kern/63961: ipfw2 uid matching doesn't work correctly

Rojer myself at rojer.pp.ru
Mon Mar 8 20:00:33 PST 2004


>Number:         63961
>Category:       kern
>Synopsis:       ipfw2 uid matching doesn't work correctly
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Mar 08 20:00:32 PST 2004
>Closed-Date:
>Last-Modified:
>Originator:     Rojer
>Release:        5.2.1
>Organization:
>Environment:
FreeBSD gw.hq.rojer.pp.ru 5.2.1-RELEASE-p1 FreeBSD 5.2.1-RELEASE-p1 #5: Sat Mar  6 03:33:29 MSK 2004     rojer at gw.hq.rojer.pp.ru:/usr/obj/usr/src/sys/RojerHQ  i386
>Description:
uid matching doesn't work with 'setup' rules
e.g. the following rule

pass tcp from any to me 49152-65535 uid ftp setup

is syntactically correct but won't ever match while it would be nice if it did. seems like uid is not yet known for packets with tcpflags syn,!ack. but why is it so? the destination port is known and listening socket is already established so it should be possible to match uid of incoming 'setup' packets.

facing the fact that i cannot filter by uid and setup conditions at the same time, i wrote the following rules:

# allow syn-packets
add pass tcp from any to me 49152-65535 setup
# allow syn-ack packets originating from ftp
add pass log tcp from me to any tcpflags syn,ack uid ftp
# deny all other syn-ack packets
add drop log tcp from me 49152-65535 to any tcpflags syn,ack

the idea was to allow only the ftp server to listen at high ports.
to my surprise, no packets matched the second rule and passive ftp data connections wouldn't be established. to me this is clearly a bug which is why i'm submitting it.

at last, negation of uid condition doesn't seem to work
trying to
 add pass log tcp from me to any uid \!ftp
simply gives an error saying that "uid "!ftp" nonexistent"
and writing it like this
 add pass log tcp from me to any not uid ftp
gives exactly the opposite:
01000 allow log tcp from me to any uid ftp

>How-To-Repeat:
      
>Fix:

>Release-Note:
>Audit-Trail:
>Unformatted: