From: "Grant Millar"
Date: Mon, 5 Apr 2004 14:02:05 +0100
Message-ID: <000801c41b0e$326c0a90$0300a8c0@B77>
Subject: FW: misc/64694: UID/GID matching in ipfw non-functional
List-Id: IPFW Technical Discussions

I understand this, but it should not mean that uid matching should not work for ALL sockets, am I correct? This all started by a friend of mine entering exactly the same rules in my rule set as his and it not working; he too was using 4.9 Release, and we compiled our kernels with exactly the same options. This is what led me to submit this as a bug. I mean, why even implement uid matching if it does not work...

Another example: I set up an ircd on the IP 66.90.x.236 on the uid admin and add the following rules to ipfw:

    01600 21092 1981319 allow ip from any to 66.90.x.236 in
    01700    90   10033 allow ip from 66.90.x.236 to any out via fxp0 uid admin
    01800   144   13517 deny ip from 66.90.x.236 to any

The 90 packets being accepted were from just before I added the deny rule; after adding the deny rule all packets were dropped. Does anyone agree that this is a problem?

Grant
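
The counter comparison described in the message above can be made repeatable. The following is an added example, not part of the original message and not FreeBSD project code: it diffs two `ipfw show` snapshots and reports uid/gid rules whose packet counter stood still while a later deny rule for the same source address gained packets. The function names are hypothetical, the BEFORE snapshot is constructed, and rule numbers are assumed to be unique.

```python
import re

# One line of `ipfw show` output: rule number, packets, bytes, rule body.
LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S.*?)\s*$")
CRED = re.compile(r"\b(?:uid|gid)\s+\S+")   # rule carries a credential match
SRC = re.compile(r"\bfrom\s+(\S+)")         # source address token of a rule

# Constructed snapshot taken before the deny rule existed (assumption).
BEFORE = """\
01600 20000 1900000 allow ip from any to 66.90.x.236 in
01700    90   10033 allow ip from 66.90.x.236 to any out via fxp0 uid admin
"""
# Counters as quoted in the message.
AFTER = """\
01600 21092 1981319 allow ip from any to 66.90.x.236 in
01700    90   10033 allow ip from 66.90.x.236 to any out via fxp0 uid admin
01800   144   13517 deny ip from 66.90.x.236 to any
"""

def parse_show(text):
    """Return {rule_number: (packets, bytes, body)}; assumes unique numbers."""
    rules = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            num, pkts, nbytes, body = m.groups()
            rules[int(num)] = (int(pkts), int(nbytes), body)
    return rules

def source(body):
    m = SRC.search(body)
    return m.group(1) if m else None

def stalled_cred_rules(before, after):
    """List (cred_rule, deny_rule, deny_packet_delta) where the uid/gid rule
    gained no packets but a later deny for the same source did."""
    old, new = parse_show(before), parse_show(after)
    delta = lambda n: new[n][0] - old.get(n, (0, 0, ""))[0]
    findings = []
    for num in sorted(new):
        body = new[num][2]
        if not CRED.search(body) or delta(num) != 0:
            continue
        for later in sorted(n for n in new if n > num):
            lbody = new[later][2]
            if (lbody.startswith("deny") and source(lbody) == source(body)
                    and delta(later) > 0):
                findings.append((num, later, delta(later)))
    return findings
```

A finding shows only that the credential rule stopped matching during the interval; it does not say why.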