Hi,
I have just noticed that ipfw list shows one rule twice. It could be that I have run a script that adds it twice:

shell::root:~> ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
01999 deny ip from table(1) to any
01999 deny ip from table(1) to any
65000 allow ip from any to any
65535 allow ip from any to any

Shouldn't IPFW check before adding the same rule number again?

This is FreeBSD 6.1 RC1 with quite recent kernel.

--
Vaclav Haisman
Kevin Downey wrote, On 21.12.2006 20:44:
> On 12/21/06, Václav Haisman <V.Haisman@sh.cvut.cz> wrote:
> > Hi,
> > I have just noticed that ipfw list shows one rule twice. It could be
> > that I have run a script that adds it twice:
> >
> > shell::root:~> ipfw list
> > 00100 allow ip from any to any via lo0
> > 00200 deny ip from any to 127.0.0.0/8
> > 00300 deny ip from 127.0.0.0/8 to any
> > 01999 deny ip from table(1) to any
> > 01999 deny ip from table(1) to any
> > 65000 allow ip from any to any
> > 65535 allow ip from any to any
> >
> > Shouldn't IPFW check before adding the same rule number again?
> >
> > This is FreeBSD 6.1 RC1 with quite recent kernel.
> >
> > --
> > Vaclav Haisman
>
> It's a feature, not a bug.

Huh, really? How is it useful? Please, explain.

--
VH
On 12/21/06, Václav Haisman <V.Haisman@sh.cvut.cz> wrote:
> Hi,
> I have just noticed that ipfw list shows one rule twice. It could be that
> I have run a script that adds it twice:
>
> shell::root:~> ipfw list
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 01999 deny ip from table(1) to any
> 01999 deny ip from table(1) to any
> 65000 allow ip from any to any
> 65535 allow ip from any to any
>
> Shouldn't IPFW check before adding the same rule number again?
>
> This is FreeBSD 6.1 RC1 with quite recent kernel.
>
> --
> Vaclav Haisman

It's a feature, not a bug.

--
The biggest problem with communication is the illusion that it has occurred.
Scott Ullrich wrote, On 21.12.2006 21:05:
> On 12/21/06, Václav Haisman <V.Haisman@sh.cvut.cz> wrote:
> > Huh, really? How is it useful? Please, explain.
>
> One example feature is to be able to delete many rules at once. If
> you know that a specific rule number holds rules (example: time based
> rules) then the script has less work to do. Now granted since sets
> were introduced this can be done via this method but this feature has
> been useful (at least to me) for years and years now.
>
> Scott

Oh, I did not realise this use. Hmm... still, I thought that this is what tables are for :)

--
VH
Hi,

Re-edit your script and on the first line add the following:

ipfw -f fl

This line flushes the firewall script that is currently loaded before loading your script.

Can you keep me posted.

Regards and a Merry Christmas,

--
Rodrigo Galiano Celestino
Internet & System Consultant
Cellphone: +244 923 57 79 72

Václav Haisman wrote:
> Hi,
> I have just noticed that ipfw list shows one rule twice. It could be that I
> have run a script that adds it twice:
>
> shell::root:~> ipfw list
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 01999 deny ip from table(1) to any
> 01999 deny ip from table(1) to any
> 65000 allow ip from any to any
> 65535 allow ip from any to any
>
> Shouldn't IPFW check before adding the same rule number again?
>
> This is FreeBSD 6.1 RC1 with quite recent kernel.
>
> --
> Vaclav Haisman
On 12/21/06, Václav Haisman <V.Haisman@sh.cvut.cz> wrote:
> Oh, I did not realise this use. Hmm... still, I thought that this is what
> tables are for :)

Yep, that's another usage for tables. But tables have not been around for very long either. Considering that I have used IPFW since FreeBSD version 2 or something or another, these fancy features have not always been around :)

Scott
Václav Haisman wrote:
> I have just noticed that ipfw list shows one rule twice. It could be that I
> have run a script that adds it twice:

That's expected behaviour. Rule numbers are not unique. Think of the rule number as a tag attached to the rule. It's perfectly legal that two rules can have the same tag (number).

> Shouldn't IPFW check before adding the same rule number again?

No. However, it could be argued that ipfw(8) could check if an existing rule number is added with the same rule body. In that case it would be redundant and have no effect at all. (It wouldn't really be an error either, so ipfw(8) could simply exit successfully without actually adding the rule.) If someone submits a patch for that, I think it would be committed.

Best regards
Oliver

--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services with a focus on FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"Clear perl code is better than unclear awk code; but NOTHING comes
close to unclear perl code" (taken from comp.lang.awk FAQ)
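One way to do the check Oliver describes from the loading script itself, as an added example that is not part of the thread or of ipfw(8): `rule_exists` and `add_rule_once` are hypothetical helper names, and the `RULESET` snapshot is constructed from the listing quoted in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from ipfw(8) itself.
# Constructed snapshot of `ipfw list` output, modelled on the listing in the thread.
RULESET='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
01999 deny ip from table(1) to any
65000 allow ip from any to any
65535 allow ip from any to any'

# rule_exists LISTING NUMBER BODY
# Succeeds when LISTING already holds a rule with exactly this number and body.
# ipfw prints the number zero-padded to five digits and the body in its own
# normalised spelling, so BODY must be given in that form (e.g. "ip", not "all").
rule_exists() {
    listing=$1
    num=$(printf '%05d' "$2")
    body=$3
    printf '%s\n' "$listing" | grep -qxF "$num $body"
}

# add_rule_once NUMBER BODY
# The check Oliver suggests, done in a wrapper around `ipfw add`: when an
# identical rule is already loaded, report it and return 0 without adding a
# second copy. Only meaningful on a FreeBSD host where ipfw(8) is available.
add_rule_once() {
    if rule_exists "$(ipfw list)" "$1" "$2"; then
        echo "rule $1 '$2' already present, not adding again" >&2
        return 0
    fi
    # BODY is intentionally unquoted so its words become separate arguments.
    ipfw add "$1" $2
}
```

A rule added twice with the same number but a different body (for example after a script edit) is still accepted, which is the legitimate use the other replies describe.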
Hello!

On Thu, 21 Dec 2006, Václav Haisman wrote:
>> One example feature is to be able to delete many rules at once. If
>> you know that a specific rule number holds rules (example: time based
>> rules) then the script has less work to do. Now granted since sets
>> where introduced this can be done via this method but this feature has
>> been useful (at least to me) for years and years now.
>>
>> Scott
> Oh, I did not realise this use. Hmm...still, I thought that this is what
> tables are for :)

The ability to have several distinct ipfw rules with the same rule_number is also useful for the purposes of traffic accounting. Say, you should tally traffic received via some interface + traffic from the proxy-server together for some user:

ipfw add 3000 count all from any to user in recv ext0
ipfw add 3000 count tcp from proxy 3128 to user out

and just teach the traffic accounting utility to sum up byte counts for the rules with the same number. Very handy, and not doable via lookup tables.

> VH

Sincerely,
Dmitry

--
Atlantis ISP, System Administrator
e-mail: dmitry@atlantis.dp.ua
nic-hdl: LYNX-RIPE
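The summing step Dmitry leaves to the accounting utility, as an added example that is not part of the thread: it reads `ipfw -a list` style output (rule number, packet count, byte count, rule body) and totals bytes per rule number, so the two 3000 rules come out as one figure for that user. `bytes_for_rule`, `per_rule_totals` and the `COUNTERS` snapshot with its addresses are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from any accounting tool it mentions.
# Constructed snapshot of `ipfw -a list` (= `ipfw show`) output: rule number,
# packet count, byte count, then the rule body. The two 3000 rules mirror
# Dmitry's accounting setup; the hosts are made-up addresses.
COUNTERS='00100      5120    3276800 allow ip from any to any via lo0
03000       120      98000 count ip from any to 10.0.0.7 in recv ext0
03000        40      51000 count tcp from 10.0.0.2 3128 to 10.0.0.7 out
03001        10       4000 count ip from any to 10.0.0.8 in recv ext0
65535      9000    7000000 allow ip from any to any'

# bytes_for_rule LISTING NUMBER -> total bytes across every rule with that number
# (0 when no rule carries the number). %.0f avoids awk's %d overflow on large counters.
bytes_for_rule() {
    printf '%s\n' "$1" | awk -v n="$(printf '%05d' "$2")" '
        $1 == n { sum += $3 }
        END { printf "%.0f\n", sum + 0 }'
}

# per_rule_totals LISTING -> one "number bytes" line per distinct rule number,
# sorted, i.e. what an accounting run would record per user.
per_rule_totals() {
    printf '%s\n' "$1" | awk '
        { sum[$1] += $3 }
        END { for (n in sum) printf "%s %.0f\n", n, sum[n] }' | sort
}
```

On the live system `ipfw -a list` supplies the input, and because `ipfw zero 3000` acts on every rule with that number, both counters reset together after each accounting run.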