IPFW: Blocking me out. How to debug?

W. D. WD at US-Webmasters.com
Sun Dec 16 22:51:44 PST 2007


How do I tell which rule is blocking me out?  SSH *is* working,
but others are not.

        ###############################################################
        # ipfw.rules
        # ipfw firewall ruleset
        # Location: /etc/ipfw.rules
        #  2007 Dec 16 21:41
        
        # By default, everything is denied access.  You
        # need to specifically allow something for it
        # to work.
        
        # Loopback:
        # Allow anything on the local loopback:
        add allow all from any to any via lo0
        add deny ip from any to 127.0.0.0/8
        add deny ip from 127.0.0.0/8 to any
        
        # Allow established connections:
        add allow tcp from any to any established
        
        # Deny fragmented packets:
        add deny ip from any to any frag
        
        # Show pings:
        add count icmp from any to any icmptypes 8 in
        
        # Allow pings, ping replies, and host unreach:
        add allow icmp from any to any icmptypes 0,8,3
        
        # Allow UDP traceroutes:
        add allow udp from any to any 33434-34458 in
        add allow udp from any 33434-34458 to any out
        
        # Allow DNS with name server
        add allow udp from any to any domain out
        add allow udp from any domain to any in
        
        # SSH
        #  Note that /etc/hosts.allow has restrictions
        #  on which IP addresses are allowed.
        #
        # Allow SSH:
        add allow tcp from any to any ssh in setup
        
        # HTTP & HTTPS:
        add allow tcp from any to any https in setup
        add allow tcp from any to any http in setup
        
        # Mail: SMTP & IMAP:
        add allow tcp from any to any smtp in setup
        add allow tcp from any to any imap in setup
        
        # FTP:
        add allow tcp from any to any ftp in setup
        add allow tcp from any to any ftp-data in setup
        add allow tcp from any ftp-data to any setup out
        
        # Allow NTP in and out
        add allow udp from any ntp to 128.252.19.1 ntp out
        add allow udp from 128.252.19.1 ntp to any ntp in
        
        # Deny and log everything else:
        add deny log all from any to any
        ###############################################################

I tested the syntax using:

  ipfw -n /etc/ipfw.rules

I've got logging working:

  /etc/rc.conf:

    Make certain you have an entry similar to:

        # Log exceptions:
        firewall_logging="YES"

  /etc/syslog.conf:

    # Log ipfw events to their own log file:
    !ipfw
    *.*                                             /var/log/ipfw/ipfw.log


In the kernel config file, is a limit of 10 too small?

  options  IPFIREWALL              #      Required for IPFW
  options  IPFIREWALL_VERBOSE      #      Optional - logging
  options  IPFIREWALL_VERBOSE_LIMIT=10  #      Optional - don't get too many log entries
  options  IPDIVERT                #      Needed for natd


Any help on this would be greatly appreciated.

Start Here to Find It Fast!™ -> http://www.US-Webmasters.com/best-start-page/
$8.77 Domain Names -> http://domains.us-webmasters.com/
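An added example, not part of the original post, showing the checks a practitioner would run for this question. Two details of the ruleset above matter for debugging: the catch-all `deny log` rule is the only deny that logs (the `frag` deny near the top drops silently), and `IPFIREWALL_VERBOSE_LIMIT=10` (sysctl `net.inet.ip.fw.verbose_limit`) stops logging for a rule after 10 matching packets until `ipfw resetlog` is run, so an empty log does not mean nothing is being dropped. `ipfw -a list` prints per-rule packet and byte counters and is unaffected by the log limit (`ipfw zero` resets the counters). The script below summarizes both data sources; the log lines and `ipfw -a list` output are constructed samples, and the interface name, addresses and rule numbers in them are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): find which ipfw rule is dropping
# traffic, from (a) syslog'd ipfw log lines and (b) "ipfw -a list" output.
# Sample inputs are constructed; host, interface and rule numbers are assumed.
LC_ALL=C; export LC_ALL

# Constructed sample of /var/log/ipfw/ipfw.log lines (syslog prefix included).
IPFW_LOG_SAMPLE='Dec 16 22:40:01 host kernel: ipfw: 2100 Deny TCP 192.0.2.10:51234 198.51.100.5:80 in via fxp0
Dec 16 22:40:02 host kernel: ipfw: 2100 Deny TCP 192.0.2.10:51235 198.51.100.5:80 in via fxp0
Dec 16 22:40:05 host kernel: ipfw: 2100 Deny UDP 198.51.100.5:123 192.0.2.53:123 out via fxp0
Dec 16 22:40:09 host kernel: ipfw: 2100 Deny TCP 192.0.2.10:51236 198.51.100.5:443 in via fxp0
Dec 16 22:40:11 host kernel: ipfw: 2100 Deny TCP 192.0.2.10:51237 198.51.100.5:80 in via fxp0
Dec 16 22:40:11 host kernel: ipfw: 2100 Deny ICMP:11.0 192.0.2.1 198.51.100.5 in via fxp0'

# Constructed sample of "ipfw -a list": rule number, packets, bytes, rule body.
IPFW_LIST_SAMPLE='00100     812   61234 allow ip from any to any via lo0
00200       0       0 deny ip from any to 127.0.0.0/8
00300       0       0 deny ip from 127.0.0.0/8 to any
00400    9431 8102331 allow tcp from any to any established
00500      17    1360 deny ip from any to any frag
01000      24    1536 allow tcp from any to any dst-port 22 in setup
02100     391   23460 deny log ip from any to any
65535       0       0 deny ip from any to any'

# Read ipfw log lines on stdin; print "rule proto dst-port direction count",
# most frequent first, so the blocked service stands out immediately.
ipfw_deny_summary() {
    awk '
    {
        # Locate the "ipfw:" token so the syslog prefix length does not matter.
        r = 0
        for (i = 1; i <= NF; i++) if ($i == "ipfw:") { r = i + 1; break }
        if (r == 0 || $(r + 1) != "Deny") next
        rule = $r; proto = $(r + 2); dst = $(r + 4); dir = $(r + 5)
        # TCP/UDP log addr:port; ICMP logs a bare IPv4 address (no port).
        n = split(dst, p, ":")
        port = (n == 2) ? p[2] : "-"
        key = rule " " proto " " port " " dir
        count[key]++
    }
    END { for (k in count) print k, count[k] }
    ' | sort -k5,5nr -k2,2 -k3,3n
}

# Read "ipfw -a list" output on stdin; print only deny rules whose packet
# counter is non-zero. This works even after the log limit has been reached.
ipfw_deny_hits() {
    awk '$4 == "deny" && $2 + 0 > 0 { print $1, $2, substr($0, index($0, " deny ") + 1) }'
}

echo "Denied packets by rule/proto/dst-port/direction (from log):"
printf '%s\n' "$IPFW_LOG_SAMPLE" | ipfw_deny_summary
echo "Deny rules with non-zero packet counters (from ipfw -a list):"
printf '%s\n' "$IPFW_LIST_SAMPLE" | ipfw_deny_hits
```

On a live host the two functions are fed with `tail -f /var/log/ipfw/ipfw.log | ipfw_deny_summary` style pipelines and `ipfw -a list | ipfw_deny_hits`; if the log stays quiet while the `ipfw -a list` counter on the catch-all rule keeps climbing, the verbose limit has been hit and `ipfw resetlog` (or `sysctl net.inet.ip.fw.verbose_limit=0`) restores logging.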



More information about the freebsd-security mailing list