misc/64694: UID/GID matching in ipfw non-functional

Kris Kennaway kris at obsecurity.org
Fri Mar 26 20:10:10 PST 2004


The following reply was made to PR misc/64694; it has been noted by GNATS.

From: Kris Kennaway <kris at obsecurity.org>
To: Grant Millar <co0lkizz at btinternet.com>
Cc: freebsd-gnats-submit at FreeBSD.org
Subject: Re: misc/64694: UID/GID matching in ipfw non-functional
Date: Fri, 26 Mar 2004 20:04:19 -0800

 --98e8jtXdkpgskNou
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: inline
 Content-Transfer-Encoding: quoted-printable
 
 On Thu, Mar 25, 2004 at 02:39:44AM -0800, Grant Millar wrote:
 
 > >Description:
 >       When adding the following rules uid matching on ipfw is totally=20
 > ignored as we can see no packets are getting through on the ip with=20
 > uid maching enabled, packets are allowed in but not out.
 >=20
 > 00100     3     144 allow tcp from any to 66.X.X.2
 > 00200     0       0 allow tcp from 66.X.X.2 to any uid root
 > 00300     3     132 deny tcp from 66.X.X.2 to any
 > 65535 28440 2522637 allow ip from any to any
 >=20
 > Clearly you can see this is a substantial problem as now we cannot
 > restrict access to ip's which could cause problems, i've also tried to
 > solve this problem by upgrading to 5.2.1-RELEASE but had exactly the
 > same problem.
 
 You forgot to mention details of your network configuration, and how
 you are testing this.  It's possible your expectations are wrong.
 
 Kris
 
 --98e8jtXdkpgskNou
 Content-Type: application/pgp-signature
 Content-Disposition: inline
 
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.2.4 (FreeBSD)
 
 iD8DBQFAZP1DWry0BWjoQKURAq2VAKDNy3oFG/daPf29fvsd74Xrqx0unwCg+hdb
 GKxi5zf1CYCHiDL+sA0sIi8=
 =icbO
 -----END PGP SIGNATURE-----
 
 --98e8jtXdkpgskNou--


More information about the freebsd-bugs mailing list