Is there anything weird I should know about using ipfw on alias addresses?

Brett Davidson brett at net24.co.nz
Mon Dec 1 19:25:19 PST 2008


Relevant ifconfig entry shows the alias addresses correctly bound.

bce1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
      options=3b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU>
      inet 210.5.50.5 netmask 0xffffffe0 broadcast 210.5.50.31
      inet 210.5.51.32 netmask 0xffffffff broadcast 210.5.51.32
      inet 210.5.51.27 netmask 0xffffffff broadcast 210.5.51.27
      inet 210.5.51.33 netmask 0xffffffff broadcast 210.5.51.33
      inet 210.5.51.34 netmask 0xffffffff broadcast 210.5.51.34
      inet 210.5.51.42 netmask 0xffffffff broadcast 210.5.51.42
      inet 210.5.51.4 netmask 0xffffffff broadcast 210.5.51.4
      ether 00:1c:c4:c0:56:94
      media: Ethernet autoselect (1000baseSX <full-duplex>)
      status: active

Relevant /etc/rc.conf entries :
	ifconfig_bce1="inet 210.5.50.5  netmask 255.255.255.224"
	ifconfig_bce1_alias0="inet 210.5.50.5 netmask 255.255.255.224"
	ifconfig_bce1_alias1="inet 210.5.51.4 netmask 255.255.255.255"
	ifconfig_bce1_alias2="inet 210.5.51.27 netmask 255.255.255.255"
	ifconfig_bce1_alias3="inet 210.5.51.32 netmask 255.255.255.255"
	ifconfig_bce1_alias4="inet 210.5.51.33 netmask 255.255.255.255"
	ifconfig_bce1_alias5="inet 210.5.51.34 netmask 255.255.255.255"
	ifconfig_bce1_alias6="inet 210.5.51.42 netmask 255.255.255.255"

Creating an ipfw rule and testing it from the command line works 
(connects out from master address, not alias)
ipfw -q add 02012 allow tcp from any to 208.69.123.164 80 out via bce1 setup keep-state

From the website on an alias address, the firewall blocks the packets.

Interesting entries in /var/log/security :

Dec  1 16:42:25 <servername> kernel: ipfw: 9999 Deny TCP 210.5.50.5:49708 208.69.123.164:80 out via bce1

In a normal world the packet would match!!!!!
 
What's goin' on here Willis?

From what I can see, this MUST have something to do with the way ipfw is working with aliased addresses, but I'm blowed if I know what is wrong.

Cheers,
Brett.
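The one Deny line quoted above is thin evidence on its own: it shows the source was the primary address, not an alias, and it does match every static criterion of rule 02012 (tcp, destination 208.69.123.164 port 80, out via bce1). What the ipfw log line does not record is the TCP flags, and rule 02012 carries `setup`, which only matches SYN-without-ACK packets; anything later in the connection is allowed only by the dynamic rule that `keep-state` created. The following triage script is an added example, not code from the original post or from FreeBSD: it parses the ifconfig(8) output and ipfw log lines quoted in the post (with two extra constructed log lines for an alias source and a non-matching UDP packet), labels each denied packet's source as primary or alias, and reports whether it satisfies the rule's static criteria, so that the only remaining explanations are flags or missing dynamic state. The hostname `host`, the extra log lines and the function names are assumptions for the example.

```python
import ipaddress
import re

# Constructed sample input: a trimmed copy of the ifconfig(8) output from the
# post (primary address first, then aliases), embedded so the script runs offline.
IFCONFIG_OUTPUT = """\
bce1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
      options=3b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU>
      inet 210.5.50.5 netmask 0xffffffe0 broadcast 210.5.50.31
      inet 210.5.51.32 netmask 0xffffffff broadcast 210.5.51.32
      inet 210.5.51.27 netmask 0xffffffff broadcast 210.5.51.27
      ether 00:1c:c4:c0:56:94
"""

# Constructed sample log lines: the first is the one quoted in the post (hostname
# replaced by 'host'); the other two are made up to show an alias source and a
# packet that does not match the allow rule at all.
LOG_LINES = [
    "Dec  1 16:42:25 host kernel: ipfw: 9999 Deny TCP 210.5.50.5:49708 208.69.123.164:80 out via bce1",
    "Dec  1 16:43:01 host kernel: ipfw: 9999 Deny TCP 210.5.51.27:51200 208.69.123.164:80 out via bce1",
    "Dec  1 16:43:05 host kernel: ipfw: 9999 Deny UDP 210.5.51.27:53 8.8.8.8:53 out via bce1",
]

# Static (flag-independent) match criteria of the rule from the post:
#   ipfw add 02012 allow tcp from any to 208.69.123.164 80 out via bce1 setup keep-state
ALLOW_RULE = {"proto": "TCP", "dst": "208.69.123.164", "dport": 80,
              "dir": "out", "iface": "bce1"}

INET_RE = re.compile(r"^\s*inet (\S+) netmask (0x[0-9a-f]+)", re.M)
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)


def parse_ifconfig(text):
    """Return [(address, netmask), ...] in ifconfig order; entry 0 is the primary."""
    return [(ipaddress.IPv4Address(ip), ipaddress.IPv4Address(int(mask, 16)))
            for ip, mask in INET_RE.findall(text)]


def parse_log(line):
    """Parse one 'ipfw: N Action PROTO src:port dst:port dir via ifname' line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    pkt = m.groupdict()
    for key in ("rule", "sport", "dport"):
        pkt[key] = int(pkt[key])
    return pkt


def classify_source(src, addrs):
    """'primary', 'alias' or 'foreign' depending on which local address sent it."""
    src = ipaddress.IPv4Address(src)
    for index, (ip, _mask) in enumerate(addrs):
        if ip == src:
            return "primary" if index == 0 else "alias"
    return "foreign"


def static_match(pkt, rule):
    """True if the logged packet meets every criterion of the rule except TCP flags.
    The ipfw log line carries no flags, so a True result means the deny can only
    be explained by 'setup' not matching (non-SYN packet) or by missing dynamic state."""
    return (pkt["proto"] == rule["proto"] and pkt["dst"] == rule["dst"]
            and pkt["dport"] == rule["dport"] and pkt["dir"] == rule["dir"]
            and pkt["iface"] == rule["iface"])


def triage(log_lines, ifconfig_text, rule):
    """Label each denied packet by source kind and static match against the rule."""
    addrs = parse_ifconfig(ifconfig_text)
    results = []
    for line in log_lines:
        pkt = parse_log(line)
        if pkt is None:
            continue
        results.append({"src": pkt["src"],
                        "source_kind": classify_source(pkt["src"], addrs),
                        "static_match": static_match(pkt, rule)})
    return results


if __name__ == "__main__":
    for result in triage(LOG_LINES, IFCONFIG_OUTPUT, ALLOW_RULE):
        print(result)
```

A denied packet that comes back with `static_match` True is worth comparing against `ipfw -d list`, which prints the dynamic rules alongside the static ones: if no dynamic entry exists for that 5-tuple, the packet was not a SYN (so `setup` did not apply) and no earlier `check-state` or keep-state rule accepted it before it reached the deny rule.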


