Date: Wed, 4 Oct 2000 08:24:56 +0200 (CEST)
From: bdluevel@heitec.net
To: FreeBSD-gnats-submit@freebsd.org
Subject: bin/21742: 'ipfw add' does not check the protocol name
Message-ID: <200010040624.e946OuW00627@heitec.net>
>Number:         21742
>Category:       bin
>Synopsis:       'ipfw add' does not check the protocol name
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Oct 03 23:30:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     Bernd Luevelsmeyer
>Release:        FreeBSD 4.1.1-STABLE i386
>Organization:
Heitec AG
>Environment:
FreeBSD 4.1.1-STABLE #5: Mon Oct 2 00:14:43 CEST 2000
>Description:
If you add an IPFW rule to pass TCP traffic to port 'echo', then port 4 will be allowed instead of port 7; apparently because there's an 'echo' with port 4 in /etc/services. That's only protocol 'ddp' though, hence I assume 'ipfw add' does not check the protocol when looking up port names.
>How-To-Repeat:
#ipfw list
00100 allow ip from any to any
65535 deny ip from any to any
#ipfw add pass tcp from any to any echo
00000 allow tcp from any to any 4
#ipfw list
00100 allow ip from any to any
00200 allow tcp from any to any 4
65535 deny ip from any to any
#grep echo /etc/services
echo            4/ddp    #AppleTalk Echo Protocol
echo            7/tcp
echo            7/udp
at-echo         204/tcp  #AppleTalk Echo
at-echo         204/udp  #AppleTalk Echo
>Fix:
Workaround: use port numbers only when specifying firewall rules, not port names.
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
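The lookup defect the report describes, as an added illustration that is not part of the original report and not ipfw's own code: a small parser over an /etc/services-style text (a constructed excerpt that reuses the five echo lines from the report plus an assumed ssh entry) with two lookups. lookup_port() without a protocol reproduces the unchecked first-match behaviour and returns the ddp port 4 for 'echo'; with the rule's protocol supplied it returns 7. resolve_rule_port() is the check a rule parser would want: numeric ports pass through, names must exist for the rule's protocol, and anything else is rejected instead of silently opening a different port. Function names and the sample data are this example's assumptions.

```python
"""Protocol-aware service-name lookup, modelled on the /etc/services format."""

# Constructed sample: the echo lines from the bug report plus an assumed ssh line.
SERVICES_SAMPLE = """\
echo            4/ddp       #AppleTalk Echo Protocol
echo            7/tcp
echo            7/udp
at-echo       204/tcp       #AppleTalk Echo
at-echo       204/udp       #AppleTalk Echo
ssh            22/tcp
"""


def parse_services(text):
    """Parse services-file text into (name, port, proto, aliases) tuples.

    Comments (#...) and blank lines are skipped; lines whose second field is
    not of the form <port>/<proto> are ignored rather than trusted.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        name, portproto, aliases = fields[0], fields[1], fields[2:]
        port_s, _, proto = portproto.partition("/")
        if not proto or not port_s.isdigit():
            continue
        entries.append((name, int(port_s), proto, aliases))
    return entries


def lookup_port(entries, name, proto=None):
    """Return the port for a service name; first match wins.

    proto=None reproduces the unchecked lookup from the report: the first
    entry with a matching name is used regardless of its protocol.
    """
    for ename, port, eproto, aliases in entries:
        if name != ename and name not in aliases:
            continue
        if proto is None or proto == eproto:
            return port
    return None


def resolve_rule_port(entries, name, proto):
    """Resolve the port field of a firewall rule for the rule's protocol.

    Digits are taken literally; a name must exist for that protocol, else
    ValueError is raised so the rule is not installed with a wrong port.
    """
    if name.isdigit():
        return int(name)
    port = lookup_port(entries, name, proto)
    if port is None:
        raise ValueError(f"unknown service {name!r} for protocol {proto!r}")
    return port


def rule_port_is_valid(entries, name, proto):
    """True if resolve_rule_port() would accept this name for this protocol."""
    try:
        resolve_rule_port(entries, name, proto)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    entries = parse_services(SERVICES_SAMPLE)
    # Unchecked lookup: first 'echo' line is the ddp one, so port 4.
    print("echo, no protocol:", lookup_port(entries, "echo"))
    # Protocol-aware lookup: the tcp 'echo' line, so port 7.
    print("echo, tcp:        ", lookup_port(entries, "echo", "tcp"))
    print("ssh, udp valid?   ", rule_port_is_valid(entries, "ssh", "udp"))
```

The same distinction exists in the C library: getservbyname(3) takes a protocol argument, and passing NULL there gives exactly the first-match behaviour shown by lookup_port() with proto=None.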