Date:      Wed, 12 Mar 2003 23:51:18 +1000
From:      Mikhalych <root@vlad.ru>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   bin/49959: ipfw tee port rule skips parsing next rules
Message-ID:  <E18t6da-000FW3-00@vlad.ru>


>Number:         49959
>Category:       bin
>Synopsis:       ipfw tee port rule skips parsing next rules
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Mar 12 06:00:17 PST 2003
>Closed-Date:
>Last-Modified:
>Originator:     Sergey Mikhalych
>Release:        FreeBSD 4.7-RELEASE i386
>Organization:
OAO Dalsvyaz
>Environment:
System: FreeBSD mail.vlad.ru 4.7-RELEASE FreeBSD 4.7-RELEASE #0: Sun Nov 24 01:13:21 VLAT 2002 mich@relay.vlad.ru:/usr/src/sys/compile/MAIL i386

>Description:
For traffic counting I can copy all packets coming to my network interface xl0 with the `ipfw tee` option to some port, for example 8888; after this rule all these packets must pass through the next ipfw rules (like the `ipfw count` option).

Problem: the `ipfw tee port` option breaks this order; packets are marked as accepted by the rule (like the `ipfw allow` option).

Example:

00001 143 22387 tee 8888 ip from any to any in recv xl0
00002 120 30373 tee 8888 ip from any to any out xmit xl0
00100   0     0 allow tcp from 212.107.192.0/19 to 212.107.200.82 22
00110   0     0 allow tcp from 212.107.200.82 22 to 212.107.192.0/19
00200   0     0 reset tcp from any to 212.107.200.82 22
00300   0     0 reset tcp from any to 212.107.200.80/28 113
00500   0     0 reset tcp from any to 212.107.200.82 3306
00501   0     0 reset tcp from any to 212.107.200.83 3306
65535 258 35124 allow ip from any to any

Telnet to the denied ports 22, 113 and 3306 is accepted!
Using ipfw tee is insecure :(

>How-To-Repeat:
You can try adding a `tee port` rule before any of your rules.

>Fix:
Add reset/deny rules BEFORE the tee rule, but then these dropped packets will be lost for accounting/copying by tee.
>Release-Note:
>Audit-Trail:
>Unformatted:

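The following is an editor's model of the rule-ordering problem the report describes; it is not code from the PR, from FreeBSD or from ipfw itself. It is a first-match evaluator over the reporter's own ruleset in which the behaviour of `tee` can be switched between "copy, then terminate and accept" (the behaviour the report observes) and "copy, then continue with the next rule" (the `count`-like behaviour the reporter expected), and it also evaluates the ordering suggested under Fix, with the reset rules moved ahead of the tee rules. The divert socket, the `recv xl0`/`xmit xl0` interface match and the real kernel code path are not modelled; only the in/out direction is. The source addresses 203.0.113.5 and 212.107.192.5 are constructed test inputs, and rule numbers 600/601 for the relocated tee rules are an assumption.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Editor's model of ipfw first-match processing (not FreeBSD code).


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp", ...
    src: str
    dst: str
    sport: int
    dport: int
    direction: str      # "in" or "out"


@dataclass(frozen=True)
class Rule:
    num: int
    action: str                     # "allow", "reset", "deny", "tee", "count"
    proto: str = "ip"               # "ip" matches every protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    sport: Optional[int] = None     # None = any port
    dport: Optional[int] = None
    direction: Optional[str] = None  # None = both directions

    def matches(self, pkt: Packet) -> bool:
        return (
            (self.proto == "ip" or self.proto == pkt.proto)
            and (self.direction is None or self.direction == pkt.direction)
            and ip_address(pkt.src) in ip_network(self.src)
            and ip_address(pkt.dst) in ip_network(self.dst)
            and (self.sport is None or self.sport == pkt.sport)
            and (self.dport is None or self.dport == pkt.dport)
        )


def evaluate(rules: List[Rule], pkt: Packet, tee_terminates: bool) -> Tuple[str, int, List[int]]:
    """Walk the rules in numeric order; return (verdict, matching rule, tee rules that copied).

    tee_terminates=True  : tee copies the packet and accepts it (what the PR reports).
    tee_terminates=False : tee copies the packet and continues (what the reporter expected).
    Rule 65535 'allow ip from any to any' is the implicit default.
    """
    copied: List[int] = []
    for rule in sorted(rules, key=lambda r: r.num):
        if not rule.matches(pkt):
            continue
        if rule.action == "count":
            continue
        if rule.action == "tee":
            copied.append(rule.num)          # copy goes to the divert socket
            if tee_terminates:
                return ("allow", rule.num, copied)
            continue
        return (rule.action, rule.num, copied)
    return ("allow", 65535, copied)


# Filtering rules from the PR (interface match on xl0 omitted).
FILTER_RULES = [
    Rule(100, "allow", "tcp", "212.107.192.0/19", "212.107.200.82", dport=22),
    Rule(110, "allow", "tcp", "212.107.200.82", "212.107.192.0/19", sport=22),
    Rule(200, "reset", "tcp", dst="212.107.200.82", dport=22),
    Rule(300, "reset", "tcp", dst="212.107.200.80/28", dport=113),
    Rule(500, "reset", "tcp", dst="212.107.200.82", dport=3306),
    Rule(501, "reset", "tcp", dst="212.107.200.83", dport=3306),
]

# Ruleset as listed in the PR: tee first.
PR_RULES = [Rule(1, "tee", direction="in"), Rule(2, "tee", direction="out")] + FILTER_RULES

# Ordering suggested under Fix: reset/allow rules first, tee afterwards (600/601 assumed).
WORKAROUND_RULES = FILTER_RULES + [Rule(600, "tee", direction="in"), Rule(601, "tee", direction="out")]

# Constructed test packets.
SSH_FROM_OUTSIDE = Packet("tcp", "203.0.113.5", "212.107.200.82", 40000, 22, "in")
SSH_FROM_INSIDE = Packet("tcp", "212.107.192.5", "212.107.200.82", 40001, 22, "in")
HTTP_FROM_OUTSIDE = Packet("tcp", "203.0.113.5", "212.107.200.82", 40002, 80, "in")


if __name__ == "__main__":
    for name, rules, term in (("PR ruleset, tee terminates", PR_RULES, True),
                              ("PR ruleset, tee continues", PR_RULES, False),
                              ("workaround, tee terminates", WORKAROUND_RULES, True)):
        print(name, evaluate(rules, SSH_FROM_OUTSIDE, term))
```

With the PR's ordering and a terminating `tee`, the outside SSH packet is accepted by rule 1 and never reaches reset rule 200; with a continuing `tee` the same packet is copied by rule 1 and then reset by rule 200. With the workaround ordering the packet is reset by rule 200 but never copied, which is the accounting loss the Fix section mentions; the model also shows that traffic terminated by the allow rules (100, 110) bypasses the relocated tee in the same way, while traffic that falls through the filter block (for example port 80) is still copied.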



