misc/64694: UID/GID matching in ipfw non-functional
Grant Millar
Co0lkizz at btinternet.com
Sat Mar 27 02:20:13 PST 2004
The following reply was made to PR misc/64694; it has been noted by GNATS.
From: "Grant Millar" <Co0lkizz at btinternet.com>
To: <freebsd-gnats-submit at FreeBSD.org>, <co0lkizz at btinternet.com>
Cc:
Subject: Re: misc/64694: UID/GID matching in ipfw non-functional
Date: Sat, 27 Mar 2004 10:14:16 -0000
My current network configuration I have kept simple to ensure that this could not be a problem. 66.X.X.2 is an alias of fxp0,
defaultrouter="66.X.X.225"
hostname="uneix.com"
ifconfig_fxp0="inet 66.X.X.236 netmask 255.255.255.224"
ifconfig_fxp0_alias0="inet 66.X.X.2 netmask 255.255.255.255"
firewall_enable="YES"
kern_securelevel_enable="NO"
linux_enable="YES"
nfs_reserved_port_only="YES"
sendmail_enable="YES"
sshd_enable="YES"
usbd_enable="YES"
ifconfig shows this to be working correctly,
uneix# ifconfig
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 66.90.89.236 netmask 0xffffffe0 broadcast 66.90.89.255
inet6 fe80::250:8bff:fe67:da46%fxp0 prefixlen 64 scopeid 0x1
inet 66.X.X.2 netmask 0xffffffff broadcast 66.X.X.2
Also, traffic gets through if I take out the uid:
uneix# ipfw sh
00100 64 6804 allow tcp from 66.X.X.2 to any
00200 88 5152 allow tcp from any to 66.X.X.2
00300 0 0 deny tcp from 66.X.X.2 to any
65535 336537 151671807 allow ip from any to any
httpd 208 root 16u IPv4 0xdcd94dc0 0t0 TCP *:http (LISTEN)
sshd 134 root 4u IPv4 0xdcd8ae00 0t0 TCP *:ssh (LISTEN)
^^^^ sshd & httpd are listening on a root socket.
Just to make sure this is not the problem, the user we want to ssh with is added:
uneix# ipfw sh
00100 0 0 allow tcp from 66.X.X.2 to any uid root
00110 0 0 allow tcp from 66.X.X.2 to any uid admin
00200 93 5392 allow tcp from any to 66.X.X.2
00300 5 220 deny tcp from 66.X.X.2 to any
65535 338579 151962909 allow ip from any to any
As you can see it is still denying the packets from both http and ssh.
Grant
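The diagnostic the report walks through, as an added example that is not part of the original message or of FreeBSD: compare the packet counters in `ipfw show` output and flag uid/gid-qualified allow rules that never increment while a later deny rule on the same host does. The two rulesets embedded below are constructed copies of the counters quoted above (the working one without uid, the failing one with uid); the function and variable names are assumptions for this example, and in practice you would feed it `ipfw show` directly.

```shell
#!/bin/sh
# Added example, not code from the PR or from FreeBSD.
# Reads 'ipfw show' output (rule packets bytes action ...) and prints the
# numbers of 'allow' rules carrying a uid/gid qualifier whose packet
# counter is still zero, but only when a later 'deny' rule has hits, which
# is the signature of a uid/gid match that is not taking effect.

# Constructed sample: the failing ruleset quoted in the report.
SAMPLE_UID='00100 0 0 allow tcp from 66.X.X.2 to any uid root
00110 0 0 allow tcp from 66.X.X.2 to any uid admin
00200 93 5392 allow tcp from any to 66.X.X.2
00300 5 220 deny tcp from 66.X.X.2 to any
65535 338579 151962909 allow ip from any to any'

# Constructed sample: the working ruleset with the uid qualifier removed.
SAMPLE_NOUID='00100 64 6804 allow tcp from 66.X.X.2 to any
00200 88 5152 allow tcp from any to 66.X.X.2
00300 0 0 deny tcp from 66.X.X.2 to any
65535 336537 151671807 allow ip from any to any'

# unmatched_uid_rules RULESET
# Prints one rule number per line; prints nothing if the ruleset looks healthy.
unmatched_uid_rules() {
    printf '%s\n' "$1" | awk '
        # candidate: zero-hit allow rule with a uid or gid qualifier
        $4 == "allow" && $2 == 0 && /uid|gid/ { cand[n++] = $1 }
        # first deny rule that actually matched traffic
        $4 == "deny" && $2 > 0 && !hit { hit = $1 }
        END {
            for (i = 0; i < n; i++)
                if (hit && cand[i] + 0 < hit + 0) print cand[i]
        }'
}

# Live use: unmatched_uid_rules "$(ipfw show)"
echo "failing ruleset:"
unmatched_uid_rules "$SAMPLE_UID"
echo "working ruleset:"
unmatched_uid_rules "$SAMPLE_NOUID"
```

Only rules numbered below the first deny that has hits are reported, so an unused allow rule placed after the deny is not mistaken for a broken match.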