Only seeing incrementing counters on 'count' and not 'allow'
Justin G.
justin at ocis.net
Tue Apr 14 11:24:18 PDT 2009
On Tue, Apr 14, 2009 at 11:01 AM, Justin G. <justin at ocis.net> wrote:
> Hello everyone,
>
> We've got a 6.2-RELEASE box functioning as a gateway. Today we noticed
> that, when we place allow rules (we were testing at rule numbers 1-5
> to prevent any other matching rules) they weren't incrementing
> properly, but when replaced with "count" rules that are identical,
> they increment. The firewall is set to "OPEN" on the box and we're
> using the default /etc/rc.firewall script without modifications.
>
> Here's an example of what's going on:
>
> --snip--
> [root at gateway ~]# ipfw show | head -2
> 00002 0 0 allow ip from any to 10.10.0.75
> 00002 0 0 allow ip from 10.10.0.75 to any
> [root at gateway ~]# ping 10.10.0.75
> PING 10.10.0.75 (10.10.0.75): 56 data bytes
> ^C
> --- 10.10.0.75 ping statistics ---
> 5 packets transmitted, 0 packets received, 100% packet loss
> [root at gateway ~]# ipfw show | head -2
> 00002 0 0 allow ip from any to 10.10.0.75
> 00002 0 0 allow ip from 10.10.0.75 to any
> [root at gateway ~]# ipfw add 1 count ip from any to 10.10.0.75
> 00001 count ip from any to 10.10.0.75
> [root at gateway ~]# ping 10.10.0.75
> PING 10.10.0.75 (10.10.0.75): 56 data bytes
> ^C
> --- 10.10.0.75 ping statistics ---
> 4 packets transmitted, 0 packets received, 100% packet loss
> [root at gateway ~]# ipfw show | head -3
> 00001 4 336 count ip from any to 10.10.0.75
> 00002 0 0 allow ip from any to 10.10.0.75
> 00002 0 0 allow ip from 10.10.0.75 to any
> [root at gateway ~]#
> --snip--
>
> These are the firewall settings as defined in /etc/rc.conf:
> --snip--
> firewall_enable="YES"
> firewall_logging="YES"
> firewall_type="open"
> --snip--
>
> I've been puzzling over this all day and would appreciate any
> direction provided :-)
>
> Have a great day.
>
Never mind! I guess I posted too soon. The issue turned out to be that
the rules were created with "allow IP from" instead of "allow ip from"
-- it's interesting to me that it displays in the "ipfw show" output
to be lower case. I've just verified that this also occurs on FreeBSD
7.1 -- is this intended functionality?
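As an added example (not part of the thread or of FreeBSD), a small POSIX shell helper for the diagnostic the poster did by hand: diff two `ipfw show` snapshots to see which rules actually matched, and lint a rule file (rc.firewall or a rules file, not `ipfw show` output, which lowercases the token) for protocol keywords that are not lowercase. The snapshot lines and the rules are constructed samples.

```shell
#!/bin/sh
# Constructed sample: two "ipfw show" snapshots (rule pkts bytes action ...),
# taken before and after sending test traffic. Not from a live box.
BEFORE='00001 0 0 count ip from any to 10.10.0.75
00002 0 0 allow ip from any to 10.10.0.75
00002 0 0 allow ip from 10.10.0.75 to any
65535 10 840 allow ip from any to any'
AFTER='00001 4 336 count ip from any to 10.10.0.75
00002 0 0 allow ip from any to 10.10.0.75
00002 0 0 allow ip from 10.10.0.75 to any
65535 14 1176 allow ip from any to any'

# Print "<rule> <pkt delta> <rule body>" for each rule in the second snapshot.
# The key is rule number plus body, since one number may hold several rules.
# Rules whose packet counter did not move print "NOHIT" so that a rule that
# should have matched the test traffic stands out.
ipfw_counter_delta() {
    printf '%s\n' "$1" "--" "$2" | awk '
        $1 == "--" { second = 1; next }
        {
            body = ""
            for (i = 4; i <= NF; i++) body = body (i > 4 ? " " : "") $i
            key = $1 " " body
            if (!second) { before[key] = $2; next }
            delta = $2 - before[key]
            printf "%s %s %s\n", $1, (delta > 0 ? delta : "NOHIT"), body
        }'
}

# Flag rules whose protocol token (the word right before "from") is not all
# lowercase, e.g. "allow IP from ...". Assumption: the plain "proto from"
# form; the "{ tcp or udp }" list syntax is not handled. Prints
# "line N: <token>" per offending rule.
ipfw_lint_proto_case() {
    printf '%s\n' "$1" | awk '
        {
            for (i = 2; i <= NF; i++)
                if ($i == "from" && $(i - 1) != tolower($(i - 1)))
                    printf "line %d: %s\n", NR, $(i - 1)
        }'
}

# Constructed rule file with the mistake the thread describes on line 1.
RULES='add 2 allow IP from any to 10.10.0.75
add 2 allow ip from 10.10.0.75 to any'
```

On a live box, capture the snapshots with `ipfw show` before and after the test ping and feed them to `ipfw_counter_delta`; run `ipfw_lint_proto_case` over the rule source before loading it.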