From muir@ping.idiom.com  Sat Oct  4 01:00:30 1997
Received: from ping.idiom.com (idiom-frVT1-gw.sf.tlg.net [140.174.37.22] (may be forged))
          by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id BAA05026
          for <FreeBSD-gnats-submit@freebsd.org>; Sat, 4 Oct 1997 01:00:30 -0700 (PDT)
Received: (from muir@localhost)
	by ping.idiom.com (8.8.5/8.8.5) id BAA12414;
	Sat, 4 Oct 1997 01:00:25 -0700 (PDT)
Message-Id: <199710040800.BAA12414@ping.idiom.com>
Date: Sat, 4 Oct 1997 01:00:25 -0700 (PDT)
From: David Sharnoff <muir@ping.idiom.com>
Reply-To: muir@ping.idiom.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: ipfw accept ignored.  
X-Send-Pr-Version: 3.2

>Number:         4687
>Category:       kern
>Synopsis:       ipfw accept ignored
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Oct  4 01:10:01 PDT 1997
>Closed-Date:    Sat Oct 4 16:37:17 PDT 1997
>Last-Modified:  Sat Oct  4 16:39:38 PDT 1997
>Originator:     David Sharnoff
>Release:        FreeBSD 2.2.2-RELEASE i386
>Organization:
Idiom Consulting
>Environment:

	A router with lots of rules.  I'll send 'em to anyone 
	who is interested. 

	The router is running FreeBSD 2.2.2 RELEASE

>Description:

	I have a rule that passes a packet.  I can tell that it
	passes the packet because the counter goes up by one 
	whenever a packet goes by.

	I have another rule that rejects packets. 

	Both rules are firing on the same packet.

	% ipfw -a list | grep 111
	13000         24       2016 allow udp from 209.66.121.0/27 to 140.174.82.0/26 111 in via ethb17
	13000          0          0 allow udp from 140.174.82.32/27 to 140.174.82.32/27 111 in via ep0
	13000          0          0 allow tcp from 140.174.82.0/27 to 140.174.82.0/26 111 in via fxp0
	13000          0          0 allow udp from 140.174.82.0/27 to 140.174.82.0/27 111 in via fxp0
	13000         24       2016 deny log udp from any to 140.174.82.0/26 111
	13500          0          0 allow tcp from 140.174.82.32/27 to 140.174.82.0/26 111 in via ep0
	13500          0          0 deny log tcp from any to 140.174.82.0/26 111

	I've renumbered the rules in many ways.  It behaves the same
	if both rules (with the 24 2016 count) have the same number or
	different numbers.

>How-To-Repeat:

	Duplicate the above rules.  Send packets.

>Fix:
	

>Release-Note:
>Audit-Trail:

From: "Daniel O'Callaghan" <danny@panda.hilink.com.au>
To: David Sharnoff <muir@ping.idiom.com>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: kern/4687: ipfw accept ignored. 
Date: Sat, 4 Oct 1997 21:38:13 +1000 (EST)

 On Sat, 4 Oct 1997, David Sharnoff wrote:
 
 > 	I have a rule that passes a packet.  I can tell that it
 > 	passes the packet because the counter goes up by one 
 > 	whenever a packet goes by.
 > 
 > 	I have another rule that rejects packets. 
 > 
 > 	Both rules are firing on the same packet.
 > 
 > 	% ipfw -a list | grep 111
 > 	13000         24       2016 allow udp from 209.66.121.0/27 to 140.174.82.0/26 111 in via ethb17
 > 	13000         24       2016 deny log udp from any to 140.174.82.0/26 111
 
 If you look at the second rule carefully, you'll see that you have not 
 defined a direction on it.  What is happening is that the packet is 
 accepted *in* using the first rule, and denied from leaving (as this is 
 a router) by the second rule.
 
 Fix: Add *in* keyword to deny rule (you don't need to specify an interface).
 
 Danny
 
 /*  Daniel O'Callaghan                                                     */
 /*  HiLink Internet <http://www.hilink.com.au/>       danny@hilink.com.au  */
 /*  FreeBSD - works hard, plays hard...                 danny@freebsd.org  */
 
 
 
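The behaviour Danny describes, that a forwarded packet is run through the ipfw chain twice (once on the inbound interface, once on the outbound one) and that a rule with no `in`/`out` keyword matches on both passes, can be made visible with a small first-match simulator. The following is an added example written for this page, not code from the report or from FreeBSD's ipfw; it parses the two rules with the 24/2016 counters from the listing above and plays the same UDP packet through both passes. The outbound allow rule 13010, the packet addresses, the egress interface `ep0` and the default-deny rule 65535 are constructed assumptions for the demonstration (the report never shows the rest of the ruleset or the router's routing table).

```python
"""Toy model of ipfw first-match evaluation on a forwarding router.

Added example for PR kern/4687: a forwarded packet passes through the chain
twice, once on the inbound interface and once on the outbound one, and a rule
with no direction keyword matches on both passes.  Rule 13000 (both copies)
and the interfaces ethb17/ep0 are from the report; rule 13010, the packet
addresses and the default rule 65535 are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    number: int
    action: str                  # "allow" or "deny"
    log: bool
    proto: str                   # "udp", "tcp" or "ip" (ip = any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None = any destination port
    direction: Optional[str]     # "in", "out" or None (matches on both passes)
    via: Optional[str]           # interface name, None = any interface
    packets: int = 0             # per-rule hit counter, the 'ipfw -a list' column


@dataclass
class Packet:
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def parse_rule(text: str) -> Rule:
    """Parse the subset of 'ipfw list' syntax that appears in the report."""
    toks = text.split()
    number, action = int(toks.pop(0)), toks.pop(0)
    log = toks[0] == "log"
    if log:
        toks.pop(0)
    proto = toks.pop(0)
    assert toks.pop(0) == "from"
    src = ANY if toks[0] == "any" else ipaddress.ip_network(toks[0], strict=False)
    toks.pop(0)
    if toks[0] != "to":          # optional source port; unused in these rules
        toks.pop(0)
    assert toks.pop(0) == "to"
    dst = ANY if toks[0] == "any" else ipaddress.ip_network(toks[0], strict=False)
    toks.pop(0)
    dport = int(toks.pop(0)) if toks and toks[0].isdigit() else None
    direction = via = None
    while toks:
        tok = toks.pop(0)
        if tok in ("in", "out"):
            direction = tok
        elif tok == "via":
            via = toks.pop(0)
        else:
            raise ValueError(f"unsupported token {tok!r}")
    return Rule(number, action, log, proto, src, dst, dport, direction, via)


def matches(rule: Rule, pkt: Packet, direction: str, iface: str) -> bool:
    """A rule field left unspecified (None/any) matches everything."""
    return (rule.proto in ("ip", pkt.proto)
            and pkt.src in rule.src and pkt.dst in rule.dst
            and rule.dport in (None, pkt.dport)
            and rule.direction in (None, direction)
            and rule.via in (None, iface))


def evaluate(rules: List[Rule], pkt: Packet, direction: str, iface: str) -> Tuple[str, int]:
    """One pass through the chain: the first matching rule decides, as in ipfw.
    The stable sort keeps listing order for rules that share a number."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt, direction, iface):
            rule.packets += 1
            return rule.action, rule.number
    return "deny", 65535         # constructed default rule (default-to-deny kernel)


def forward(rules: List[Rule], pkt: Packet, in_iface: str, out_iface: str):
    """Router path: inbound pass, then (only if allowed) outbound pass."""
    trace = []
    action, num = evaluate(rules, pkt, "in", in_iface)
    trace.append(("in", num, action))
    if action == "allow":
        action, num = evaluate(rules, pkt, "out", out_iface)
        trace.append(("out", num, action))
    return action, trace


REPORTED = [
    "13000 allow udp from 209.66.121.0/27 to 140.174.82.0/26 111 in via ethb17",
    "13000 deny log udp from any to 140.174.82.0/26 111",             # no direction
    "13010 allow udp from any to 140.174.82.0/26 111 out via ep0",    # constructed
]
FIXED = [REPORTED[0],
         "13000 deny log udp from any to 140.174.82.0/26 111 in",      # Danny's fix
         REPORTED[2]]


def run(rule_texts: List[str]):
    """Send one constructed portmapper packet through the router; return the
    verdict, the per-pass trace, and the hit counters in listing order."""
    rules = [parse_rule(t) for t in rule_texts]
    pkt = Packet("udp", ipaddress.ip_address("209.66.121.5"),
                 ipaddress.ip_address("140.174.82.10"), 111)
    verdict, trace = forward(rules, pkt, "ethb17", "ep0")
    return verdict, trace, [r.packets for r in rules]


if __name__ == "__main__":
    for name, rs in (("reported", REPORTED), ("fixed", FIXED)):
        print(name, run(rs))
```

With the reported rules the trace is `[("in", 13000, "allow"), ("out", 13000, "deny")]` and both 13000 rules end with the same hit count, which is exactly the symmetric 24/24 counter pair in the listing; with `in` added to the deny rule the outbound pass falls through to rule 13010 and the packet is forwarded. The same check is worth running before deploying any ipfw set on a router: every rule that lacks `in`/`out` will be consulted on both passes, so a direction-less `deny` placed after an `in`-qualified `allow` silently overrides it.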

From: David Muir Sharnoff <muir@idiom.com>
To: "Daniel O'Callaghan" <danny@panda.hilink.com.au>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: kern/4687: ipfw accept ignored. 
Date: Sat, 4 Oct 1997 09:56:43 -0700 (PDT)

 * > 	% ipfw -a list | grep 111
 * > 	13000         24       2016 allow udp from 209.66.121.0/27 to 140.174.82.0/26 111 in via ethb17
 * > 	13000         24       2016 deny log udp from any to 140.174.82.0/26 111
 * 
 * If you look at the second rule carefully, you'll see that you have not 
 * defined a direction on it.  What is happening is that the packet is 
 * accepted *in* using the first rule, and denied from leaving (as this is 
 * a router) by the second rule.
 * 
 * Fix: Add *in* keyword to deny rule (you don't need to specify an interface).
 
 Ah, I see!  I didn't realize the packet got tested twice.  It makes
 sense in retrospect.
 
 Thank you for the clue.
 
 -Dave
State-Changed-From-To: open->closed 
State-Changed-By: danny 
State-Changed-When: Sat Oct 4 16:37:17 PDT 1997 
State-Changed-Why:  
Closed because there is no problem with ipfw - the packet is 
tested inbound by the first rule and outbound by the second (no 
direction specified) rule. 
>Unformatted:
