misc/64694: UID/GID matching in ipfw non-functional

Grant Millar Co0lkizz at btinternet.com
Sat Mar 27 02:20:13 PST 2004


The following reply was made to PR misc/64694; it has been noted by GNATS.

From: "Grant Millar" <Co0lkizz at btinternet.com>
To: <freebsd-gnats-submit at FreeBSD.org>, <co0lkizz at btinternet.com>
Cc:  
Subject: Re: misc/64694: UID/GID matching in ipfw non-functional
Date: Sat, 27 Mar 2004 10:14:16 -0000

 My current network configuration I have kept simple to ensure that this
 could not be a problem. 66.X.X.2 is an alias of fxp0,
 
 defaultrouter="66.X.X.225"
 hostname="uneix.com"
 ifconfig_fxp0="inet 66.X.X.236  netmask 255.255.255.224"
 ifconfig_fxp0_alias0="inet 66.X.X.2  netmask 255.255.255.255"
 firewall_enable="YES"
 kern_securelevel_enable="NO"
 linux_enable="YES"
 nfs_reserved_port_only="YES"
 sendmail_enable="YES"
 sshd_enable="YES"
 usbd_enable="YES"
 
 ifconfig shows this to be working correctly,
 uneix# ifconfig
 fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
         inet 66.90.89.236 netmask 0xffffffe0 broadcast 66.90.89.255
         inet6 fe80::250:8bff:fe67:da46%fxp0 prefixlen 64 scopeid 0x1
 	  inet 66.X.X.2 netmask 0xffffffff broadcast 66.X.X.2
 
 Also traffic gets through if I take out the uid,
 uneix# ipfw sh
 00100     64      6804 allow tcp from 66.X.X.2 to any
 00200     88      5152 allow tcp from any to 66.X.X.2
 00300      0         0 deny tcp from 66.X.X.2 to any
 65535 336537 151671807 allow ip from any to any
 
 httpd     208  root   16u  IPv4 0xdcd94dc0      0t0  TCP *:http (LISTEN)
 sshd      134  root    4u  IPv4 0xdcd8ae00      0t0  TCP *:ssh (LISTEN)
                ^^^^ sshd & httpd are listening on a root socket.
 
 Just to make sure this is not the problem, the user we want to ssh with
 is added,
 uneix# ipfw sh
 00100      0         0 allow tcp from 66.X.X.2 to any uid root
 00110      0         0 allow tcp from 66.X.X.2 to any uid admin
 00200     93      5392 allow tcp from any to 66.X.X.2
 00300      5       220 deny tcp from 66.X.X.2 to any
 65535 338579 151962909 allow ip from any to any
 
 As you can see it is still denying the packets from both http and ssh.
 
 Grant
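
An added example, not part of Grant's report or of ipfw itself: a small Python checker that parses `ipfw show` counter output (the constructed sample copies the second listing above) and flags uid/gid-qualified allow rules that have matched nothing while a later deny for the same source is counting packets, which is the symptom the report describes. The rule-line layout and the `from X to Y` body shape are assumed from the listings on this page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, modelled on the `ipfw show` listing in the report above.
IPFW_SHOW = """\
00100      0         0 allow tcp from 66.X.X.2 to any uid root
00110      0         0 allow tcp from 66.X.X.2 to any uid admin
00200     93      5392 allow tcp from any to 66.X.X.2
00300      5       220 deny tcp from 66.X.X.2 to any
65535 338579 151962909 allow ip from any to any
"""

@dataclass
class Rule:
    number: int
    packets: int
    nbytes: int
    action: str            # "allow", "deny", ...
    body: str              # e.g. "tcp from 66.X.X.2 to any uid root"
    owner: Optional[str]   # uid/gid qualifier such as "uid root", or None

# `ipfw show` columns: rule number, packet count, byte count, then the rule text.
LINE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.*)$")
OWNER_RE = re.compile(r"\b(uid|gid)\s+(\S+)")
SRC_RE = re.compile(r"\bfrom\s+(\S+)\s+to\b")

def parse_ipfw_show(text: str) -> List[Rule]:
    rules = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank lines or anything that is not a rule line
        num, pkts, byts, action, body = m.groups()
        o = OWNER_RE.search(body)
        owner = f"{o.group(1)} {o.group(2)}" if o else None
        rules.append(Rule(int(num), int(pkts), int(byts), action, body, owner))
    return rules

def source_of(body: str) -> Optional[str]:
    m = SRC_RE.search(body)
    return m.group(1) if m else None

def shadowed_owner_rules(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Pairs (allow_rule, deny_rule): the allow carries a uid/gid qualifier and has
    matched no packets, while a later deny for the same source has counted some."""
    findings = []
    for i, r in enumerate(rules):
        if r.owner is None or r.action != "allow" or r.packets != 0:
            continue
        src = source_of(r.body)
        for later in rules[i + 1:]:
            if later.action == "deny" and source_of(later.body) == src and later.packets > 0:
                findings.append((r.number, later.number))
                break
    return findings
```

Zero counters on a uid rule only show that nothing matched it; they do not by themselves say why, so treat a finding as a prompt to test the rule without the qualifier, as the report does.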
 