IPFW-2 help please

Incoming Mail List mailist at whoweb.com
Mon Jun 28 12:11:41 PDT 2004


Can anyone fluent with IPFW-2 help me by explaining what's happening
with the following rules?  I'm not getting the results I expect and
can't make any logical conclusions regarding them.



SERVER CONFIGURATION
--------------------
FBSD v5.2.1 with IPFW-2
Four-port NIC, but for simplicity's sake I am only showing two ports
in this example of the rules.

FBSD box router/gateway contains:
        dc1 is 192.168.1.1
        dc2 is 192.168.2.1

One machine (192.168.1.10) is attached to the 1.0 network.
One machine (192.168.2.254) is attached to the 2.0 network.
With an open firewall, anything hanging off the 1.0 network can talk
to the 2.0 network and vice-versa.  So routing is fine.



RULESET
-------
01600 skipto 4000 ip from any to any via dc1
01800 skipto 8000 ip from any to any via dc2

04000 check-state
04200 allow ip from any to any in via dc1 keep-state
04400 deny ip from any to any

08000 deny ip from any to 192.168.2.254 dst-port 23
08100 check-state
08200 allow ip from any to any in via dc2 keep-state
65000 deny ip from any to any



MY CONFUSION
------------
1. I want machines on dc1 to be able to go anywhere, but I want
   to block telnet into 192.168.2.254.

2. Rule 8000 is not blocking access to 192.168.2.254 dst-port 23
   as I thought it would.  I can telnet to 2.254 without any
   problem.  The dynamic rule 4200 is set up with bidirectional
   communication between 1.10 and 2.254, but Rule 8000 has no impact
   on packets traveling through dc2 with a target of 2.254.

3. If I move Rule 8000 before Rule 1600, packets are blocked
   from 192.168.2.254 dst-port 23 as I expect them to be.



MY QUESTION
-----------
Why are packets blocked if the deny rule is placed prior to
Rule 1600 but not within the block of rules defined for traffic
in and out of dc2?  Is this because static rules referencing the
interface do not match packets that were initially introduced
using a dynamic rule?



Thanks,
Jon
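The following is an added example, not part of Jon's post or of FreeBSD's ipfw code. It is a deliberately simplified model of how a skipto-partitioned ruleset is walked: `via` is checked against the interface of the current pass (receive interface on input, output interface on output), a `keep-state` rule records a bidirectional flow entry, and `check-state` or `keep-state` rules consult that entry before anything else. The rule numbers and addresses are the ones from the post; rule number 1500 for the "moved" deny and the source port 40000 are assumed. Under this model the telnet SYN is allowed at 4200 on its dc1 input pass and then denied at 8000 on its dc2 output pass, which is what Jon expected rather than what he observed, so the model does not reproduce the pass-through; what it does show is that a rule sitting after a skipto is only reached on the pass whose interface selected that block, while a rule placed ahead of 1600 is examined on the very first pass of every packet, and that the reply packet from 2.254 is passed by 8100 check-state via the entry that 4200 created.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "in" or "out" for this pass through the firewall
    iface: str       # interface of this pass (rcvif on input, oif on output)


@dataclass
class Rule:
    num: int
    action: str                      # allow | deny | skipto | check-state
    target: Optional[int] = None     # skipto target rule number
    via: Optional[str] = None
    inbound: bool = False            # the "in" keyword
    dst: Optional[str] = None
    dst_port: Optional[int] = None
    keep_state: bool = False

    def matches(self, p: Packet) -> bool:
        if self.via and p.iface != self.via:
            return False
        if self.inbound and p.direction != "in":
            return False
        if self.dst and p.dst != self.dst:
            return False
        if self.dst_port is not None and p.dport != self.dst_port:
            return False
        return True


class ModelFirewall:
    """Simplified ipfw-style rule walk; not the real kernel code."""

    def __init__(self, rules: List[Rule]):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.dynamic = {}   # bidirectional flow key -> parent rule number

    @staticmethod
    def flow_key(p: Packet):
        # Unordered pair, so the reply direction hits the same entry.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def evaluate(self, p: Packet) -> Tuple[str, Optional[int], List[int]]:
        path, i = [], 0
        while i < len(self.rules):
            r = self.rules[i]
            path.append(r.num)
            # check-state and keep-state rules consult the dynamic table first
            if r.action == "check-state" or r.keep_state:
                parent = self.dynamic.get(self.flow_key(p))
                if parent is not None:
                    return "allow", parent, path
            if r.action == "check-state" or not r.matches(p):
                i += 1
                continue
            if r.action == "skipto":
                i = next((j for j, x in enumerate(self.rules) if x.num >= r.target),
                         len(self.rules))
                continue
            if r.keep_state:
                self.dynamic[self.flow_key(p)] = r.num
            return r.action, r.num, path
        return "deny", None, path   # assumed implicit default deny


# Ruleset transcribed from the post.
POSTED = [
    Rule(1600, "skipto", target=4000, via="dc1"),
    Rule(1800, "skipto", target=8000, via="dc2"),
    Rule(4000, "check-state"),
    Rule(4200, "allow", inbound=True, via="dc1", keep_state=True),
    Rule(4400, "deny"),
    Rule(8000, "deny", dst="192.168.2.254", dst_port=23),
    Rule(8100, "check-state"),
    Rule(8200, "allow", inbound=True, via="dc2", keep_state=True),
    Rule(65000, "deny"),
]
# Variant from point 3 of the post: the deny moved ahead of 1600 (number 1500 assumed).
MOVED = [Rule(1500, "deny", dst="192.168.2.254", dst_port=23)] + POSTED[:5] + POSTED[6:]

SYN_IN = Packet("192.168.1.10", 40000, "192.168.2.254", 23, "in", "dc1")
SYN_OUT = Packet("192.168.1.10", 40000, "192.168.2.254", 23, "out", "dc2")
REPLY_IN = Packet("192.168.2.254", 23, "192.168.1.10", 40000, "in", "dc2")


def telnet_through_router(rules: List[Rule]) -> List[Tuple[str, str, Optional[int]]]:
    """Walk the telnet SYN through both passes; stop if the first pass denies it."""
    fw = ModelFirewall(rules)
    verdict, rule, _ = fw.evaluate(SYN_IN)
    passes = [("in dc1", verdict, rule)]
    if verdict == "allow":
        verdict, rule, _ = fw.evaluate(SYN_OUT)
        passes.append(("out dc2", verdict, rule))
    return passes


def reply_verdict(rules: List[Rule]) -> Tuple[str, Optional[int]]:
    """Return packet after 4200 has created state: which rule passes it?"""
    fw = ModelFirewall(rules)
    fw.evaluate(SYN_IN)
    verdict, rule, _ = fw.evaluate(REPLY_IN)
    return verdict, rule


if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("moved", MOVED)):
        print(name, telnet_through_router(rules))
    print("reply via dc2:", reply_verdict(POSTED))
```

Each pass returns the verdict together with the rule that produced it, so the per-interface partition created by the two skipto rules is visible directly: 8000 is never examined on a dc1 pass, and 1500 is examined on every pass regardless of interface.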

