IPFW confused on allow and deny

I have set up IPFW in FreeBSD 11.

The type in rc.conf is open and it is working:

```
firewall_type="open"
```
When I check the rules I see this:
```
$ sudo ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
65000 allow ip from any to any
65535 deny ip from any to any
```
I am confused about the last two lines.
Does rule 65535 override 65000 and deny all connections?
But my server's connections are all working fine?
 
When a packet enters the IPFW firewall, it is compared against the first rule in the ruleset and progresses one rule at a time, moving from top to bottom in sequence. When the packet matches the selection parameters of a rule, the rule's action is executed and the search of the ruleset terminates for that packet. This is referred to as “first match wins”. If the packet does not match any of the rules, it gets caught by the mandatory IPFW default rule number 65535, which denies all packets and silently discards them. However, if the packet matches a rule that contains the count, skipto, or tee keywords, the search continues. Refer to ipfw(8) for details on how these keywords affect rule processing.
 
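As an added illustration (not part of any post above), here is a small Python model of the "first match wins" walk described in the answer, run over a constructed subset of the IPv4/IPv6 address rules from the question (the ipv6-icmp rules are left out to keep the matcher short). It shows that the allow at 65000 is reached before the default 65535, that the same packet only falls through to the default deny once 65000 is removed, and how a `count` rule lets the search continue.

```python
import ipaddress

# Constructed subset of the rule list in the question:
# (number, action, proto, src, dst, via). "any" matches everything.
RULES = [
    (100,   "allow", "ip", "any",         "any",          "lo0"),
    (200,   "deny",  "ip", "any",         "127.0.0.0/8",  None),
    (300,   "deny",  "ip", "127.0.0.0/8", "any",          None),
    (400,   "deny",  "ip", "any",         "::1/128",      None),
    (500,   "deny",  "ip", "::1/128",     "any",          None),
    (65000, "allow", "ip", "any",         "any",          None),
    (65535, "deny",  "ip", "any",         "any",          None),  # mandatory default rule
]

def _addr_match(spec, addr):
    """'any' matches every address; otherwise require same IP version and CIDR membership."""
    if spec == "any":
        return True
    net = ipaddress.ip_network(spec, strict=False)
    ip = ipaddress.ip_address(addr)
    return ip.version == net.version and ip in net

def _rule_matches(rule, pkt):
    _, _, proto, src, dst, via = rule
    if proto != "ip" and proto != pkt["proto"]:   # "ip" matches any protocol
        return False
    if via is not None and via != pkt.get("iface"):
        return False
    return _addr_match(src, pkt["src"]) and _addr_match(dst, pkt["dst"])

def evaluate(rules, pkt):
    """Walk the rules in numeric order. The first matching allow/deny decides
    the packet; a matching 'count' rule is recorded and the search continues,
    mirroring the ipfw behaviour described in the answer."""
    counted = []
    for rule in sorted(rules, key=lambda r: r[0]):
        if not _rule_matches(rule, pkt):
            continue
        number, action = rule[0], rule[1]
        if action == "count":
            counted.append(number)
            continue
        return number, action, counted
    raise RuntimeError("ruleset has no default rule")  # unreachable while 65535 is present

if __name__ == "__main__":
    pkt = {"proto": "tcp", "src": "10.0.0.5", "dst": "192.168.1.1", "iface": "em0"}
    print(evaluate(RULES, pkt))                                   # (65000, 'allow', [])
    print(evaluate([r for r in RULES if r[0] != 65000], pkt))     # (65535, 'deny', [])
```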
For router guys like me, more so in the old days than now, we would also organize our rules list such that where possible, frequently hit rules would be closer to the top of the list than the bottom.
 