Date:      Thu, 24 Oct 2002 02:44:08 -0700
From:      Luigi Rizzo <rizzo@icir.org>
To:        Cristiano Deana <deana@bmm.it>
Cc:        ipfw@FreeBSD.ORG
Subject:   Re: ipfw2.
Message-ID:  <20021024024408.A52106@carp.icir.org>
In-Reply-To: <200210240951.06541@freecris>; from deana@bmm.it on Thu, Oct 24, 2002 at 09:57:45AM +0200
References:  <200210240951.06541@freecris>

There is a bug in the rule for matching sets, I swapped src and
dst addresses...
Fix is below, I am going to commit it soon.

thanks for the report

	luigi

Index: ip_fw2.c
===================================================================
RCS file: /home/iguana/u2/ncvs/src/sys/netinet/ip_fw2.c,v
retrieving revision 1.6.2.3
diff -u -r1.6.2.3 ip_fw2.c
--- ip_fw2.c    21 Aug 2002 05:34:07 -0000      1.6.2.3
+++ ip_fw2.c    24 Oct 2002 09:38:28 -0000
@@ -1604,8 +1604,8 @@
                                        u_int32_t *d = (u_int32_t *)(cmd+1);
                                        u_int32_t addr =
                                            cmd->opcode == O_IP_DST_SET ?
-                                               args->f_id.src_ip :
-                                               args->f_id.dst_ip;
+                                               args->f_id.dst_ip :
+                                               args->f_id.src_ip;
 
                                            if (addr < d[0])
                                                    break;


On Thu, Oct 24, 2002 at 09:57:45AM +0200, Cristiano Deana wrote:
> What am I missing?
> 
> # uname -sv
> FreeBSD FreeBSD 4.7-STABLE #14: Fri Oct 18 15:04:59 CEST 2002
> 
> # dmesg | grep ipfw
> ipfw2 initialized, divert enabled, rule-based forwarding enabled, default to 
> deny, logging limited to 100 packets/entry by default
> 
> # ifconfig xl0 | grep inet
>         inet 213.144.77.133 netmask 0xffffff80 broadcast 213.144.77.255
> 
> # ipfw list
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 10000 allow log icmp from 213.144.77.0/24{199,200,201} to 213.144.77.133
> 11000 deny log icmp from any to 213.144.77.133
> 65000 allow ip from any to any
> 65535 deny ip from any to any
> 
> # pinging from 213.144.77.200 to 213.144.77.133
> 
> # tail /var/log/security
> Oct 24 09:38:58 freecris /kernel: ipfw: 11000 Deny ICMP:8.0 213.144.77.200 
> 213.144.77.133 in via xl0
> Oct 24 09:39:12 freecris last message repeated 2 times
> 
> # ipfw show | grep icmp
> 10000          0          0 allow log icmp from 213.144.77.0/24{199,200,201} 
> to 213.144.77.133
> 11000         33       2772 deny log icmp from any to 213.144.77.133
> 
> I think I'm missing some basic rule.
> Why didn't ICMP packets coming from 213.144.77.200 match rule #10000?
> 
> Thanks in advance,
> cris.
> 

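To see why rule 10000 never fired, here is an added stand-alone model of the set match (example code written for this page, not ipfw2's own source): the set layout (base address, covered count, membership bitmap) and the `swapped` flag are assumptions modelled on the hunk above, and the packet is the reporter's ICMP echo from .200 to .133.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the two opcodes named in the hunk. */
enum { O_IP_SRC_SET, O_IP_DST_SET };

/* Address set as used by "213.144.77.0/24{199,200,201}":
   base network, number of host offsets covered, one membership bit per host.
   Layout is an assumption for this example, loosely modelled on ipfw2. */
struct addr_set {
    uint32_t base;      /* network base address, host byte order (d[0] in the hunk) */
    uint32_t count;     /* host offsets covered by the bitmap: 256 for a /24 */
    uint32_t bits[8];   /* 256-bit membership bitmap */
};

static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d) {
    return (a << 24) | (b << 16) | (c << 8) | d;
}

/* Build the set from the reporter's rule 10000. */
static void build_set(struct addr_set *s) {
    static const unsigned members[] = { 199, 200, 201 };
    memset(s, 0, sizeof *s);
    s->base = ip4(213, 144, 77, 0);
    s->count = 256;
    for (size_t i = 0; i < sizeof members / sizeof members[0]; i++)
        s->bits[members[i] >> 5] |= 1u << (members[i] & 0x1f);
}

/* Pick one packet address by opcode, then test the bitmap.
   swapped=1 reproduces the pre-patch bug: DST_SET looked at the source and
   SRC_SET at the destination. swapped=0 is the patched behaviour. */
static int set_match(const struct addr_set *s, int opcode,
                     uint32_t src, uint32_t dst, int swapped) {
    uint32_t addr = (opcode == O_IP_DST_SET) ? (swapped ? src : dst)
                                             : (swapped ? dst : src);
    if (addr < s->base)                     /* same guard as the hunk's "addr < d[0]" */
        return 0;
    addr -= s->base;
    return addr < s->count && (s->bits[addr >> 5] & (1u << (addr & 0x1f))) != 0;
}

/* Rule 10000 has the set on the source side; packet is ICMP .200 -> .133. */
static int rule_10000_matches(int swapped) {
    struct addr_set s;
    build_set(&s);
    return set_match(&s, O_IP_SRC_SET, ip4(213, 144, 77, 200), ip4(213, 144, 77, 133), swapped);
}

int main(void) {
    printf("pre-patch match: %d, patched match: %d\n",
           rule_10000_matches(1), rule_10000_matches(0));
    return 0;
}
```

With the swap, the source-set rule examines .133 (offset 133, not in the bitmap) and falls through to the deny at 11000, which is exactly the log line the reporter saw.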