Subject: Re: ip filter and logging
To: NetBSD Networking Technical Discussion List <tech-net@netbsd.org>
From: Andrew Brown <atatat@atatdot.net>
List: tech-net
Date: 04/13/2000 09:23:26
>> >since it seems (to me, at least) that "quick" and "log" don't work
>> >with "count" lines.  am i wrong?  if so, what am i doing wrong?  i'm
>> >not trying to block any traffic at this time, just characterize it.
>> 
>> to clarify: it seems to me that "count log" doesn't log anything (but
>> it does count it) and that "count quick" doesn't actually terminate
>> ruleset processing (a subsequent "pass" will also see it) but it does
>> prevent it from being counted again.
>
>RTFM?  "count" is a separate action from 'block' and 'log', and "count"
>isn't one of the "options" that can be used with any action.

i did rtfm.  several times, in fact.  and they are f.  :)

i understand that "count" is separate from "block" and "pass" (and
"log").  "count" is not an option, but an action, whereas "log" has
the distinction of being an action *and* an option.  i think that if
"count" was an option, that'd be the answer to my situation.

fwiw - i also find that with default pass and only "log" (ie, no
"pass", "block", or "count" lines) lines in my ipf.conf, my machine
becomes unreachable.  is perhaps the "log" action short for "block
log"?

see darren's previous email on the order of rule evaluation.

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org             * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
andrew@crossbar.com       * "information is power -- share the wealth."