some ipfw filter does not function under Release 6.3
Ian Smith
smithi at nimnet.asn.au
Sun Nov 16 19:06:33 PST 2008
On Sun, 16 Nov 2008, Jin Guojun[VFF] wrote:
> Ian Smith wrote:
>
> > On Sat, 15 Nov 2008, Jin Guojun[VFF] wrote:
> >
> > > I think this is a bug in ipfw because after changing the rule order, the
> > > problem persists:
> > > 00566 26 3090 deny ip from 221.192.199.36 to any
> > > 65330 2018 983473 allow tcp from any to any established
> > > 65535 0 0 deny ip from any to any
> >
> > Are you saying that the packets shown below from 221.192.199.36 arrived
> > =after= you added rule 566, which denies all traffic from that address?
> >
> > Are you showing us your entire ruleset; is it just those three rules?
> >
> > Is the tcpdump shown running on the same box as ipfw, or another box?
> > If another box, how is it connected through the firewall, to the net?
> >
> > Which machine performs NAT for your network? None of this is obvious.
> >
> > Please show output of 'ifconfig' and 'netstat -rn' on the ipfw box?
> I have found the problem due to the NIC naming change after motherboard
> upgrading.
> The em0 was the LAN port, but now it is the WAN port. So, the following rule
> caused SYNs to come in:
>
> 00123 12 528 allow tcp from any to 192.168.0.0/16 via em0 setup
Ahah!
> This is my configuration fault, and we can close PR kern/128902.
>
> Thanks,
> -Jin
Glad you found it so soon, Jin; that was one very short-lived PR :)
cheers, Ian
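As an added illustration, not code from this thread or from FreeBSD, the following Python checker looks for the class of mistake Jin describes: an `allow tcp ... setup` rule bound `via` an interface that, after a renaming, is now the WAN side, with a private destination range. Because `via` matches packets on that interface in either direction, such a rule admits inbound SYNs from the Internet. Rule 123 and the three rules Jin listed are taken from the thread; rule 200, the interface-role map, and the address ranges are assumptions constructed for the example.

```python
"""
Flag ipfw 'setup' allow rules bound to an interface that is now the WAN port.

Constructed example, not code from the mailing-list thread or FreeBSD.
Input is an 'ipfw show'-style listing plus a map of interface -> role,
which an operator would normally derive from ifconfig after any hardware
or driver change.
"""
import ipaddress
import re

# Constructed 'ipfw show' listing. Rule 123 and rules 566/65330/65535 are the
# ones quoted in the thread; rule 200 is added to show a correctly bound rule.
SAMPLE_RULES = """\
00123 12 528 allow tcp from any to 192.168.0.0/16 via em0 setup
00200 0 0 allow tcp from any to 192.168.0.0/16 via em1 setup
00566 26 3090 deny ip from 221.192.199.36 to any
65330 2018 983473 allow tcp from any to any established
65535 0 0 deny ip from any to any
"""

# Assumed interface roles after the motherboard swap (em0 became the WAN port).
IFACE_ROLES = {"em0": "wan", "em1": "lan"}

# RFC 1918 ranges: a rule permitting connection *setup* to these via the WAN
# interface is the pattern worth flagging.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches the common 'NUM PKTS BYTES ACTION PROTO from SRC to DST ...' shape.
# allow/accept/pass/permit and deny/drop are ipfw synonyms; other actions
# (divert, fwd, ...) deliberately do not match and are skipped.
RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+\d+\s+\d+\s+"
    r"(?P<action>allow|accept|pass|permit|deny|drop)\s+(?P<proto>\S+)\s+"
    r"from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?P<rest>.*)$"
)


def parse_rule(line):
    """Return a dict describing one 'ipfw show' line, or None if unparsed."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").split()
    via = rest[rest.index("via") + 1] if "via" in rest else None
    action = "allow" if m.group("action") in ("allow", "accept", "pass", "permit") else "deny"
    return {
        "num": int(m.group("num")),
        "action": action,
        "proto": m.group("proto"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "via": via,
        # 'setup' matches TCP packets with SYN set and ACK clear, i.e. new connections.
        "setup": "setup" in rest,
    }


def dst_is_private(dst):
    """True if DST is an address or prefix inside an RFC 1918 range."""
    if dst == "any":
        return False
    try:
        net = ipaddress.ip_network(dst, strict=False)
    except ValueError:
        return False
    return any(net.version == p.version and net.subnet_of(p) for p in PRIVATE_NETS)


def find_wan_setup_rules(listing, roles):
    """Return rule numbers that allow TCP setup to a private range via a WAN interface."""
    findings = []
    for line in listing.splitlines():
        r = parse_rule(line)
        if r is None or r["action"] != "allow" or not r["setup"] or r["via"] is None:
            continue
        if roles.get(r["via"]) == "wan" and dst_is_private(r["dst"]):
            findings.append(r["num"])
    return findings


if __name__ == "__main__":
    for num in find_wan_setup_rules(SAMPLE_RULES, IFACE_ROLES):
        print(f"rule {num}: allows TCP setup to a private range via the WAN interface")
```

Run against the constructed listing it reports only rule 123; rule 200 is bound to the LAN interface and rule 65330 matches `established` rather than `setup`. The same check can be fed the live output of `ipfw show` and a role map built from `ifconfig`, which is a cheap thing to run after any change that can renumber NICs.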