Uid keyword matches only on loopback interface
Wiktor Niesiobedzki
bsd at w.evip.pl
Sun Nov 16 13:39:33 PST 2003
On Thu, Nov 13, 2003 at 11:47:17AM +0100, Wiktor Niesiobedzki wrote:
> Hi,
>
> After setting up my firewall I saw that only a few packets match the uid keyword.
> From my trivial test it came out that only loopback traffic can be matched. Is
> there some bug lying in here?
>
> The simple rule:
> 00395 0 0 count log tcp from any to any uid root
>
> Will match only:
> Nov 13 11:41:23 portal kernel: ipfw: 395 Count TCP 127.0.0.1:80
> 127.0.0.1:50780 out via lo0
> Nov 13 11:41:23 portal kernel: ipfw: 395 Count TCP 127.0.0.1:50780
> 127.0.0.1:80 in via lo0
> Nov 13 11:41:25 portal kernel: ipfw: 395 Count TCP 127.0.0.1:50780
> 127.0.0.1:80 out via lo0
>
> That kind of traffic. Any traffic going by other interface is not counted.
>
Let me be more precise about my problem.
As far as I checked, in check_uidgid() (line 1318 of ip_fw2.c) the
in_pcblookup_hash() returns NULL for almost every packet during a connection.
I ran for quite a long time with a count rule, which showed that a few thousand
packets matched the rule (during the weekend, with a constant transfer of about 10KB/s from
the watched user). Packets matched the rule only adventitiously.
Does anybody have any clues on how I may debug the problem further?
Cheers,
Wiktor Niesiobedzki
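To confirm the symptom described above (uid matches showing up only on lo0), here is an added example that is not part of the original post or of ipfw itself: a small sh/awk helper that tallies the ipfw log lines for one rule number by direction and interface. The log lines are constructed for the example; `em0` and the non-loopback addresses are placeholders.

```sh
#!/bin/sh
# Tally ipfw log matches for one rule number, grouped by direction and interface.
# Reads syslog-style ipfw lines on stdin, e.g.
#   Nov 13 11:41:23 portal kernel: ipfw: 395 Count TCP 127.0.0.1:80 127.0.0.1:50780 out via lo0
# Usage: ipfw_rule_ifaces RULE_NUMBER < /var/log/security
ipfw_rule_ifaces() {
    awk -v rule="$1" '
        {
            # Locate the "ipfw:" token so syslog prefix length does not matter;
            # the rule number follows it, the interface is the last field and
            # the direction (in/out) sits two fields before "via".
            for (i = 1; i <= NF; i++) {
                if ($i == "ipfw:" && $(i + 1) == rule && $(NF - 1) == "via") {
                    count[$(NF - 2) " " $NF]++
                }
            }
        }
        END {
            for (k in count) print k, count[k]
        }
    ' | sort
}

# Constructed sample log (not real traffic): three loopback hits and one on
# a placeholder interface em0 for rule 395, one unrelated rule 400 line,
# and one non-ipfw kernel message that must be ignored.
sample_log() {
    cat <<'EOF'
Nov 13 11:41:23 portal kernel: ipfw: 395 Count TCP 127.0.0.1:80 127.0.0.1:50780 out via lo0
Nov 13 11:41:23 portal kernel: ipfw: 395 Count TCP 127.0.0.1:50780 127.0.0.1:80 in via lo0
Nov 13 11:41:25 portal kernel: ipfw: 395 Count TCP 127.0.0.1:50780 127.0.0.1:80 out via lo0
Nov 13 11:42:01 portal kernel: ipfw: 395 Count TCP 192.0.2.10:51234 198.51.100.5:80 out via em0
Nov 13 11:42:02 portal kernel: ipfw: 400 Deny TCP 203.0.113.7:4444 192.0.2.10:22 in via em0
Nov 13 11:42:03 portal kernel: em0: link state changed to UP
EOF
}

# Run against the sample; on a live box pipe the real log in instead.
sample_log | ipfw_rule_ifaces 395
```

If every line of the output names lo0 while the watched user is known to be sending traffic over another interface, the uid rule is not matching that traffic and the count rule is behaving as the thread describes.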