some ipfw filter does not function under Release 6.3

Jin Guojun[VFF] jguojun at
Sun Nov 16 17:45:42 PST 2008

Ian Smith wrote:

>On Sat, 15 Nov 2008, Jin Guojun[VFF] wrote:
> >    I think this is a bug in ipfw because after change the rule order, the
> >    problem persists:
> >    00566    26     3090 deny ip from to any
> >    65330  2018   983473 allow tcp from any to any established
> >    65535     0        0 deny ip from any to any
>Are you saying that the packets shown below from arrived 
>=after= you added rule 566, which denys all traffic from that address?
>Are you showing us your entire ruleset; it is just those three rules?
>Is the tcpdump shown running on the same box as ipfw, or another box?  
>If another box, how is it connected through the firewall, to the net?
>Which machine performs NAT for your network?  None of this is obvious.
>Please show output of 'ifconfig' and 'netstat -rn' on the ipfw box?
I have found the problem due to the NIC naming change after motherboard 
The em0 was LAN port, but now it is WAN port. So, the following rule 
caused Sync coming in:

00123     12      528 allow tcp from any to via em0 setup

This is my configuration fault, and we can close PR kern/128902.


More information about the freebsd-bugs mailing list