misc/64694: UID/GID matching in ipfw non-functional
Grant Millar
Co0lkizz at btinternet.com
Sat Mar 27 02:50:17 PST 2004
The following reply was made to PR misc/64694; it has been noted by GNATS.
From: "Grant Millar" <Co0lkizz at btinternet.com>
To: <freebsd-gnats-submit at FreeBSD.org>, <co0lkizz at btinternet.com>
Cc:
Subject: Re: misc/64694: UID/GID matching in ipfw non-functional
Date: Sat, 27 Mar 2004 10:46:10 -0000
Also, to test this further, the following rules were implemented:
uneix# ipfw sh
00100 57 6148 allow tcp from 66.90.98.2 to any uid root
00110 0 0 allow tcp from 66.90.98.2 to any uid admin
00210 76 4560 allow tcp from any to 66.90.98.2
65535 343883 152658276 allow ip from any to any
As you can see, without the deny, ssh is getting through on the uid root rule.
When we add the deny rule:
uneix# ipfw sh
00100 57 6148 allow tcp from 66.90.98.2 to any uid root
00110 0 0 allow tcp from 66.90.98.2 to any uid admin
00210 83 4880 allow tcp from any to 66.90.98.2
00310 5 220 deny tcp from 66.90.98.2 to any
65535 344754 152866998 allow ip from any to any
Let's see what the logs say by implementing the following rules:
uneix# ipfw sh
00100 0 0 allow log tcp from 66.90.98.2 to any uid root
00200 0 0 allow log tcp from 66.90.98.2 to any uid admin
00300 6 288 allow tcp from any to 66.90.98.2
00400 6 264 deny log tcp from 66.90.98.2 to any
65535 346401 153038817 allow ip from any to any
Mar 27 10:37:18 uneix /kernel: ipfw: 400 Deny TCP 66.90.98.2:22 81.128.227.64:22802 out via fxp0
Mar 27 10:37:27 uneix last message repeated 2 times
Mar 27 10:38:19 uneix /kernel: ipfw: 400 Deny TCP 66.90.98.2:80 81.128.227.64:22803 out via fxp0
Mar 27 10:38:28 uneix last message repeated 2 times
Just shows that all packets are being denied.
When the uid is taken out:
uneix# ipfw sh
00100 59 3620 allow tcp from any to 66.90.98.2
00200 40 5196 allow log tcp from 66.90.98.2 to any
00300 0 0 deny log tcp from 66.90.98.2 to any
65535 347770 153146748 allow ip from any to any
Mar 27 10:41:33 uneix /kernel: ipfw: 200 Accept TCP 66.90.98.2:22 81.128.227.64:22804 out via fxp0
Mar 27 10:41:51 uneix last message repeated 39 times
The packets are accepted.
Here is the ssh socket showing it owned by root:
sshd 4722 root 5u IPv4 0xdcd94940 0t0 TCP 66.90.98.2:ssh->host81-128-227-64.inaddr.btopenworld.com:22804 (ESTABLISHED)
Grant
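To make the comparison in the report above mechanical, here is an added example (not part of the PR, and not ipfw's own code) that parses the `ipfw show` counters and the kernel log lines quoted in the message, expands syslog's "last message repeated N times" lines onto the preceding ipfw line, and flags uid/gid-qualified rules that counted no packets while a later unqualified rule did. The sample data is copied from the message; the function names are assumptions of this example.

```python
import re

# `ipfw show` output and kernel log lines copied from the PR message above (uid-qualified run).
IPFW_SHOW = """\
00100 0 0 allow log tcp from 66.90.98.2 to any uid root
00200 0 0 allow log tcp from 66.90.98.2 to any uid admin
00300 6 288 allow tcp from any to 66.90.98.2
00400 6 264 deny log tcp from 66.90.98.2 to any
65535 346401 153038817 allow ip from any to any
"""
IPFW_LOG = """\
Mar 27 10:37:18 uneix /kernel: ipfw: 400 Deny TCP 66.90.98.2:22 81.128.227.64:22802 out via fxp0
Mar 27 10:37:27 uneix last message repeated 2 times
Mar 27 10:38:19 uneix /kernel: ipfw: 400 Deny TCP 66.90.98.2:80 81.128.227.64:22803 out via fxp0
Mar 27 10:38:28 uneix last message repeated 2 times
"""

RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(.+)$")
LOG_RE = re.compile(r"ipfw: (\d+) (Accept|Deny) ")

def parse_ipfw_show(text):
    """Map rule number -> (packets, bytes, rule body) from `ipfw show` output."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules[int(m[1])] = (int(m[2]), int(m[3]), m[4])
    return rules

def parse_ipfw_log(text):
    """Map (rule number, action) -> packets logged, expanding syslog's 'last message repeated N times'."""
    hits, last = {}, None
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            last = (int(m[1]), m[2])
            hits[last] = hits.get(last, 0) + 1
            continue
        r = re.search(r"last message repeated (\d+) times", line)
        if r and last:
            hits[last] += int(r[1])  # the repeat applies to the preceding ipfw line
    return hits

def unmatched_uid_gid_rules(rules):
    """uid/gid rules that counted zero packets while a later qualifier-free rule did (the PR symptom)."""
    has_qual = lambda body: re.search(r"\b(uid|gid)\s", body) is not None
    return sorted(n for n, (pkts, _, body) in rules.items()
                  if has_qual(body) and pkts == 0
                  and any(p > 0 and not has_qual(b) for k, (p, _, b) in rules.items() if k > n))
```

For the run quoted above, the uid rules 100 and 200 are flagged, and the six packets logged against rule 400 equal its `ipfw show` counter.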