ipfw cannot parse an or-block when protocol 'ip' is first in the list.

To reproduce:

# ipfw flush
Are you sure? [yn] y
Flushed all rules.

# Add rule with or-block without 'ip' protocol - success
# ipfw add 1000 deny \{ igmp or ggp or eigrp \} from any to me
01000 deny { igmp or ggp or eigrp } from any to me

# Try to add or-block with 'ip' protocol first in list - error
# ipfw add 1100 deny \{ ip or igmp or ggp or eigrp \} from any to me
ipfw: invalid OR block

# Reorder or-block so 'ip' protocol is not first in list - success
# ipfw add 1200 deny \{ igmp or ip or ggp or eigrp \} from any to me
01200 deny { igmp or ggp or eigrp } from any to me

# Note also that the ip protocol does not show up in the last accepted rule.
I am interested in working on this ticket.
It appears that even on commands like:

# ipfw add 1 deny \{ igmp or ip or ggp or eigrp \} from any to me
00001 deny { igmp or ggp or eigrp } from any to me

it doesn't add ip. I tried this on my laptop and pings went through.

However, this works:

# ipfw add 1 deny \{ ipv4 or igmp or ggp or eigrp \} from any to me
00001 deny { ip4 or igmp or ggp or eigrp } from any to me

The problem is that the command for just "ip" in the kernel/tool is blank. Theoretically, this problem is solvable, but why would you want to block both IPv4 AND IPv6?
(In reply to Neel Chauhan from comment #2) The 'deny' action keyword is immaterial to the bug report. You correctly noted that both "ip4" and "ipv4" work as the first element in the list. While this is a workaround, "ip4" and "ipv4" do not exist as valid protocol names in /etc/protocols. I suggest that the code be fixed to accommodate "ip" as an acceptable value even if it is the first element in the list.
Using "ip" in the OR block with other protocols is useless, because it matches all protocols, and the result of such an OR block will always be true.
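A small model of the or-block semantics discussed in the original report and in the comment above, as an added example (this is not ipfw's own code). It parses the "{ a or b or c }" syntax in the unescaped form ipfw prints, treats "ip" as the match-any wildcard, and shows two things side by side: a block containing "ip" is always true, and the rule the reported ipfw actually stored (with "ip" silently dropped) no longer matches ICMP, which is why the pings in comment #2 went through. The protocol table is a constructed subset for the demo, not /etc/protocols; the function names are hypothetical.

```python
import re

# Constructed subset of protocol-name -> IP protocol-number mappings for the
# demo (not read from /etc/protocols, not ipfw's own table).
PROTOCOLS = {"icmp": 1, "igmp": 2, "ggp": 3, "tcp": 6, "udp": 17, "eigrp": 88}

# In ipfw, the protocol keyword "ip" (alias "all") matches any protocol.
WILDCARD = "ip"

OR_BLOCK = re.compile(r"^\{\s*(.*?)\s*\}$")


def parse_or_block(text):
    """Parse '{ a or b or c }' into its protocol names, rejecting unknown ones.

    Unlike the ipfw build in the report, the position of 'ip' does not matter
    and it is neither rejected nor dropped.
    """
    m = OR_BLOCK.match(text.strip())
    if not m:
        raise ValueError("not an or-block: %r" % text)
    names = [n for n in re.split(r"\s+or\s+", m.group(1)) if n]
    if not names:
        raise ValueError("empty or-block")
    for n in names:
        if n != WILDCARD and n not in PROTOCOLS:
            raise ValueError("unknown protocol %r" % n)
    return names


def matches(names, proto_num):
    """True if a packet with IP protocol number proto_num matches the block."""
    return any(n == WILDCARD or PROTOCOLS[n] == proto_num for n in names)


def is_always_true(names):
    """An or-block containing the wildcard matches every protocol."""
    return WILDCARD in names


def drop_wildcard(names):
    """Model what the reported ipfw stored: the same block with 'ip' omitted."""
    return [n for n in names if n != WILDCARD]


def demo():
    """Compare the rule the user typed with the rule ipfw actually installed."""
    intended = parse_or_block("{ ip or igmp or ggp or eigrp }")
    stored = drop_wildcard(intended)
    icmp = PROTOCOLS["icmp"]
    return {
        "intended_matches_icmp": matches(intended, icmp),  # deny would hit ping
        "stored_matches_icmp": matches(stored, icmp),      # ping passes
        "intended_always_true": is_always_true(intended),
    }


if __name__ == "__main__":
    print(demo())
```

The practical takeaway is the silent narrowing: a deny rule written with "ip" in the block is meant to deny everything, but the stored rule only denies the listed protocols. A parser that either keeps "ip" (making the block always true, as the comment above notes) or rejects the combination with a clear message is preferable to one that accepts the rule and quietly drops the element.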