On Sat, Nov 15, 2008 at 01:38:02PM -0800, Jin Guojun[VFF] wrote:
> Below is a set of ipfw rules, but it seems that not all rules are
> functioning properly.
> From rule 361 to the first two of rule 567 are not blocking any traffic and
> not measuring any traffic.
> Is this because the tcp rule (330) can overwrite the ip rule? Or is this a
> known issue in R-6.3?
In general the first matching rule is the one that is applied. In your
case this means that if a packet matches your rule 330 then it will be
allowed through, and the rules further down the list will not be
considered.

> The second and third rules in rule set 567 seem to be working well.
>
> -Jin
>
> ---------------- ipfw rule sets ---------
> 00330 3108378 2700826874 allow tcp from any to any established
> 00361 0 0 deny ip from 203.83.248.93 to any
> 00361 0 0 deny ip from 72.30.142.215 to any
> 00567 0 0 deny ip from 193.200.241.171 to any
> 00567 0 0 deny ip from 221.192.199.36 to any
> 00567 3 180 deny ip from 118.153.18.186 to any
> 00567 3 180 deny ip from 203.78.214.180 to any
> 00567 0 0 deny ip from 118.219.232.123 to any
> 65500 220 20043 allow udp from any to any
> 65535 2 120 deny ip from any to any
>
> ------ traffic captured by tcpdump behind ipfw machine -----
>
> 04:12:20.940095 IP 221.192.199.36.12200 > 192.168.2.14.80: S 200229998:200229998(0) win 8192
> 04:12:21.204430 IP 221.192.199.36.12200 > 192.168.2.14.80: R 200229999:200229999(0) win 0
> 04:31:16.262402 IP 221.192.199.36.12200 > 192.168.2.14.80: S 200233658:200233658(0) win 8192
> 04:31:16.541868 IP 221.192.199.36.12200 > 192.168.2.14.80: R 200233659:200233659(0) win 0
> 05:27:04.031434 IP 221.192.199.36.12200 > 192.168.2.14.80: S 200244634:200244634(0) win 8192
> 05:27:04.303262 IP 221.192.199.36.12200 > 192.168.2.14.80: R 200244635:200244635(0) win 0
> 05:28:18.099443 IP 221.192.199.36.3362 > 192.168.2.14.80: S 2422872529:2422872529(0) win 65535 <mss 1452,nop,nop,sackOK>
> 05:28:18.352083 IP 221.192.199.36.3362 > 192.168.2.14.80: . ack 3968474717 win 65535
> 05:28:18.367745 IP 221.192.199.36.3362 > 192.168.2.14.80: P 0:205(205) ack 1 win 65535
> 05:28:18.621538 IP 221.192.199.36.3362 > 192.168.2.14.80: R 205:205(0) ack 473 win 0

-- 
<Insert your favourite quote here.>
Erik Trulsson
[EMAIL PROTECTED]
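Erik's first-match point, as an added example that is not part of the thread: a toy model of ipfw's ordered evaluation run over the rule set quoted above. It goes slightly beyond the reply by modelling the `established` option as ipfw(8) defines it (a TCP packet with the ACK or RST flag set), so an ACK or RST from an address listed at 567 is decided by rule 330 before its deny rule is ever reached. The packet dicts and the `first_match`/`tcp` helpers are constructed for this illustration.

```python
# Added example (not from the thread): first-match evaluation of the ipfw
# rule set quoted above. Rules are walked in listed order; the first rule
# whose predicate matches decides the packet and nothing below is consulted.
import ipaddress

# Rule set as listed in the thread: (number, action, proto, src, dst, option).
RULES = [
    (330, "allow", "tcp", "any", "any", "established"),
    (361, "deny", "ip", "203.83.248.93", "any", None),
    (361, "deny", "ip", "72.30.142.215", "any", None),
    (567, "deny", "ip", "193.200.241.171", "any", None),
    (567, "deny", "ip", "221.192.199.36", "any", None),
    (567, "deny", "ip", "118.153.18.186", "any", None),
    (567, "deny", "ip", "203.78.214.180", "any", None),
    (567, "deny", "ip", "118.219.232.123", "any", None),
    (65500, "allow", "udp", "any", "any", None),
    (65535, "deny", "ip", "any", "any", None),
]

def _addr_match(pattern, addr):
    return pattern == "any" or ipaddress.ip_address(pattern) == ipaddress.ip_address(addr)

def _proto_match(pattern, proto):
    # "ip" in an ipfw rule matches every IP protocol.
    return pattern == "ip" or pattern == proto

def _opt_match(opt, pkt):
    if opt is None:
        return True
    if opt == "established":
        # ipfw(8): "established" matches TCP packets with RST or ACK set.
        return pkt["proto"] == "tcp" and bool(pkt["flags"] & {"ACK", "RST"})
    raise ValueError(f"unsupported option {opt!r}")

def first_match(rules, pkt):
    """Return (rule_number, action) of the first rule that matches pkt."""
    for num, action, proto, src, dst, opt in rules:
        if (_proto_match(proto, pkt["proto"])
                and _addr_match(src, pkt["src"])
                and _addr_match(dst, pkt["dst"])
                and _opt_match(opt, pkt)):
            return num, action
    raise RuntimeError("no rule matched; ipfw always ends with rule 65535")

def tcp(src, dst, *flags):
    # Constructed packet modelled on the tcpdump lines in the thread.
    return {"proto": "tcp", "src": src, "dst": dst, "flags": set(flags)}

if __name__ == "__main__":
    # The ". ack" and "P ... ack" segments from 221.192.199.36 carry ACK and
    # are decided by rule 330; a bare SYN from the same host falls to 567.
    print(first_match(RULES, tcp("221.192.199.36", "192.168.2.14", "ACK")))
    print(first_match(RULES, tcp("221.192.199.36", "192.168.2.14", "SYN")))
```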