Date: Tue, 23 Mar 1999 15:32:07 +0200 (EET)
From: Ruslan Ermilov <ru@ucb.crimea.ua>
To: FreeBSD-gnats-submit@freebsd.org
Subject: kern/10747: ipfirewall `deny' rules act as `reject' for `out' packets
Message-ID: <199903231332.PAA51137@relay.ucb.crimea.ua>
>Number:         10747
>Category:       kern
>Synopsis:       ipfirewall `deny' rules act as `reject' for `out' packets
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Mar 23 05:40:01 PST 1999
>Closed-Date:
>Last-Modified:
>Originator:     Ruslan Ermilov
>Release:        FreeBSD 3.1-STABLE i386
>Organization:
United Commercial Bank
>Environment:
options IPFIREWALL
>Description:
When a packet matches a `deny' rule, it is assumed to be silently dropped,
and no further notification should be sent. Under some circumstances, the
router will send an ICMP host-unreachable message back to the originator.
It's only seen when matching outgoing packets.

The problem is how ip_forward(), ip_output() and ip_fw_chk() interact.
Assume we have the following rules:

    00100 deny ip from any to 1.2.3.4 out
    00200 allow ip from any to any

Host x.x.x.x sends an IP packet to host 1.2.3.4 via this router. On the
router:

    1. ip_input() calls ip_fw_chk(IN)
    2. ip_fw_chk() matches the packet with rule 200
    3. ip_input() decides to forward the packet and calls ip_forward()
    4. ip_forward() calls ip_output()
    5. ip_output() calls ip_fw_chk(OUT)
    6. ip_fw_chk() matches the packet with rule 100 and sets `m' to NULL
    7. ip_output() returns EACCES
    8. ip_forward() calls icmp_error(.., ICMP_UNREACH, ICMP_UNREACH_HOST, ...)

Moreover, if you have the following rules:

    00100 unreach <code> ip from any to 1.2.3.4 out
    00200 allow ip from any to any

the router will send 2 ICMP unreachable messages in reply to the packet.
The first (with the code <code>) will be sent from ip_fw_chk(). Then
ip_forward() will send ICMP host-unreachable. See `how-to-repeat'.
>How-To-Repeat:
router[192.168.1.1]# ipfw l
00100 unreach filter-prohib ip from any to 1.2.3.4 out
00200 allow ip from any to any

host[192.168.1.13]# ping -c1 1.2.3.4

router[192.168.1.1]# tcpdump -t -n -v icmp
tcpdump: listening on fxp0
192.168.1.13 > 1.2.3.4: icmp: echo request (ttl 32, id 21565)
192.168.1.1 > 192.168.1.13: icmp: host 1.2.3.4 unreachable - admin prohibited filter (ttl 255, id 17780)
192.168.1.1 > 192.168.1.13: icmp: host 1.2.3.4 unreachable (ttl 255, id 17781)

Take note of the `id' fields of the last two packets.
>Fix:
No easy fix comes to my mind, sorry.
>Release-Note:
>Audit-Trail:
>Unformatted:
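As an added example (not part of the report or of FreeBSD), a small Python script that parses `tcpdump -t -n -v icmp` lines of the form shown above and flags the symptom the report describes: one probe drawing two ICMP host-unreachable messages from the router (the rule's own code from ip_fw_chk(), then a plain host-unreachable from ip_forward()). The sample capture is the report's three lines re-typed as constructed input, and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the three packets from the report's tcpdump session,
# re-typed here as test input rather than taken from a live capture.
SAMPLE_CAPTURE = """\
tcpdump: listening on fxp0
192.168.1.13 > 1.2.3.4: icmp: echo request (ttl 32, id 21565)
192.168.1.1 > 192.168.1.13: icmp: host 1.2.3.4 unreachable - admin prohibited filter (ttl 255, id 17780)
192.168.1.1 > 192.168.1.13: icmp: host 1.2.3.4 unreachable (ttl 255, id 17781)
"""

LINE_RE = re.compile(r"^(\S+) > (\S+): icmp: (.+?) \(ttl (\d+), id (\d+)\)$")
UNREACH_RE = re.compile(r"^host (\S+) unreachable(?: - (.+))?$")


def parse_capture(text):
    """Parse `tcpdump -t -n -v icmp` lines into dicts: src, dst, msg, ttl, id."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # banner lines such as 'listening on fxp0' are skipped
            continue
        src, dst, msg, ttl, ip_id = m.groups()
        records.append({"src": src, "dst": dst, "msg": msg,
                        "ttl": int(ttl), "id": int(ip_id)})
    return records


def unreachables_by_target(records):
    """Group host-unreachable messages by (router, originator, blocked host).

    Each value is the list of ICMP codes in capture order: the text after
    ' - ' (e.g. 'admin prohibited filter'), or None for a plain host-unreachable.
    """
    groups = defaultdict(list)
    for r in records:
        m = UNREACH_RE.match(r["msg"])
        if m:
            host, code = m.groups()
            groups[(r["src"], r["dst"], host)].append(code)
    return dict(groups)


def leaked_unreachables(records):
    """Return only the groups where one probe drew more than one unreachable.

    For a `deny' rule any entry here is a leak; for an `unreach' rule a trailing
    None after the rule's own code is the extra message from ip_forward().
    """
    return {k: v for k, v in unreachables_by_target(records).items() if len(v) > 1}
```

Running `leaked_unreachables(parse_capture(SAMPLE_CAPTURE))` on the sample yields the single group for 1.2.3.4 with codes `['admin prohibited filter', None]`, i.e. the two replies whose `id' fields the report points at.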