Date: Thu, 6 Jul 2000 12:21:56 +1000 (EST)
From: radius@oznetcom.com.au
To: FreeBSD-gnats-submit@freebsd.org
Subject: kern/19722: FreeBSD box responds to broadcast IP
Message-ID: <200007060221.MAA08187@resurrection.oznetcom.com.au>

>Number:         19722
>Category:       kern
>Synopsis:       FreeBSD box responds to broadcast IP
>Confidential:   yes
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jul 05 19:30:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     M P Hibbard
>Release:        FreeBSD 3.4-STABLE i386
>Organization:   Davnet Telecommunications Pty Ltd
>Environment:

FreeBSD running as a gateway between networks. Seems to work on tested
versions from 3.4S (June 22), and recent 4.0S. In the situation described
below, the test machine was running 4.0-STABLE with IPF, IPFW and DUMMYNET
in the kernel.

>Description:

If FreeBSD is running as a gateway between two networks, and packets from
one network are travelling to the other network's broadcast address, the
FreeBSD gateway will intercept them and interpret them as if they were
destined for itself.

This could possibly allow an attacker to bypass firewall rules by sending
packets to the broadcast address of a network being firewalled by a FreeBSD
gateway - the FreeBSD gateway might allow the packets directly through to it
as the firewall rules may not allow for this situation.

>How-To-Repeat:

FreeBSD box at 203.62.175.1, gateway on a dialup connection with the network
203.62.175.0/24 routed to it.

From a network outside of 203.62.175.1, past the dialup gateway:

    radius@resurrection:~$ telnet 203.62.175.255
    Trying 203.62.175.255...
    Connected to 203.62.175.255.
    Escape character is '^]'.

    FreeBSD/i386 (scythe.darktide.net) (ttyp0)

    login:

We get a connection to the gateway box itself, 203.62.175.1.

This has been tested with different packets, TCP/UDP/ICMP. ICMP seems a bit
weird. A ping to 203.62.175.255 from inside the network 203.62.175.0/24 and
the .1 machine will not respond, however, from outside it, ONLY .1 will
respond even if other machines -would- have responded normally.

This has also been tested on other network configurations with up to 7
network interfaces. It also seems to work regardless of whether IPFW has been
compiled into the kernel.

>Fix:

none known

>Release-Note:
>Audit-Trail:
>Unformatted:
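
An added example, not part of the original report: a check that flags packets arriving on an external interface whose destination is the broadcast address of a network routed behind the gateway, the case the report says firewall rules may not allow for. The interface names, the log line format and the source addresses are constructed assumptions; only 203.62.175.0/24 comes from the report.

```python
import ipaddress

# Constructed inputs: the routed network comes from the report; interface
# names, the log format and the source addresses are assumptions.
ROUTED_NETWORKS = ["203.62.175.0/24"]
EXTERNAL_IFACES = {"tun0"}
SAMPLE_LOG = """\
tun0 tcp 198.51.100.7:40112 -> 203.62.175.255:23
tun0 icmp 198.51.100.7 -> 203.62.175.255
tun0 tcp 198.51.100.7:40113 -> 203.62.175.1:22
ed0 udp 203.62.175.20:137 -> 203.62.175.255:137
"""


def directed_broadcasts(networks):
    """Map each directed-broadcast address to its network.

    /31 and /32 prefixes have no broadcast address, so they are skipped.
    """
    result = {}
    for cidr in networks:
        net = ipaddress.ip_network(cidr, strict=True)
        if net.version == 4 and net.prefixlen <= 30:
            result[net.broadcast_address] = net
    return result


def host_of(endpoint):
    """Strip an optional :port from 'addr' or 'addr:port' (IPv4 only)."""
    return ipaddress.ip_address(endpoint.split(":")[0])


def flag_broadcast_hits(log_text, networks, external_ifaces):
    """Return (iface, proto, src, dst) for packets that arrive on an external
    interface and target the broadcast address of a routed network."""
    bcasts = directed_broadcasts(networks)
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[3] != "->":
            continue  # not a packet line in the assumed format
        iface, proto, src, _, dst = fields
        if iface in external_ifaces and host_of(dst) in bcasts:
            hits.append((iface, proto, str(host_of(src)), str(host_of(dst))))
    return hits


if __name__ == "__main__":
    for hit in flag_broadcast_hits(SAMPLE_LOG, ROUTED_NETWORKS, EXTERNAL_IFACES):
        print("directed-broadcast from outside:", *hit)
```

The same address set can be used to review a gateway's ruleset: each address returned by `directed_broadcasts` should be covered by an explicit rule for traffic arriving from outside.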