ipfw final rule

DoubleF doublef at tele-kom.ru
Mon Jun 2 10:11:42 PDT 2003

Gary Aitken wrote:
> I was considering turning on bridging, which requires the final ipfw
> rule to be allow, not deny.
> So I added a deny rule at 65534, but temporarily left the default deny
> rule in place in the kernel.
> Interestingly, my log shows the following:
>> 65534   582   58547 deny ip from any to any
>> 65535     3     234 deny ip from any to any
> This looks like an impossible situation, since the last 3 should have
> been caught by the previous rule.
> I presume those last three denied packets are really not ip packets at
> all, but some other packet like arp?

My guess is just that those 3 packets were caught just before the final
65534th deny rule was added. The fact that you indeed have some denied
packets (582) in 'normal' state makes that quite probable. Try zeroing
the stats out and leave it for a while. There should be 0 in 65535 rule


More information about the freebsd-questions mailing list