Fwd: amd64/97504: IPFW Rules bug

Astrodog astrodog at gmail.com
Sat May 20 09:15:48 PDT 2006


---------- Forwarded message ----------
From: Astrodog <astrodog at gmail.com>
Date: May 20, 2006 10:10 AM
Subject: Re: amd64/97504: IPFW Rules bug
To: Marcelo Machado <marcelo_vt at hotmail.com>


On 5/19/06, Marcelo Machado <marcelo_vt at hotmail.com> wrote:
>
> >Number:         97504
> >Category:       amd64
> >Synopsis:       IPFW Rules bug
> >Confidential:   no
> >Severity:       serious
> >Priority:       medium
> >Responsible:    freebsd-amd64
> >State:          open
> >Quarter:
> >Keywords:
> >Date-Required:
> >Class:          sw-bug
> >Submitter-Id:   current-users
> >Arrival-Date:   Fri May 19 21:40:12 GMT 2006
> >Closed-Date:
> >Last-Modified:
> >Originator:     Marcelo Machado
> >Release:        6.0
> >Organization:   Profit-ti
> >Environment:
> >Description:
> I've added the following rules to the ipfw.rules:
>
>
> ipfw add 100 allow all from 192.168.100.3 to 192.168.100.4
> ipfw add 110 allow all from 192.168.100.4 to 192.168.100.3
> ipfw add 65535 deny all from any to any
>
> With these rules, 192.168.100.3 should ping or interact with 192.168.100.4 normally, but doesn't. But if I add this line:
>
> ipfw add 1 allow all from any to any
>
> they talk to each other normally, but the bigger problem comes next: if I
>
> ipfw delete 1
>
> everything begins to work as it should; only these IPs can talk with each other on the net.
>
> Thanks
> >How-To-Repeat:
>
> >Fix:
> if I add this line:
>
> ipfw add 1 allow all from any to any
>
> they talk to each other normally, but the bigger problem comes next: if I
>
> ipfw delete 1
>
> everything begins to work as it should; only these IPs can talk with each other on the net.
> >Release-Note:
> >Audit-Trail:
> >Unformatted:
>

There's a bit more to two systems talking to each other than the
point-to-point communication: ARP lookups, etc. If you allow all from
anip to anotherip, and allow all from anotherip to anip, you're still
denying everything to broadcast, for example.

As a side note, this isn't AMD64 related. :\
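A small first-match model of the reported ruleset, added here as an illustration and not code from the thread or from FreeBSD. It replays the submitter's steps and shows the verdicts ipfw's lowest-matching-rule-wins evaluation gives for the unicast pair versus the supporting broadcast traffic the reply mentions. Assumptions: ARP is not IP and whether ipfw sees it depends on layer-2 filtering settings, so here it is stood in for by an IP packet to the subnet broadcast address; the hypothetical rule 120 and the address 192.168.100.255 are mine, not the reporter's.

```python
"""Toy first-match model of the ipfw ruleset from the bug report.

Assumption: ARP is modelled as an IP packet to the subnet broadcast
address 192.168.100.255 so the rule-ordering effect is visible.
"""
import ipaddress

REPORTED_RULES = [  # the three rules quoted in the report
    "ipfw add 100 allow all from 192.168.100.3 to 192.168.100.4",
    "ipfw add 110 allow all from 192.168.100.4 to 192.168.100.3",
    "ipfw add 65535 deny all from any to any",
]

def parse_rule(line):
    """Parse 'ipfw add NUM ACTION all from SRC to DST' into a dict."""
    t = line.split()
    if t[:2] != ["ipfw", "add"] or t[5] != "from" or t[7] != "to":
        raise ValueError(f"unsupported rule syntax: {line}")
    return {"num": int(t[2]), "action": t[3], "src": t[6], "dst": t[8]}

def addr_matches(addr, spec):
    """'any' matches everything; otherwise host or CIDR containment."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def first_match(rules, src, dst):
    """ipfw semantics: the lowest-numbered matching rule decides."""
    for r in sorted(rules, key=lambda r: r["num"]):
        if addr_matches(src, r["src"]) and addr_matches(dst, r["dst"]):
            return r["action"], r["num"]
    return "deny", 65535  # implicit default rule

def delete_rule(rules, num):
    return [r for r in rules if r["num"] != num]

def walk_through_report():
    """Replay the submitter's steps; return the verdict at each stage."""
    rules = [parse_rule(l) for l in REPORTED_RULES]
    h3, h4, bcast = "192.168.100.3", "192.168.100.4", "192.168.100.255"
    out = {"unicast": first_match(rules, h3, h4)[0],
           "broadcast": first_match(rules, h3, bcast)[0]}
    rules.append(parse_rule("ipfw add 1 allow all from any to any"))
    out["broadcast_with_rule_1"] = first_match(rules, h3, bcast)[0]
    rules = delete_rule(rules, 1)  # hosts keep whatever they resolved meanwhile
    out["broadcast_after_delete"] = first_match(rules, h3, bcast)[0]
    # Hypothetical fix in the spirit of the reply: permit the broadcast traffic too.
    rules.append(parse_rule("ipfw add 120 allow all from 192.168.100.0/24 to 192.168.100.255"))
    out["broadcast_with_fix"] = first_match(rules, h3, bcast)[0]
    return out

if __name__ == "__main__":
    for stage, verdict in walk_through_report().items():
        print(f"{stage:24s} {verdict}")
```

The model only reports rule verdicts; the fact that the hosts kept talking after `ipfw delete 1` is consistent with them having resolved each other while rule 1 was in place, which is the reply's ARP point and is outside what the model tracks.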
