FreeBSD 6.X, no.
 > I think ipfwadmin misses the number of rules and jumps the rules.
 Hi, Marius.
 I'm sorry. My English isn't very good. Did you understand correctly
 what these rules do? I'll try to describe them in a bit more detail:
 10164 allow ip from to any uid net
 This rule matches all TCP or UDP packets from to any which
 will be sent or received by processes that run as user "net"
 on your machine. E.g. you can run a web server as user "net" and some
 packets will be matched by this rule (if they are from to any).
 10165 allow ip from any to
 This rule matches all IP packets from any address to
 10166 allow tcp from 10000-65535,21,22,25,80,110,113,443 
 to any
 This rule will match packets with source address and 
 source ports 10000-65535,21,22,25,80,110,113,443 destined to any
 address and port. It will not match packets if they already
 matched rule 10164, because the "allow" action terminates the search.
 10167 deny ip from to any
 This rule will deny packets that didn't match rules 10164 and 10166.
 Did you want the same?
 WBR, Andrey V. Elsukov
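To make the first-match behaviour described in the reply concrete, here is an added example (it is not ipfw source and not part of the PR) that models the four rules as Python objects with a tiny evaluator. The rule numbers, the source-port list and the "net" uid are taken from the message; the addresses are constructed placeholders (HOST, PEER) because the archived text omits them, and the packet samples are constructed too.

```python
"""Toy first-match evaluator for the four ipfw rules discussed in the PR.

Added example, not ipfw code. It models only the matchers those rules
use (protocol, source/destination address, source port, process uid)
to show why rule order decides which action a packet gets.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder addresses: the archived PR text omits the real ones.
HOST = "192.0.2.10"     # stands in for the address in rules 10164/10166/10167
PEER = "198.51.100.5"   # stands in for the destination in rule 10165


@dataclass
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    uid: Optional[str] = None   # user owning the local socket, if any


def port_in_set(port: int, spec: str) -> bool:
    """Parse an ipfw-style port list such as '10000-65535,21,22'."""
    for part in spec.split(","):
        if "-" in part:
            lo, hi = map(int, part.split("-"))
            if lo <= port <= hi:
                return True
        elif port == int(part):
            return True
    return False


@dataclass
class Rule:
    number: int
    action: str
    proto: str                    # "ip" matches every protocol
    src: str                      # address or "any"
    dst: str
    sports: Optional[str] = None  # ipfw-style source port list
    uid: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src != "any" and self.src != p.src:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.sports is not None and not port_in_set(p.sport, self.sports):
            return False
        # ipfw's uid option only applies to TCP/UDP sockets on this host,
        # which is why the reply says rule 10164 matches "TCP or UDP packets".
        if self.uid is not None and (p.proto not in ("tcp", "udp") or p.uid != self.uid):
            return False
        return True


RULESET = [
    Rule(10164, "allow", "ip", HOST, "any", uid="net"),
    Rule(10165, "allow", "ip", "any", PEER),
    Rule(10166, "allow", "tcp", HOST, "any", sports="10000-65535,21,22,25,80,110,113,443"),
    Rule(10167, "deny", "ip", HOST, "any"),
]


def evaluate(packet: Packet, rules=RULESET):
    """Return (rule_number, action) of the first matching rule. The first
    match ends the search, exactly as 'allow' and 'deny' do in ipfw."""
    for r in rules:
        if r.matches(packet):
            return r.number, r.action
    return None, "default"   # nothing matched; ipfw's default rule would decide


if __name__ == "__main__":
    samples = [  # constructed packets
        Packet("tcp", HOST, "203.0.113.9", sport=80, uid="net"),     # web server as "net" -> 10164
        Packet("tcp", HOST, "203.0.113.9", sport=22, uid="root"),    # sshd, source port in list -> 10166
        Packet("udp", HOST, "203.0.113.9", sport=5353, uid="root"),  # neither "net" nor tcp -> 10167 deny
        Packet("tcp", "203.0.113.9", PEER, sport=40000),             # inbound to PEER -> 10165
    ]
    for p in samples:
        print(p, "->", evaluate(p))
```

Running the block prints which rule terminates the search for each sample; the third packet is the interesting one, because it reaches the deny rule only after the two allow rules decline it, which is the order-dependence the reply is pointing at.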
