On Sun, Jul 07, 2002 at 11:35:46PM +0200, Szilveszter Adam wrote:
> Hello everybody,
> 
> I upgraded to yesterday's -CURRENT and have made a few observations:

> 2) and much more alarmingly: Although the new ipfw really seems to
> process the ruleset faster, some rules appear to do nothing! I
> have a "default-to-deny" setup, so theoretically this should mean that I
> should be cut off from the net if the allow rules do not work. And
> indeed, flushing all rules gives the expected behaviour. But as soon as
> I load the ruleset file (which is the same as previously and then it
> worked as expected) the fw becomes wide-open, the only rules that appear
> to work are the divert for natd, and the allow rules. But the deny rules
> do nothing, it seems that even the "catch-all" implicit deny rule at the
> bottom does nothing. Am I going insane, or is this real?

Don't know.  But, I do know that logging seemed to be messed up.  My old
ruleset only logged a few rules, and after upgrading I seemed to get a
log entry for every packet.  It was so overwhelming that I didn't even
try to analyze it.  Since I needed natd on the machine in question,
I just reverted all the new ipfw code, and haven't spent much time at it.

> Also, I have observed that when loading the rules from the ruleset file,
> ipfw prints two lines for each, one with the expected rule number and
> one with all zeros. I don't know if it's significant though.
> 
> It is like this:
> 
> 00000 deny log  ip from any to any
> 03600 deny log  ip from any to any

Yes, I saw this.  However, 'ipfw l' doesn't include a 00000 rule, and
the rule list appears correct.

-- 
Richard Seaman, Jr.        email:    [EMAIL PROTECTED]
5182 N. Maple Lane         phone:    262-367-5450
Nashotah WI 53058            fax:    262-367-5852

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message
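As an added example (not part of the thread, and not FreeBSD or ipfw code), the check below parses rule lines in the format `ipfw list` prints and flags the two things the report above is worried about: a rule printed with number 00000, and a ruleset whose last rule is not a catch-all deny. The two `deny log` lines are the ones quoted in the message; the divert/allow lines around them and the 65535 default rule are constructed sample input, and the helper names are my own.

```python
import re

# Constructed sample in `ipfw list` format.  The two "deny log" lines are
# the ones quoted in the thread; the rest are made-up surrounding rules.
SAMPLE_RULES = """\
00100 divert 8668 ip from any to any via tun0
00200 allow ip from any to any via lo0
00300 allow tcp from any to any established
00000 deny log  ip from any to any
03600 deny log  ip from any to any
65535 deny ip from any to any
"""

# <5-digit number> <action> [log] <body>; assumed to match `ipfw list` output.
RULE_RE = re.compile(r"^(\d{5})\s+(\S+)(?:\s+(.*))?$")


def parse_rules(text):
    """Return a list of (number, action, body) tuples, one per rule line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable ipfw rule line: {line!r}")
        number = int(m.group(1))
        action = m.group(2)
        rest = (m.group(3) or "").split()
        # "log" is a modifier printed right after the action; drop it so
        # the body can be compared independently of logging.
        if rest and rest[0] == "log":
            rest = rest[1:]
        rules.append((number, action, " ".join(rest)))
    return rules


def check_default_deny(rules):
    """Return a list of problems; empty means the ruleset looks sane."""
    problems = []
    seen = {}
    for number, action, body in rules:
        if number == 0:
            # ipfw rule numbers start at 1; a 00000 entry is the anomaly
            # reported in the thread.
            problems.append(f"rule with number 00000: {action} {body}")
        prev = seen.get(number)
        if prev is not None and prev != (action, body):
            problems.append(
                f"rule {number:05d} listed twice with different content")
        seen.setdefault(number, (action, body))
    if not rules:
        problems.append("empty ruleset")
    else:
        number, action, body = rules[-1]
        if action != "deny" or body != "ip from any to any":
            problems.append(
                f"last rule {number:05d} is not a catch-all deny")
    return problems


if __name__ == "__main__":
    for p in check_default_deny(parse_rules(SAMPLE_RULES)):
        print("problem:", p)
```

Feed it the real output of `ipfw list` (or `ipfw show`, after stripping the counter columns) to confirm the loaded ruleset still ends in a deny and contains no zero-numbered entries.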
