Date:      Tue, 2 Jul 2002 03:46:15 -0700 (PDT)
From:      Bill Purvis <wp@High-Availability.com>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   kern/40108: IP Firewall code doesn't behave as expected
Message-ID:  <200207021046.g62AkF4J044326@www.freebsd.org>


>Number:         40108
>Category:       kern
>Synopsis:       IP Firewall code doesn't behave as expected
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jul 02 03:50:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Bill Purvis
>Release:        4.6
>Organization:
High-Availability.Com
>Environment:
>Description:
I have been asked to test one of our products under FreeBsd involving
monitoring behaviour of a firewall. I have no previous experience with
FreeBsd, but extensive experience with other Unixes, particularly Linux.
I installed 4.6 on a PC and tried to set up a firewall. This seemed OK
but I noticed that when I set up a rule to deny access to a remote
machine, the behaviour was not what I see on other Unixes. I had
requested the firewall to "drop" the packets, but I received an
immediate error response, which caused the monitor program to
misinterpret the test. Other systems simply drop the packet and return
no error indication. The monitor program expects the request to time
out and gets upset if this is not the case. I then looked at the
source code (netinet/ip_output.c) and noted that when the firewall
returns a "drop" indication, the code sets error = EACCESS; before
dropping the packet and exiting. I patched this out and the system 
now behaves in the manner I expect.

I read through the man pages for "ipfw" (several times) and feel that
the wording gives the impression that the behaviour does not match
that in the man page. I dislike the statement that "drop" and "deny"
are synonyms - I would be quite happy with the current behaviour if
I used "deny", but expect "drop" to do so without error return. 

>How-To-Repeat:
1) set up a "drop" rule using ipfw to a specific remote machine.
2) attempt to telnet/ping/??? to that remote machine.
3) note the error message returned.
>Fix:
Remove the statement

     error = EACCES;

from ip_output.c (just following the firewall call)

>Release-Note:
>Audit-Trail:
>Unformatted:
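As an added illustration, not part of the bug report or of FreeBSD's own code, the following Python probe shows the distinction the reporter's monitor program depends on: when the local stack rejects an outbound connection with an error (on FreeBSD 4.6 the EACCES that ip_output.c sets, which the report spells EACCESS), the application learns about it immediately, whereas a silently dropped packet only shows up as a timeout. The host, port and timeout values are assumptions; the loopback demonstration constructs its own listener so it runs offline.

```python
import errno
import socket


def classify(outcome):
    """Turn the result of a connect() attempt into the verdict a monitor needs.

    outcome is None on success, or the OSError raised by connect().
    socket.timeout is a subclass of OSError, so it is tested first.
    """
    if outcome is None:
        return "reachable"
    if isinstance(outcome, socket.timeout):
        # No reply and no local error: the packet was dropped silently,
        # which is what the reporter expected from an ipfw "drop" rule.
        return "silently-dropped"
    if isinstance(outcome, OSError):
        # The local stack refused to send (e.g. EACCES from a firewall
        # "deny") or the peer answered (ECONNREFUSED from an RST); either
        # way the caller learns at once instead of waiting for a timeout.
        name = errno.errorcode.get(outcome.errno, str(outcome.errno))
        return "immediate-error:" + name
    return "unknown"


def probe(host, port, timeout=2.0):
    """Attempt one TCP connect and classify how it succeeded or failed."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        outcome = None
    except OSError as exc:
        outcome = exc
    finally:
        sock.close()
    return classify(outcome)


def demo_loopback():
    """Constructed, offline demonstration.

    A listener on 127.0.0.1 is "reachable"; once it is closed, the same
    port answers with an immediate ECONNREFUSED rather than a timeout.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    open_result = probe("127.0.0.1", port)
    listener.close()
    closed_result = probe("127.0.0.1", port)
    return open_result, closed_result


if __name__ == "__main__":
    print(demo_loopback())
    # Against a firewalled host (192.0.2.1 is an assumed documentation
    # address), a "drop" rule that lives up to its name yields
    # "silently-dropped" after the timeout, while the FreeBSD 4.6
    # behaviour described in the report yields "immediate-error:EACCES".
    print(probe("192.0.2.1", 23, timeout=1.0))
```

A monitor built this way can record which of the three verdicts it saw, so a firewall that returns an error instead of dropping is reported as a distinct condition rather than as a confusing test failure.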