some ipfw filter does not function under Release 6.3
Erik Trulsson
ertr1013 at student.uu.se
Sat Nov 15 14:51:09 PST 2008
On Sat, Nov 15, 2008 at 01:38:02PM -0800, Jin Guojun[VFF] wrote:
> Below is set of ipfw rules, but it seems that not all rules are
> functioning properly.
> From rule 361 to the first two of rule 567 are not blocking any traffic and
> not measuring any traffic.
> Is this because the tcp rule (330) can override the ip rules? Or is this a
> known issue in R-6.3?
In general the first matching rule is the one that is applied.
In your case this means that if a packet matches your rule 330 then
it will be allowed through, and the rules further down the list will
not be considered.
>
> The second and third rules in rule set 567 seem working well.
>
> -Jin
>
> ---------------- ipfw rule sets ---------
> 00330 3108378 2700826874 allow tcp from any to any established
> 00361 0 0 deny ip from 203.83.248.93 to any
> 00361 0 0 deny ip from 72.30.142.215 to any
> 00567 0 0 deny ip from 193.200.241.171 to any
> 00567 0 0 deny ip from 221.192.199.36 to any
> 00567 3 180 deny ip from 118.153.18.186 to any
> 00567 3 180 deny ip from 203.78.214.180 to any
> 00567 0 0 deny ip from 118.219.232.123 to any
> 65500 220 20043 allow udp from any to any
> 65535 2 120 deny ip from any to any
>
> ------ traffic captured by tcpdump behind ipfw machine -----
>
> 04:12:20.940095 IP 221.192.199.36.12200 > 192.168.2.14.80: S
> 200229998:200229998(0) win 8192
> 04:12:21.204430 IP 221.192.199.36.12200 > 192.168.2.14.80: R
> 200229999:200229999(0) win 0
> 04:31:16.262402 IP 221.192.199.36.12200 > 192.168.2.14.80: S
> 200233658:200233658(0) win 8192
> 04:31:16.541868 IP 221.192.199.36.12200 > 192.168.2.14.80: R
> 200233659:200233659(0) win 0
> 05:27:04.031434 IP 221.192.199.36.12200 > 192.168.2.14.80: S
> 200244634:200244634(0) win 8192
> 05:27:04.303262 IP 221.192.199.36.12200 > 192.168.2.14.80: R
> 200244635:200244635(0) win 0
> 05:28:18.099443 IP 221.192.199.36.3362 > 192.168.2.14.80: S
> 2422872529:2422872529(0) win 65535 <mss 1452,nop,nop,sackOK>
> 05:28:18.352083 IP 221.192.199.36.3362 > 192.168.2.14.80: . ack
> 3968474717 win 65535
> 05:28:18.367745 IP 221.192.199.36.3362 > 192.168.2.14.80: P 0:205(205)
> ack 1 win 65535
> 05:28:18.621538 IP 221.192.199.36.3362 > 192.168.2.14.80: R 205:205(0)
> ack 473 win 0
>
--
<Insert your favourite quote here.>
Erik Trulsson
ertr1013 at student.uu.se
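As an added illustration of the first-match point (this is not code from the thread or from FreeBSD; it is a simplified model, not the real ipfw code): the script below evaluates the posted rule set in ascending rule-number order, stopping at the first match, and models `established` as "TCP packet with ACK or RST set", which is how ipfw(8) defines that keyword (it is purely flag-based, not connection-tracked; stateful matching needs check-state/keep-state). Only the rule forms used in the post are supported and address matching is exact. Run against packets modelled on the tcpdump lines, it shows the ACK and RST segments from 221.192.199.36 being accepted by rule 330 before rule 567 is ever consulted, while a bare SYN (no ACK/RST) falls through to the deny; renumbering the host-specific deny rules below 330 makes every packet from that host hit the deny first.

```python
# Added example: a minimal first-match evaluator modelling ipfw rule
# processing. It is not ipfw code; the semantics are simplified:
#   - rules are tried in ascending number order, first match wins
#   - "established" matches TCP packets with ACK or RST set (ipfw(8))
#   - only the rule forms used in the posted set are parsed
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp", ...
    src: str
    dst: str
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"} or {"ACK"}


@dataclass(frozen=True)
class Rule:
    num: int
    action: str           # "allow" or "deny"
    proto: str            # "ip" (any protocol), "tcp", "udp"
    src: str              # IPv4 address or "any"
    dst: str
    established: bool = False


def parse_rule(line):
    """Parse one `ipfw list` style line, e.g.
    '00330 allow tcp from any to any established' (counters stripped)."""
    toks = line.split()
    num, action, proto = int(toks[0]), toks[1], toks[2]
    if toks[3] != "from" or toks[5] != "to":
        raise ValueError("unsupported rule syntax: %s" % line)
    return Rule(num, action, proto, toks[4], toks[6],
                established="established" in toks[7:])


def matches(rule, pkt):
    """Does this rule match the packet under the simplified model?"""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.src != "any" and rule.src != pkt.src:
        return False
    if rule.dst != "any" and rule.dst != pkt.dst:
        return False
    # ipfw(8): established = TCP packets that have the RST or ACK bits set
    if rule.established and not (pkt.flags & {"ACK", "RST"}):
        return False
    return True


def evaluate(rules, pkt):
    """Return (rule number, action) of the first rule that matches."""
    for rule in sorted(rules, key=lambda r: r.num):
        if matches(rule, pkt):
            return rule.num, rule.action
    raise RuntimeError("no rule matched; a real ipfw set ends with 65535")


def hoist_denies(rules, base=300):
    """Return a copy of the rule set with every host-specific deny rule
    renumbered from `base` upward, i.e. ahead of rule 330. This is the
    ordering fix (in real ipfw: `ipfw add 300 deny ip from <host> to any`)."""
    out, n = [], base
    for r in sorted(rules, key=lambda r: r.num):
        if r.action == "deny" and r.src != "any":
            out.append(replace(r, num=n))
            n += 1
        else:
            out.append(r)
    return out


# The posted rule set, reduced to the rules needed here (counters removed).
RULESET = [parse_rule(l) for l in """
00330 allow tcp from any to any established
00567 deny ip from 221.192.199.36 to any
65500 allow udp from any to any
65535 deny ip from any to any
""".strip().splitlines()]

# Constructed packets modelled on the tcpdump lines quoted in the post.
SYN = Packet("tcp", "221.192.199.36", "192.168.2.14", frozenset({"SYN"}))
ACK = Packet("tcp", "221.192.199.36", "192.168.2.14", frozenset({"ACK"}))
RST = Packet("tcp", "221.192.199.36", "192.168.2.14", frozenset({"RST"}))

if __name__ == "__main__":
    for name, pkt in ("SYN", SYN), ("ACK", ACK), ("RST", RST):
        print(name, "original:", evaluate(RULESET, pkt),
              "denies hoisted:", evaluate(hoist_denies(RULESET), pkt))
```

The point to take from the run: `allow ... established` is a flag check, so any segment with ACK or RST set from a blacklisted host is accepted at 330 and the later deny never increments its counter; the deny rules have to be numbered below the `established` rule to take effect.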