ipfw shows ip being blocked in dynamic rules

What if you manually run this code and add some IPs into the table:

Code:
ipfw table 2 add 80.x.x.x
ipfw table 2 add 81.x.x.x
ipfw table 2 add 66.x.x.x
ipfw table 2 add 62.x.x.x


and then again

Code:
ipfw table 2 list
?
 
Now you can try to open a web-site on your server from that IP and see whether counters changed here from zeros:

Code:
ipfw show 10007
 
Seems they do:
Code:
10007   2344   1504706 allow tcp from table(2) to any dst-port 80 setup limit src-addr 80

Which looks like everything is ok. But in fact it looks like 60007 is counting too, and will block regardless of any other rule. Some sort of whichever counter comes to it's limit first will block. And judging from the past few weeks, rule 60007 wins every time and blocks ip's from table 2.
 
That can't be true...

When a packet enters the firewall it is compared against the first rule in the ruleset and progresses one rule at a time moving from top to bottom of the set in ascending rule number sequence order. When the packet matches the selection parameters of a rule, the rules' action field value is executed and the search of the ruleset terminates for that packet. This is referred to as “the first match wins” search method.

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html

Your rule number 60007 must be catching connections from other IPs.
 
Back
Top