ipfw final rule

DoubleF doublef at tele-kom.ru
Mon Jun 2 10:11:42 PDT 2003


Gary Aitken wrote:
> I was considering turning on bridging, which requires the final ipfw
> rule to be allow, not deny.
> So I added a deny rule at 65534, but temporarily left the default deny
> rule in place in the kernel.
> Interestingly, my log shows the following:
>> 65534   582   58547 deny ip from any to any
>> 65535     3     234 deny ip from any to any
> This looks like an impossible situation, since the last 3 should have
> been caught by the previous rule.
> I presume those last three denied packets are really not ip packets at
> all, but some other packet like arp?

My guess is just that those 3 packets were caught just before the final
65534th deny rule was added. The fact that you indeed have some denied
packets (582) in 'normal' state makes that quite probable. Try zeroing
the stats out and leaving it for a while. There should be 0 in the 65535 rule
then.

HTH,
				DoubleF
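The check DoubleF suggests (zero the counters, wait, look at rule 65535 again) as a small added shell example; this is not code from the thread. It parses counter lines in the `ipfw -a list` format quoted above and reports whether the kernel's default rule still sees traffic once the explicit 65534 deny is in place. The sample counter text is constructed; the `ipfw zero` / `ipfw -a list` invocations in the comment are the real FreeBSD commands.

```shell
# Constructed sample in the format quoted in the thread: rule, pkts, bytes, action.
# "Before" mirrors the counts Gary posted; "after" is what a clean run should show.
SAMPLE_BEFORE_ZERO='65534   582   58547 deny ip from any to any
65535     3     234 deny ip from any to any'

SAMPLE_AFTER_ZERO='65534    41    4112 deny ip from any to any
65535     0       0 deny ip from any to any'

# Print the packet counter of the given rule number from counter text on stdin.
rule_pkts() {
    awk -v rule="$1" '$1 == rule { print $2; exit }'
}

# Succeed (exit 0) when the default rule 65535 shows zero hits, i.e. the explicit
# final rule is catching everything; fail (exit 1) when 65535 still counts packets.
default_rule_idle() {
    pkts=$(printf '%s\n' "$1" | rule_pkts 65535)
    [ "${pkts:-0}" -eq 0 ]
}

# Live use on a FreeBSD host (requires ipfw): reset counters, wait, re-check.
#   ipfw zero && sleep 600 && default_rule_idle "$(ipfw -a list)" \
#       && echo "rule 65535 idle" || echo "rule 65535 still matching packets"
```

If 65535 keeps counting after the zeroing, the hits are not leftovers from before 65534 was added and deserve a closer look at what those packets are.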



More information about the freebsd-questions mailing list