misc/64694: UID/GID matching in ipfw non-functional
Maxim Konovalov
maxim at macomnet.ru
Fri Mar 26 11:30:40 PST 2004
The following reply was made to PR misc/64694; it has been noted by GNATS.
From: Maxim Konovalov <maxim at macomnet.ru>
To: Grant Millar <co0lkizz at btinternet.com>
Cc: bug-followup at freebsd.org
Subject: Re: misc/64694: UID/GID matching in ipfw non-functional
Date: Fri, 26 Mar 2004 22:29:39 +0300 (MSK)
On Thu, 25 Mar 2004, 02:39-0800, Grant Millar wrote:
[...]
> >Description:
> When adding the following rules, uid matching on ipfw is totally
> ignored: as we can see, no packets are getting through on the IP with
> uid matching enabled; packets are allowed in but not out.
>
> 00100 3 144 allow tcp from any to 66.X.X.2
> 00200 0 0 allow tcp from 66.X.X.2 to any uid root
> 00300 3 132 deny tcp from 66.X.X.2 to any
> 65535 28440 2522637 allow ip from any to any
>
> Clearly you can see this is a substantial problem, as now we cannot
> restrict access to IPs, which could cause problems. I've also tried to
> solve this problem by upgrading to 5.2.1-RELEASE but had exactly the
> same problem.
Are you sure the traffic from 66.X.X.2 is coming to a socket owned by
root? Moreover, uid matching is working for me on 5.2-CURRENT:
# ipfw sh 8000
08000 39 7626 count tcp from 195.128.64.0/24 to any uid maxim
08000 2 168 count tcp from 195.128.64.0/24 to any uid root
# sleep 10 && ipfw sh 8000
08000 397 83906 count tcp from 195.128.64.0/24 to any uid maxim
--------------^^^^^ my ssh session
08000 2 168 count tcp from 195.128.64.0/24 to any uid root
--
Maxim Konovalov
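The point of the reply above is that ipfw's uid option matches on the owner of the local socket, not on the address, so a rule like "allow ... uid root" passes nothing if the connections from that address belong to other users. The script below is an added diagnostic, not part of the PR or of FreeBSD: it takes the output of sockstat -4 -c (here a constructed sample using the documentation address 192.0.2.2 and made-up user names), lists which users actually own sockets bound to the address, and emits one count rule per owner at a shared rule number, the same technique as the maxim/root pair shown in the reply, so that ipfw show reveals which uid the outbound traffic really matches before an allow/deny pair is committed.

```shell
#!/bin/sh
# Added diagnostic for ipfw 'uid' rules (example code, not from the PR).
# ipfw matches 'uid' against the owner of the local socket, so find out
# which users own sockets on the address before writing per-uid rules.
#
# CONSTRUCTED sample in the column layout of FreeBSD 'sockstat -4 -c';
# address 192.0.2.2 and the user names are illustrative only.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812    4 tcp4   192.0.2.2:22          198.51.100.7:51022
grant    sshd       813    4 tcp4   192.0.2.2:22          198.51.100.7:51022
www      httpd      901    3 tcp4   192.0.2.2:80          *:*
grant    fetch      944    3 tcp4   192.0.2.2:61234       203.0.113.9:80'

# socket_owners SOCKSTAT_TEXT ADDR
#   Prints the distinct users owning tcp4 sockets whose local address is
#   ADDR, one per line, sorted. The header line (NR == 1) is skipped.
socket_owners() {
    printf '%s\n' "$1" | awk -v addr="$2" '
        NR > 1 && $5 == "tcp4" {
            split($6, a, ":")          # "192.0.2.2:22" -> a[1] = address
            if (a[1] == addr) seen[$1] = 1
        }
        END { for (u in seen) print u }' | sort
}

# count_rules ADDR BASE USER...
#   Emits one 'ipfw add BASE count tcp from ADDR to any uid USER' per user.
#   Giving every rule the same number keeps them together in 'ipfw show BASE',
#   and the packet/byte counters then tell which uid the traffic hits.
count_rules() {
    addr=$1
    base=$2
    shift 2
    for u in "$@"; do
        printf 'ipfw add %s count tcp from %s to any uid %s\n' "$base" "$addr" "$u"
    done
}

# Stand-alone use: ./uidcheck.sh --demo
if [ "${1:-}" = "--demo" ]; then
    users=$(socket_owners "$SAMPLE_SOCKSTAT" 192.0.2.2)
    echo "socket owners on 192.0.2.2:"
    printf '  %s\n' $users
    echo "count rules to load for a diagnosis:"
    # shellcheck disable=SC2086
    count_rules 192.0.2.2 8000 $users
fi
```

On a live host, replace the sample with `sockstat -4 -c` output and load the emitted count rules ahead of the allow/deny pair; if only the non-root counters move, the "uid root" rule was never going to match that traffic and the deny rule behind it is what is blocking it.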