Auto-numbered rules with state or table opcodes are printed out as "number 00000" on addition
Lev Serebryakov
lev at FreeBSD.org
Sun Aug 14 17:44:17 UTC 2016
Hello Lev,
Sunday, August 14, 2016, 8:27:02 PM, you wrote:
When auto-numbering is used, all rules with any keep-state/check-state or
table opcodes are printed out as number 00000 on addition, like this:
add 11000 allow dst-ip MCAST // Allow incoming multicast
add deny not dst-ip SKYNET_IP // Before NAT it should be to this specific me!
add deny src-ip table(intip4) // And it should be not from strange addresses
add deny src-ip table(bans) // And it should not be banned
add allow src-ip HE_IPV4_TUN proto ipv6 // IPv6 tunneling through this interface
add nat SKYNET_NAT // De-NAT
add check-state // Make things faster
add skipto 30000 // Allowed local services - common block
add deny // Safeguard

11000 allow ip from any to any dst-ip 224.0.0.0/4 // Allow incoming multicast
11010 deny ip from any to any not dst-ip 94.19.235.70 // Before NAT it should be to this specific me!
00000 deny ip from any to any src-ip table(intip4) // And it should be not from strange addresses
00000 deny ip from any to any src-ip table(bans) // And it should not be banned
11040 allow ip from any to any src-ip 216.66.80.26 proto ipv6 // IPv6 tunneling through this interface
11050 nat 1 ip from any to any // De-NAT
Line 133: Ambiguous state name '//', 'default' used instead.
: No error: 0
00000 check-state default
11070 skipto 30000 ip from any to any // Allowed local services - common block
11080 deny ip from any to any // Safeguard
They really got proper numbers, but the "ipfw" output looks strange.
--
Best regards,
Lev mailto:lev at FreeBSD.org