misc/64694: UID/GID matching in ipfw non-functional

Grant Millar Co0lkizz at btinternet.com
Sat Mar 27 02:50:17 PST 2004


The following reply was made to PR misc/64694; it has been noted by GNATS.

From: "Grant Millar" <Co0lkizz at btinternet.com>
To: <freebsd-gnats-submit at FreeBSD.org>, <co0lkizz at btinternet.com>
Cc:  
Subject: Re: misc/64694: UID/GID matching in ipfw non-functional
Date: Sat, 27 Mar 2004 10:46:10 -0000

 Also, to test this further, the following rules were implemented:
 
 uneix# ipfw sh
 00100     57      6148 allow tcp from 66.90.98.2 to any uid root
 00110      0         0 allow tcp from 66.90.98.2 to any uid admin
 00210     76      4560 allow tcp from any to 66.90.98.2
 65535 343883 152658276 allow ip from any to any
 
 As you can see, without the deny, ssh is getting through on the uid root
 rule.
 
 When we add the deny rule:
 
 uneix# ipfw sh
 00100     57      6148 allow tcp from 66.90.98.2 to any uid root
 00110      0         0 allow tcp from 66.90.98.2 to any uid admin
 00210     83      4880 allow tcp from any to 66.90.98.2
 00310      5       220 deny tcp from 66.90.98.2 to any
 65535 344754 152866998 allow ip from any to any
 
 Let's see what the logs say by implementing the following rules:
 uneix# ipfw sh
 00100      0         0 allow log tcp from 66.90.98.2 to any uid root
 00200      0         0 allow log tcp from 66.90.98.2 to any uid admin
 00300      6       288 allow tcp from any to 66.90.98.2
 00400      6       264 deny log tcp from 66.90.98.2 to any
 65535 346401 153038817 allow ip from any to any
 
 Mar 27 10:37:18 uneix /kernel: ipfw: 400 Deny TCP 66.90.98.2:22 81.128.227.64:22802 out via fxp0
 Mar 27 10:37:27 uneix last message repeated 2 times
 Mar 27 10:38:19 uneix /kernel: ipfw: 400 Deny TCP 66.90.98.2:80 81.128.227.64:22803 out via fxp0
 Mar 27 10:38:28 uneix last message repeated 2 times
 
 Just shows that all packets are being denied.
 
 When the uid is taken out:
 uneix# ipfw sh
 00100     59      3620 allow tcp from any to 66.90.98.2
 00200     40      5196 allow log tcp from 66.90.98.2 to any
 00300      0         0 deny log tcp from 66.90.98.2 to any
 65535 347770 153146748 allow ip from any to any
 
 Mar 27 10:41:33 uneix /kernel: ipfw: 200 Accept TCP 66.90.98.2:22 81.128.227.64:22804 out via fxp0
 Mar 27 10:41:51 uneix last message repeated 39 times
 
 The packets are accepted.
 
 Here is the ssh socket showing it owned by root:
 sshd     4722  root    5u  IPv4 0xdcd94940      0t0  TCP 66.90.98.2:ssh->host81-128-227-64.inaddr.btopenworld.com:22804 (ESTABLISHED)
 
 Grant
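The comparison made by hand in this report (uid/gid-qualified rules sitting at zero while a later catch-all rule for the same source logs the traffic, and log hit counts agreeing with the `ipfw show` packet counters) can be automated. The script below is an added example written for this page, not code from the PR or from FreeBSD; it parses `ipfw show` listings and `ipfw:` kernel log lines of the shape quoted above, expands syslog's "last message repeated N times", and reports uid/gid rules that never matched although their source address appears in logged hits elsewhere. The sample listings are constructed to mirror the ones in the message, and the `rsplit(":")` handling of the address:port field assumes IPv4 addresses as in the report.

```python
"""Cross-check ipfw rule counters against ipfw kernel log lines (added example)."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple


class Rule(NamedTuple):
    number: int
    packets: int
    bytes: int
    body: str        # rule text after the counters, e.g. "allow tcp from ... uid root"


class LogHit(NamedTuple):
    rule: int
    action: str      # "Accept" or "Deny"
    proto: str
    src: str         # "addr:port"
    dst: str         # "addr:port"
    direction: str   # "in" or "out"
    iface: str


# Constructed sample input modelled on the `ipfw show` listing and the log lines in the PR.
SAMPLE_SHOW = """\
00100      0         0 allow log tcp from 66.90.98.2 to any uid root
00200      0         0 allow log tcp from 66.90.98.2 to any uid admin
00300      6       288 allow tcp from any to 66.90.98.2
00400      6       264 deny log tcp from 66.90.98.2 to any
65535 346401 153038817 allow ip from any to any
"""

SAMPLE_LOG = """\
Mar 27 10:37:18 uneix /kernel: ipfw: 400 Deny TCP 66.90.98.2:22 81.128.227.64:22802 out via fxp0
Mar 27 10:37:27 uneix last message repeated 2 times
Mar 27 10:38:19 uneix /kernel: ipfw: 400 Deny TCP 66.90.98.2:80 81.128.227.64:22803 out via fxp0
Mar 27 10:38:28 uneix last message repeated 2 times
"""

SHOW_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.+?)\s*$")
LOG_RE = re.compile(r"ipfw: (\d+) (\w+) (\w+) (\S+) (\S+) (in|out) via (\S+)")
REPEAT_RE = re.compile(r"last message repeated (\d+) times")


def parse_show(text: str) -> List[Rule]:
    """Parse `ipfw show` output: rule number, packet counter, byte counter, rule body."""
    rules = []
    for line in text.splitlines():
        m = SHOW_RE.match(line)
        if m:
            rules.append(Rule(int(m[1]), int(m[2]), int(m[3]), m[4]))
    return rules


def parse_log(text: str) -> List[LogHit]:
    """Parse ipfw kernel log lines, expanding 'last message repeated N times' into N extra hits."""
    hits: List[LogHit] = []
    last = None
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            last = LogHit(int(m[1]), m[2], m[3], m[4], m[5], m[6], m[7])
            hits.append(last)
            continue
        r = REPEAT_RE.search(line)
        if r and last is not None:
            hits.extend([last] * int(r[1]))
    return hits


def hits_per_rule(hits: List[LogHit]) -> Counter:
    return Counter(h.rule for h in hits)


def is_uid_gid_rule(rule: Rule) -> bool:
    return re.search(r"\b(uid|gid)\s+\S+", rule.body) is not None


def source_of(rule: Rule) -> str:
    m = re.search(r"\bfrom\s+(\S+)", rule.body)
    return m[1] if m else ""


def silent_uid_rules(rules: List[Rule], hits: List[LogHit]) -> List[int]:
    """uid/gid rules with zero packets whose 'from' address nevertheless shows up as the
    source of logged hits on some other rule: the symptom described in the report."""
    logged_sources = {h.src.rsplit(":", 1)[0] for h in hits}   # assumes IPv4 addr:port
    return [r.number for r in rules
            if is_uid_gid_rule(r) and r.packets == 0 and source_of(r) in logged_sources]


def counter_mismatches(rules: List[Rule], hits: List[LogHit]) -> Dict[int, Tuple[int, int]]:
    """Logged rules whose syslog hit count disagrees with the `ipfw show` packet counter."""
    per_rule = hits_per_rule(hits)
    return {r.number: (r.packets, per_rule[r.number])
            for r in rules if "log" in r.body.split() and r.packets != per_rule[r.number]}


if __name__ == "__main__":
    rules = parse_show(SAMPLE_SHOW)
    hits = parse_log(SAMPLE_LOG)
    print("silent uid/gid rules:", silent_uid_rules(rules, hits))   # [100, 200]
    print("counter mismatches:", counter_mismatches(rules, hits))   # {}
```

Run against the constructed sample, the check flags rules 100 and 200 (uid-qualified, zero packets, source 66.90.98.2 logged under rule 400) and finds the six logged rule-400 hits consistent with that rule's packet counter. On a live host the same functions can be fed the output of `ipfw show` and the ipfw lines from the kernel log; a uid rule reported as silent while the counters of a later rule for the same source keep growing is the condition worth alerting on.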
 