Problems with pipes...
Vadim Goncharov
vadimnuclight at tpu.ru
Mon Sep 3 11:24:43 PDT 2007
03.09.07 @ 11:31 Russell Fulton wrote:
> here is a ipfw -d show during a file transfer
>
> [root at wgate-1 /root]# ipfw -d show
> 00010 0 0 check-state
> 00011 0 0 allow tcp from 130.216.89.0/24,130.216.90.0/23 to
> 130.216.11.210 dst-port 25,587,465 xmit fxp1 setup keep-state
> 00015 0 0 deny log udp from any to any dst-port
> 7,67,68,69,111,134-140,199,445,512,513,520,1993,2049,1900,5000 via fxp1
> 00016 0 0 deny log tcp from any to any dst-port
> 7,11,15,25,67,68,87,111,134-140,144,199,445,511-514,1025,1993,1900,2049,2766,5000,5999-6020
> via fxp1
> 00020 115 6440 allow ip from 130.216.89.6/31 to 224.0.0.18 via
> vlan89
> 00021 114 6384 allow ip from 130.216.90.6/31 to 224.0.0.18 via
> vlan90
> 00022 114 6384 allow ip from 130.216.94.6/31 to 224.0.0.18 via
> vlan94
> 00023 115 6440 allow ip from 130.216.95.6/31 to 224.0.0.18 via
> vlan95
> 00024 0 0 allow ip from 130.216.1.11 to 224.0.0.18 via fxp1
> 00024 115 6440 allow ip from 130.216.1.12 to 224.0.0.18 via fxp1
> 00030 0 0 allow ip from 130.216.4.173 to 224.0.0.18 via fxp1
> 00031 0 0 allow ip from 130.216.4.174 to 224.0.0.18 via fxp1
> 00040 358 36699 allow tcp from 130.216.4.0/23,130.216.76.0/23 to any
> in recv fxp1 setup keep-state
> 01102 0 0 allow ip from any to any via lo0 setup keep-state
> 01139 1 48 allow ip from 130.216.155.0/24 to any in recv vlan155
> 01145 11271 9865040 allow tcp from
> 130.216.89.0/24,130.216.90.0/23,130.216.94.0/24,130.216.95.0/24,130.216.155.0/24
> to any out via fxp1 setup keep-state
> 01147 0 0 allow ip from
> 130.216.89.0/24,130.216.90.0/23,130.216.94.0/24,130.216.95.0/24,130.216.155.0/24
> to any out xmit fxp1 keep-state
> 02420 0 0 pipe 15 ip from 130.216.155.0/24 to any
> 06000 201 25058 deny log ip from any to any
> 65535 160 74420 deny ip from any to any
> ## Dynamic rules (2):
> 01145 11270 9864992 (300s) STATE tcp 130.216.155.13 1525 <-> 161.53.24.9
> 80
> 00040 357 36635 (300s) STATE tcp 130.216.4.12 60906 <-> 130.216.1.11
> 22
>
> Note that nothing is going through pipe 15 even thought it would appear
> to match dynamic rule 01145.
>
> What have I screwed up?
You forgot that the *first* matching rule is applied to a packet, and then
the packet doesn't go on to the next rules (except for the "count" action and some other
cases). So your packets are matched by 01145 and are allowed to go through
your machine, without reaching rule 02420, which is next in the list.
--
WBR, Vadim Goncharov
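As an added illustration of the first-match behaviour described in the reply (this is not code from the thread or from ipfw itself), here is a small Python model of the rule walk using constructed rules built from the numbers and networks in the posted ruleset. Dynamic state, interfaces and directions are left out, and "pipe" is modelled as terminal, which is the default behaviour with net.inet.ip.fw.one_pass=1.

```python
import ipaddress
from typing import List, Optional, Tuple

class Rule:
    def __init__(self, number: int, action: str, src: List[str], arg: Optional[int] = None):
        self.number = number      # ipfw rule number; lower numbers are walked first
        self.action = action      # "allow", "deny", "pipe" or "count"
        self.src = src            # source networks (CIDR); empty list means "any"
        self.arg = arg            # pipe number for a "pipe" rule

def rule_matches(rule: Rule, src_ip: str) -> bool:
    """True if the packet's source address falls in one of the rule's networks."""
    if not rule.src:
        return True
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(net) for net in rule.src)

def walk(rules: List[Rule], src_ip: str) -> Tuple[str, List[int]]:
    """First-match walk: the first matching terminal rule decides the packet.
    "count" is non-terminal; "pipe" is treated as terminal (one_pass=1 default)."""
    hits = []
    for rule in sorted(rules, key=lambda r: r.number):
        if not rule_matches(rule, src_ip):
            continue
        hits.append(rule.number)
        if rule.action == "count":
            continue
        verdict = rule.action if rule.action != "pipe" else "pipe %d" % rule.arg
        return verdict, hits
    return "deny", hits  # implicit default rule 65535

INSIDE = ["130.216.89.0/24", "130.216.90.0/23", "130.216.94.0/24",
          "130.216.95.0/24", "130.216.155.0/24"]

# Constructed from the posted ruleset: the allow rule precedes the pipe rule.
AS_POSTED = [
    Rule(1145, "allow", INSIDE),
    Rule(2420, "pipe", ["130.216.155.0/24"], arg=15),
    Rule(6000, "deny", []),
]

# Same rules with the pipe moved ahead of the allow (hypothetical number 01140),
# so traffic from 130.216.155.0/24 reaches the pipe before anything terminal.
PIPE_FIRST = [
    Rule(1140, "pipe", ["130.216.155.0/24"], arg=15),
    Rule(1145, "allow", INSIDE),
    Rule(6000, "deny", []),
]

if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("pipe first", PIPE_FIRST)):
        print(name, walk(rules, "130.216.155.13"))
```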