From nobody@FreeBSD.org  Thu May  6 00:39:20 2004
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id BC31416A4CE
	for <freebsd-gnats-submit@FreeBSD.org>; Thu,  6 May 2004 00:39:20 -0700 (PDT)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 9CA1943D48
	for <freebsd-gnats-submit@FreeBSD.org>; Thu,  6 May 2004 00:39:20 -0700 (PDT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.12.11/8.12.11) with ESMTP id i467dK1w027305
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 6 May 2004 00:39:20 -0700 (PDT)
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.12.11/8.12.11/Submit) id i467dKE2027304;
	Thu, 6 May 2004 00:39:20 -0700 (PDT)
	(envelope-from nobody)
Message-Id: <200405060739.i467dKE2027304@www.freebsd.org>
Date: Thu, 6 May 2004 00:39:20 -0700 (PDT)
From: Zachery Hostens <openhalo@openhalo.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ipfw count rule disabling new connections
X-Send-Pr-Version: www-2.3

>Number:         66319
>Category:       kern
>Synopsis:       ipfw count rule disabling new connections
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    maxim
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu May 06 00:40:19 PDT 2004
>Closed-Date:    Sat May 29 12:26:37 PDT 2004
>Last-Modified:  Sat May 29 12:26:37 PDT 2004
>Originator:     Zachery Hostens
>Release:        5-CURRENT
>Organization:
>Environment:
FreeBSD avalanche.mchsi.com 5.2-CURRENT FreeBSD 5.2-CURRENT #4: Mon May  3 22:07:04 CDT 2004     root@avalanche.mchsi.com:/usr/obj/usr/src/sys/AVALANCHE  i386
>Description:
I was attempting to add a rule to ipfw to count SYN packets coming in:
ipfw add 01000 count tcp from any to me setup (I also tried "to any")
When I would try to connect to the box from another machine I would always get this:
extort@fate extort $ ssh avalanche
ssh: connect to host avalanche port 22: Network is unreachable

Now the counter would count connection tries correctly, just not allow me to connect. As soon as I remove the rule I can ssh perfectly fine.

src-all was cvsup'd within 1 day of being compiled. If you need to see the kernel config and/or rc.conf or any other settings I have set, please feel free to email me.
>How-To-Repeat:
ipfw add # count tcp to any from [any|me]
>Fix:

>Release-Note:
>Audit-Trail:

From: Maxim Konovalov <maxim@macomnet.ru>
To: Zachery Hostens <openhalo@openhalo.net>
Cc: bug-followup@freebsd.org
Subject: Re: kern/66319: ipfw count rule disabling new connections
Date: Thu, 6 May 2004 12:35:15 +0400 (MSD)

 On Thu, 6 May 2004, 00:39-0700, Zachery Hostens wrote:
 
 >
 > >Number:         66319
 > >Category:       kern
 > >Synopsis:       ipfw count rule disabling new connections
 
 [...]
 > FreeBSD avalanche.mchsi.com 5.2-CURRENT FreeBSD 5.2-CURRENT #4: Mon May  3 22:07:04 CDT 2004     root@avalanche.mchsi.com:/usr/obj/usr/src/sys/AVALANCHE  i386
 > >Description:
 > i was attempting to add a rule to ipfw to count syn packets coming
 > in ipfw add 01000 count tcp from any to me setup (i also tried to
 > any) when i would try to connect to the box from another machine i
 > would always get this: extort@fate extort $ ssh avalanche ssh:
 > connect to host avalanche port 22: Network is unreachable
 >
 > now the counter would count connection tries correctly, just not
 > allow me to connect.  as soon as i remove the rule i can ssh
 > perfectly fine.
 >
 > src-all was cvsup'd within 1 day of being compiled.  If you need to
 > see the kernel config and/or rc.conf or any other settings i have
 > set, please feel free to email me.
 > >How-To-Repeat:
 > ipfw add # count tcp to any from [any|me]
 
 It doesn't look like a valid ipfw(4) rule.
 
 $ ipfw -n add 1 count tcp to any from any
 ipfw: missing ``from''
 
 I believe you mean something like that:
 
 # ipfw add 1 count tcp from any to any
 00001 count tcp from any to any
 
 $ telnet relay1.demos.su 25
 Trying 194.87.0.16...
 Connected to relay1.demos.su.
 Escape character is '^]'.
 
 So, I cannot reproduce.  Could you please show the whole ruleset?
 
 -- 
 Maxim Konovalov
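The `ipfw -n` dry run in the follow-up is the check worth keeping: validate rule syntax before loading a ruleset. As an added example (not ipfw's own parser and not code from the PR), this Python model of the ordering ipfw enforces, `[add] [number] action proto from src to dst [options]`, lints a constructed ruleset that includes the swapped `to ... from` rule from this PR; the keyword sets are an assumption, a small subset of the real grammar.

```python
# Keyword sets: a small subset of the ipfw(8) grammar (an assumption of this example).
ACTIONS = {"allow", "accept", "pass", "permit", "deny", "drop", "count", "reset"}
PROTOS = {"ip", "all", "tcp", "udp", "icmp"}
OPTIONS = {"setup", "established", "keep-state", "in", "out", "frag"}

def parse_rule(rule):
    """Parse '[add] [num] action proto from src to dst [opts]' or raise ValueError."""
    tok = rule.split()
    if tok and tok[0] == "add":
        tok = tok[1:]
    if tok and tok[0].isdigit():                # optional rule number
        tok = tok[1:]
    if not tok or tok[0] not in ACTIONS:
        raise ValueError("ipfw: missing action")
    action, tok = tok[0], tok[1:]
    if not tok or tok[0] not in PROTOS:
        raise ValueError("ipfw: missing protocol")
    proto, tok = tok[0], tok[1:]
    # "from <src>" must precede "to <dst>"; "to any from any" trips this check.
    if len(tok) < 2 or tok[0] != "from":
        raise ValueError("ipfw: missing ``from''")
    src, tok = tok[1], tok[2:]
    if len(tok) < 2 or tok[0] != "to":
        raise ValueError("ipfw: missing ``to''")
    dst, opts = tok[1], tok[2:]
    if any(o not in OPTIONS for o in opts):
        raise ValueError("ipfw: unknown option in %r" % opts)
    # count only bumps counters; matching continues, so it cannot reject by itself.
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "options": opts, "terminating": action != "count"}

def lint_ruleset(lines):
    """Dry-run a whole ruleset (the job of `ipfw -n`): [(line no, error), ...]."""
    errors = []
    for n, line in enumerate(lines, 1):
        line = line.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        try:
            parse_rule(line)
        except ValueError as e:
            errors.append((n, str(e)))
    return errors

# Constructed sample: the PR's rule, its How-To-Repeat form, the corrected form.
SAMPLE = [
    "add 01000 count tcp from any to me setup",
    "add 1 count tcp to any from any",          # swapped from/to, as in the PR
    "add 1 count tcp from any to any",          # as corrected in the follow-up
]
```

Running `lint_ruleset(SAMPLE)` reports only line 2 with the same "missing ``from''" message the follow-up shows; the count rule itself parses and is non-terminating, so something else in the full ruleset would have to be rejecting the connection.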
State-Changed-From-To: open->closed 
State-Changed-By: maxim 
State-Changed-When: Sat May 29 12:25:02 PDT 2004 
State-Changed-Why:  
Feedback timeout. 


Responsible-Changed-From-To: freebsd-bugs->maxim 
Responsible-Changed-By: maxim 
Responsible-Changed-When: Sat May 29 12:25:02 PDT 2004 
Responsible-Changed-Why:  
Followups trap. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=66319 
>Unformatted:
