From root@proxy.metro.tas.com.au  Thu Mar 26 15:07:55 1998
Received: from proxy.metro.tas.com.au ([147.109.165.35])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA08270
          for <FreeBSD-gnats-submit@freebsd.org>; Thu, 26 Mar 1998 15:07:44 -0800 (PST)
          (envelope-from root@proxy.metro.tas.com.au)
Received: (from root@localhost)
	by proxy.metro.tas.com.au (8.8.8/8.8.5) id KAA17071;
	Fri, 27 Mar 1998 10:07:27 +1100 (EST)
Message-Id: <199803262307.KAA17071@proxy.metro.tas.com.au>
Date: Fri, 27 Mar 1998 10:07:27 +1100 (EST)
From: Charlie Root <root@proxy.metro.tas.com.au>
Reply-To: root@proxy.metro.tas.com.au
To: FreeBSD-gnats-submit@freebsd.org
Subject: IPFW Rules mixup - wrong rule numbers are filtering packets
X-Send-Pr-Version: 3.2

>Number:         6141
>Category:       i386
>Synopsis:       IPFW rules are incorrectly filtering packets randomly
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Mar 26 15:10:01 PST 1998
>Closed-Date:    Thu Mar 26 17:16:01 PST 1998
>Last-Modified:  Thu Mar 26 17:17:20 PST 1998
>Originator:     Charlie &
>Release:        FreeBSD 3.0-980221-SNAP i386
>Organization:
Metro Tasmania Pty Ltd
>Environment:

  The machine is used as a gateway/proxy machine.

>Description:

We use the rules to log how much traffic travels out on a particular
port. Additionally, we also block other ports. The rules seem
to be getting mixed up, so some of the allowed ports are being
reported as being blocked.

Mar 27 09:55:22 proxy /kernel: ipfw: 5300 Deny TCP 147.109.237.5:8080 147.109.165.35:1525 in via ed0
Mar 27 09:56:26 proxy /kernel: ipfw: 5300 Deny TCP 147.109.237.5:8080 147.109.165.35:1525 in via ed0

Here are the relevant rules:
$fwcmd add   5300 deny log tcp from any      to any 1525 in  via $Out
$fwcmd add  15900 pass     tcp from any 8080 to any      out via $In
$fwcmd add  16000 pass     tcp from any      to any 8080 out via $Out
$fwcmd add  16100 pass     tcp from any 8080 to any      in  via $In

Seems to occur more as the number of rules increases; currently
there are approximately 40 rules.

>How-To-Repeat:

Unknown...

>Fix:
	
Unknown.... (Lot of help aren't I <Grin>)
>Release-Note:
>Audit-Trail:

From: "Daniel O'Callaghan" <danny@panda.hilink.com.au>
To: Charlie Root <root@proxy.metro.tas.com.au>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: i386/6141: IPFW Rules mixup - wrong rule numbers are filtering packets
Date: Fri, 27 Mar 1998 11:33:42 +1100 (EST)

 > We use the rules to log how much traffic travels out on a particular
 > port. Additionally, we also block other ports. The rules seem
 > to be getting mixed up, so some of the allowed ports are being
 > reported as being blocked.
 > 
 > Mar 27 09:55:22 proxy /kernel: ipfw: 5300 Deny TCP 147.109.237.5:8080 147.109.165.35:1525 in via ed0
 > Mar 27 09:56:26 proxy /kernel: ipfw: 5300 Deny TCP 147.109.237.5:8080 147.109.165.35:1525 in via ed0
 > 
 > Here are the relevant rules:
 > $fwcmd add   5300 deny log tcp from any      to any 1525 in  via $Out
 > $fwcmd add  15900 pass     tcp from any 8080 to any      out via $In
 > $fwcmd add  16000 pass     tcp from any      to any 8080 out via $Out
 > $fwcmd add  16100 pass     tcp from any 8080 to any      in  via $In
 
 It looks to me like it is doing things correctly, as far as the ruleset 
 is written.  Why are you denying 1525? Do you have the $Out and $In round 
 the wrong way in 5300 and 15900?
 
 You do realise that rules are parsed in numeric order, don't you?
 
 Danny
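
The following is an added worked example, not code from the PR or from FreeBSD. It
replays the four quoted rules and the logged packet through a toy model of ipfw
first-match evaluation (ascending rule number, first matching rule decides) to show
why rule 5300 fires. The PR never says which interface $In and $Out expand to, so
the mapping $Out=ed0/$In=ed1 is an assumption chosen to match the logged "in via
ed0"; it is then swapped to test the question raised above. It is also assumed that
the proxy (147.109.165.35) opened the connection from ephemeral port 1525 to the
remote host's port 8080, so the logged packet is the server's reply, and the
"Accept" wording for a logged pass is an assumption.

```python
"""Toy first-match evaluator for the ipfw(8) rule subset used in this PR.

Added example, not code from the PR or from FreeBSD.  It models only what the
report exercises: tcp rules with optional single ports, in/out, 'via <iface>',
and first match in ascending rule-number order.  The $In/$Out interface names
are ASSUMED (the PR never states them): ed0 as $Out reproduces the logged hit,
and the swapped mapping tests the reviewer's question.
"""
import re
from dataclasses import dataclass
from string import Template
from typing import List, Optional, Tuple

# The four rules quoted in the PR, in the shell syntax the submitter used.
RULES_TEXT = """
add   5300 deny log tcp from any      to any 1525 in  via $Out
add  15900 pass     tcp from any 8080 to any      out via $In
add  16000 pass     tcp from any      to any 8080 out via $Out
add  16100 pass     tcp from any 8080 to any      in  via $In
"""

RULE_RE = re.compile(
    r"""^add\s+(?P<num>\d+)\s+(?P<action>pass|allow|deny)\s+(?P<log>log\s+)?
        (?P<proto>tcp|udp|ip)\s+from\s+(?P<src>\S+)(?:\s+(?P<sport>\d+))?
        \s+to\s+(?P<dst>\S+)(?:\s+(?P<dport>\d+))?
        (?:\s+(?P<dir>in|out))?(?:\s+via\s+(?P<via>\S+))?\s*$""",
    re.VERBOSE,
)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "in" or "out"
    iface: str


@dataclass(frozen=True)
class Rule:
    number: int
    action: str
    log: bool
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    direction: Optional[str]
    iface: Optional[str]

    def matches(self, p: Packet) -> bool:
        """Every field the rule specifies must agree with the packet; 'any' and
        omitted fields are wildcards (addresses are 'any' or an exact literal here)."""
        return (
            self.proto in ("ip", p.proto)
            and self.src in ("any", p.src)
            and (self.sport is None or self.sport == p.sport)
            and self.dst in ("any", p.dst)
            and (self.dport is None or self.dport == p.dport)
            and (self.direction is None or self.direction == p.direction)
            and (self.iface is None or self.iface == p.iface)
        )


def parse_rules(text: str, env: dict) -> List[Rule]:
    """Expand $In/$Out the way the shell would, parse, and sort by rule number."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(Template(line.strip()).substitute(env))
        if not m:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        g = m.groupdict()

        def port(key: str) -> Optional[int]:
            return int(g[key]) if g[key] else None

        rules.append(Rule(int(g["num"]), "deny" if g["action"] == "deny" else "pass",
                          bool(g["log"]), g["proto"], g["src"], port("sport"),
                          g["dst"], port("dport"), g["dir"], g["via"]))
    return sorted(rules, key=lambda r: r.number)


def decide(rules: List[Rule], p: Packet) -> Optional[Rule]:
    """ipfw semantics: walk the rules in ascending number; the first match decides."""
    for r in rules:
        if r.matches(p):
            return r
    return None  # would fall through to the rest of the ruleset / the default rule


def log_line(r: Rule, p: Packet) -> str:
    """Kernel log format as it appears in the PR (syslog timestamp and host omitted)."""
    verb = "Deny" if r.action == "deny" else "Accept"  # "Accept" for pass is an assumption
    return (f"ipfw: {r.number} {verb} {p.proto.upper()} {p.src}:{p.sport} "
            f"{p.dst}:{p.dport} {p.direction} via {p.iface}")


# Constructed from the PR's log line.  Assumed: the proxy (147.109.165.35) opened
# the connection from port 1525 to 147.109.237.5:8080, so the logged packet is the reply.
REQUEST = Packet("tcp", "147.109.165.35", 1525, "147.109.237.5", 8080, "out", "ed0")
REPLY = Packet("tcp", "147.109.237.5", 8080, "147.109.165.35", 1525, "in", "ed0")

AS_LOGGED = {"Out": "ed0", "In": "ed1"}  # assumed; consistent with "in via ed0" hitting 5300
SWAPPED = {"Out": "ed1", "In": "ed0"}    # the reviewer's question: $In and $Out reversed


def verdict(env: dict, p: Packet) -> Optional[Tuple[int, str]]:
    """(rule number, action) of the first matching quoted rule, or None if none match."""
    r = decide(parse_rules(RULES_TEXT, env), p)
    return None if r is None else (r.number, r.action)


if __name__ == "__main__":
    for name, env in (("as logged", AS_LOGGED), ("swapped", SWAPPED)):
        rules = parse_rules(RULES_TEXT, env)
        for p in (REQUEST, REPLY):
            r = decide(rules, p)
            hit = "no match in these four" if r is None else f"rule {r.number} {r.action}"
            print(f"[{name}] {p.direction:3} via {p.iface} {p.src}:{p.sport} -> "
                  f"{p.dst}:{p.dport}: {hit}")
            if r is not None and r.log:
                print("   ", log_line(r, p))
```

With $Out=ed0 the outbound SYN is passed by 16000, but the server's reply carries
source port 8080 and destination port 1525 and arrives on ed0, which is exactly what
5300 describes; since 5300 is evaluated before 16100, the pass at 16100 is never
consulted and the kernel logs the deny line quoted in the report. With $In and $Out
swapped the same reply is passed by 16100 instead, which is the check suggested above.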
State-Changed-From-To: open->closed 
State-Changed-By: danny 
State-Changed-When: Thu Mar 26 17:16:01 PST 1998 
State-Changed-Why:  
User now understands TCP and ipfw rules a bit better. 
>Unformatted:
