Date:      Sun, 16 Nov 2008 05:07:18 GMT
From:      Jin Guojun <jguojun@gmail.com>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   kern/128902: ipfw allow tcp from any to any established allow Sync pass through
Message-ID:  <200811160507.mAG57Iod072650@www.freebsd.org>
Resent-Message-ID: <200811160510.mAG5A1sq058762@freefall.freebsd.org>


>Number:         128902
>Category:       kern
>Synopsis:       ipfw allow tcp from any to any established allow Sync pass through
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Nov 16 05:10:00 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Jin Guojun
>Release:        RELEASE 6.3
>Organization:
>Environment:
FreeBSD Belkin 6.3-RELEASE FreeBSD 6.3-RELEASE #0: Fri Oct 31 00:25:31 PDT 2008     root@Belkin:/usr/src/sys/i386/compile/Firewall  i386
>Description:
According to the ipfw rule, the TCP established rule should allow only connected TCP traffic to pass through. Non-established TCP traffic (SYN packets) should not be allowed to pass by this rule. However, this seems to be failing in RELEASE 6.3 (it seemed to work before, as we have used this rule for a long time). The following rule set order should cut TCP connecting traffic from those 4 IP addresses, but it fails to do so.

00330 3108378 2700826874 allow tcp from any to any established
00361       0          0 deny ip from 203.83.248.93 to any
00361       0          0 deny ip from 72.30.142.215 to any
00567       0          0 deny ip from 193.200.241.171 to any
00567       0          0 deny ip from 221.192.199.36 to any
65535       2        120 deny ip from any to any


>How-To-Repeat:
221.192.199.36 is a malicious site that probes for holes in computers around the whole world every half hour.
Set the ipfw rule set described in the full description and listen on TCP port 80 to see the TCP connection coming through.

If you have an outside IP (say XIP), you can set it in rule set 00555 as
00555 deny ip from XIP to any
and listen on a TCP port (say 12345) on the local host, then send TCP traffic from the XIP host to your local host's TCP port 12345, and watch the traffic pass through.
>Fix:
I have not looked into the code yet, but my guess is that ipfw does not take care of the SYN case for the established TCP rule, or it is bypassed or overridden by other rules.

>Release-Note:
>Audit-Trail:
>Unformatted:
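The following is an added example, not code from the PR or from FreeBSD: a stateless model of ipfw first-match rule evaluation that follows the semantics documented in ipfw(8) ("established" matches TCP packets with the ACK or RST bit set; "setup" matches TCP packets with SYN set and ACK clear; the first matching rule decides). It parses the `ipfw -a list` output quoted in the report, runs constructed probe packets through it, and then through a second, constructed ordering that places the per-host deny rules ahead of rule 00330 and admits new connections to one service with an explicit "setup" rule. The local address 192.0.2.10, the unlisted source 198.51.100.7 and the hardened rule numbers are assumptions for the demonstration.

```python
"""Stateless model of ipfw first-match evaluation (added example, not FreeBSD code).
Semantics per ipfw(8): "established" = TCP with ACK or RST set, "setup" = TCP with
SYN set and ACK clear, first matching rule wins."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# TCP flag bits as in <netinet/tcp.h>.
TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp", "icmp", ...
    dport: int = 0
    flags: int = 0        # TCP flags; ignored for non-TCP


@dataclass
class Rule:
    number: int
    action: str           # "allow" or "deny"
    proto: str            # "ip" matches any protocol
    src: str              # "any" or a single IPv4 address
    dst: str
    dport: Optional[int] = None
    established: bool = False
    setup: bool = False


def parse_rule(line: str) -> Rule:
    """Parse one line of `ipfw -a list` output, e.g.
    '00330 3108378 2700826874 allow tcp from any to any established'.
    The two counter columns are optional (plain `ipfw list` omits them)."""
    tok = line.split()
    number = int(tok.pop(0))
    if len(tok) > 2 and tok[0].isdigit() and tok[1].isdigit():
        tok = tok[2:]                      # drop packet/byte counters
    action, proto = tok[0], tok[1]
    if tok[2] != "from" or tok[4] != "to":
        raise ValueError(f"unsupported rule syntax: {line!r}")
    src, dst, rest = tok[3], tok[5], tok[6:]
    dport = int(rest.pop(0)) if rest and rest[0].isdigit() else None
    opts = set(rest)
    unknown = opts - {"established", "setup"}
    if unknown:
        raise ValueError(f"unsupported option(s) {sorted(unknown)} in rule {number}")
    return Rule(number, action, proto, src, dst, dport,
                "established" in opts, "setup" in opts)


def parse_ruleset(text: str) -> List[Rule]:
    rules = [parse_rule(l) for l in text.strip().splitlines() if l.strip()]
    return sorted(rules, key=lambda r: r.number)   # stable: keeps listing order within a number


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.src != "any" and rule.src != pkt.src:
        return False
    if rule.dst != "any" and rule.dst != pkt.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    is_tcp = pkt.proto == "tcp"
    if rule.established and not (is_tcp and pkt.flags & (TH_ACK | TH_RST)):
        return False
    if rule.setup and not (is_tcp and pkt.flags & TH_SYN and not pkt.flags & TH_ACK):
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[int, str]:
    """Return (rule number, action) of the first rule that matches the packet."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.number, rule.action
    raise RuntimeError("no rule matched; an ipfw ruleset always ends with 65535")


# Ruleset as listed in the PR (counters copied from the report).
PR_RULESET = """
00330 3108378 2700826874 allow tcp from any to any established
00361       0          0 deny ip from 203.83.248.93 to any
00361       0          0 deny ip from 72.30.142.215 to any
00567       0          0 deny ip from 193.200.241.171 to any
00567       0          0 deny ip from 221.192.199.36 to any
65535       2        120 deny ip from any to any
"""

# Constructed alternative (not from the PR): host denies first, then an explicit
# "setup" rule for the one service that should accept new connections.
HARDENED_RULESET = """
00100 deny ip from 203.83.248.93 to any
00100 deny ip from 72.30.142.215 to any
00100 deny ip from 193.200.241.171 to any
00100 deny ip from 221.192.199.36 to any
00200 allow tcp from any to 192.0.2.10 80 setup
00330 allow tcp from any to any established
65535 deny ip from any to any
"""

LOCAL = "192.0.2.10"   # assumed local address
PROBES: Dict[str, Packet] = {   # constructed probe packets
    "syn from listed host":       Packet("221.192.199.36", LOCAL, "tcp", 80, TH_SYN),
    "ack probe from listed host": Packet("221.192.199.36", LOCAL, "tcp", 80, TH_ACK),
    "syn from unlisted host":     Packet("198.51.100.7", LOCAL, "tcp", 80, TH_SYN),
    "udp from listed host":       Packet("221.192.199.36", LOCAL, "udp", 53),
}


def decisions(ruleset_text: str) -> Dict[str, Tuple[int, str]]:
    rules = parse_ruleset(ruleset_text)
    return {name: evaluate(rules, pkt) for name, pkt in PROBES.items()}


if __name__ == "__main__":
    for label, text in (("PR ordering", PR_RULESET), ("hardened ordering", HARDENED_RULESET)):
        print(label)
        for name, (num, act) in decisions(text).items():
            print(f"  {name:28s} -> {num:05d} {act}")
```

Under these stateless semantics a bare SYN from a listed address falls through rule 00330 to the matching deny rule in either ordering, so the model does not reproduce what the submitter observed; what it does show is that 00330 passes any TCP segment carrying ACK (an ACK scan, or a SYN+ACK), which is why host-specific deny rules are safer placed ahead of the established rule, and why "setup" plus an established rule is the usual stateless pattern for admitting new connections selectively. Running the real ruleset with `ipfw -a list` while the probe arrives shows which rule's counter increments, which is the quickest check of where the traffic is actually being passed.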



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200811160507.mAG57Iod072650>