On Sun, Jul 07, 2002 at 04:45:52PM -0500, Richard Seaman, Jr. wrote: > On Sun, Jul 07, 2002 at 11:35:46PM +0200, Szilveszter Adam wrote: > > Hello everybody, > > > > I upgraded to yesterday's -CURRENT and have made a few observations: > > > 2) and much more alarmingly: Although the new ipfw really seems to > > process the ruleset faster, some rules appear to do nothing! I > > have a "default-to-deny" setup, so theoretically this should mean that I > > should be cut off from the net if the allow rules do not work. And > > indeed, flushing all rules gives the expected behaviour. But as soon as > > I load the ruleset file (which is the same as previously and then it > > worked as expected) the fw becomes wide-open, the only rules that appear > > to work are the divert for natd, and the allow rules. But the deny rules > > do nothing, it seems that even the "catch-all" implicit deny rule at the > > bottom does nothing. Am I going insane, or is this real? > > Don't know. But, I do know that logging seemed to be messed up. My old > ruleset only logged a few rules, and after upgrading I seemed to get a > log entry for every packet. It was so overwhelming that I didn't even > try to analyze it. Since I needed natd on the machine in question, > I just reverted all the new ipfw code, and haven't spent much time at it.
I just went back to the old log files, and based on a spot check, the log files do indeed record as "accepted" packets that should have been denied by the ruleset (and which are currently denied without logging using the same ruleset and the "old" ipfw). -- Richard Seaman, Jr. email: [EMAIL PROTECTED] 5182 N. Maple Lane phone: 262-367-5450 Nashotah WI 53058 fax: 262-367-5852 To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message