From owner-freebsd-bugs Tue Oct  3 23:30:06 2000
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP
	id 0F60137B66C for ; Tue, 3 Oct 2000 23:30:01 -0700 (PDT)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.9.3/8.9.2) id XAA11143;
	Tue, 3 Oct 2000 23:30:01 -0700 (PDT)
	(envelope-from gnats@FreeBSD.org)
Received: from heitec.net (paladin.heitec.net [193.101.232.30])
	by hub.freebsd.org (Postfix) with ESMTP
	id 7513937B503 for ; Tue, 3 Oct 2000 23:24:46 -0700 (PDT)
Received: (from root@localhost)
	by heitec.net (8.11.0/8.11.0) id e946OuW00627;
	Wed, 4 Oct 2000 08:24:56 +0200 (CEST)
	(envelope-from bernd)
Message-Id: <200010040624.e946OuW00627@heitec.net>
Date: Wed, 4 Oct 2000 08:24:56 +0200 (CEST)
From: bdluevel@heitec.net
Reply-To: bdluevel@heitec.net
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: bin/21742: 'ipfw add' does not check the protocol name
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         21742
>Category:       bin
>Synopsis:       'ipfw add' does not check the protocol name
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Oct 03 23:30:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     Bernd Luevelsmeyer
>Release:        FreeBSD 4.1.1-STABLE i386
>Organization:
Heitec AG
>Environment:
FreeBSD 4.1.1-STABLE #5: Mon Oct 2 00:14:43 CEST 2000
>Description:
If you add an IPFW rule to pass TCP traffic to port 'echo', then port 4 will be allowed instead of port 7; apparently because there's an 'echo' with port 4 in /etc/services. That's only for protocol 'ddp' though, hence I assume 'ipfw add' does not check the protocol when looking up port names.
>How-To-Repeat:
# ipfw list
00100 allow ip from any to any
65535 deny ip from any to any
# ipfw add pass tcp from any to any echo
00000 allow tcp from any to any 4
# ipfw list
00100 allow ip from any to any
00200 allow tcp from any to any 4
65535 deny ip from any to any
# grep echo /etc/services
echo      4/ddp    #AppleTalk Echo Protocol
echo      7/tcp
echo      7/udp
at-echo 204/tcp    #AppleTalk Echo
at-echo 204/udp    #AppleTalk Echo
>Fix:
Workaround: use port numbers only when specifying firewall rules, not port names.
>Release-Note:
>Audit-Trail:
>Unformatted:
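The following C program is an added illustration written for this page; it is not part of the PR and not ipfw's own source. It mimics a services-file lookup over a constructed copy of the `grep echo /etc/services` output above and shows why a name lookup that ignores the protocol resolves 'echo' to 4: the first line whose name matches wins. The assumption it encodes is that the rule parser resolves port names through a getservbyname(3)-style lookup with a NULL protocol argument, which returns the first name match regardless of protocol. `lookup_port` and `resolve_port` are names chosen here for illustration; passing the rule's own protocol ("tcp") to the lookup gives 7, and `resolve_port` also shows the workaround from the PR (numeric ports are taken as-is).

```c
/*
 * Added example, not ipfw code: why a protocol-blind port-name lookup
 * returns the wrong port, and what the lookup should do instead.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample mirroring `grep echo /etc/services` from the PR.
 * Note that the ddp entry comes before the tcp and udp ones. */
static const char *services_text =
    "echo      4/ddp    #AppleTalk Echo Protocol\n"
    "echo      7/tcp\n"
    "echo      7/udp\n"
    "at-echo 204/tcp    #AppleTalk Echo\n"
    "at-echo 204/udp    #AppleTalk Echo\n";

/* Look up NAME in the services text, one "name port/proto [#comment]"
 * entry per line. With PROTO == NULL this behaves like
 * getservbyname(name, NULL): the first entry whose name matches is
 * returned whatever its protocol. With a protocol given, both the name
 * and the protocol must match. Returns the port, or -1 if nothing matches. */
int lookup_port(const char *name, const char *proto)
{
    const char *p = services_text;

    while (*p != '\0') {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        char line[128];

        if (len >= sizeof line)
            len = sizeof line - 1;          /* truncate an overlong line */
        memcpy(line, p, len);
        line[len] = '\0';
        p = eol ? eol + 1 : p + len;

        /* Drop a trailing "#comment" before tokenising. */
        char *hash = strchr(line, '#');
        if (hash)
            *hash = '\0';

        /* Field 1: service name; field 2: "port/proto". */
        char *s = line;
        s += strspn(s, " \t");
        char *sname = s;
        s += strcspn(s, " \t");
        if (*s == '\0')
            continue;                       /* no port field on this line */
        *s++ = '\0';
        s += strspn(s, " \t");
        char *sport = s;
        s += strcspn(s, " \t");
        *s = '\0';
        if (*sname == '\0' || *sport == '\0')
            continue;                       /* blank or comment-only line */

        char *slash = strchr(sport, '/');
        if (!slash)
            continue;                       /* malformed "port/proto" */
        *slash = '\0';
        const char *sproto = slash + 1;

        if (strcmp(sname, name) != 0)
            continue;
        if (proto != NULL && strcmp(sproto, proto) != 0)
            continue;                       /* right name, wrong protocol */
        return atoi(sport);
    }
    return -1;
}

/* What a rule parser should do with a port argument: accept a numeric
 * port as-is (the PR's workaround), otherwise resolve the name under the
 * rule's own protocol rather than under "any protocol". */
int resolve_port(const char *arg, const char *proto)
{
    char *end;
    long n = strtol(arg, &end, 10);

    if (*arg != '\0' && *end == '\0' && n >= 0 && n <= 65535)
        return (int)n;
    return lookup_port(arg, proto);
}

int main(void)
{
    printf("echo, protocol ignored: %d\n", lookup_port("echo", NULL));  /* 4, the ddp entry */
    printf("echo, tcp:              %d\n", lookup_port("echo", "tcp")); /* 7 */
    printf("echo, udp:              %d\n", lookup_port("echo", "udp")); /* 7 */
    printf("echo, icmp:             %d\n", lookup_port("echo", "icmp"));/* -1, no such entry */
    printf("rule 'tcp ... echo':    %d\n", resolve_port("echo", "tcp"));/* 7 */
    printf("rule 'tcp ... 7':       %d\n", resolve_port("7", "tcp"));   /* 7 */
    return 0;
}
```

The check a practitioner wants after any firewall rule that uses a service name is the one the PR itself performs: run `ipfw list` and confirm the rule shows the port number you intended, because a rule that passed "port 4" where "port 7" was meant is silently narrower or wider than the policy written.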