From: Al
Message-Id: <200101190349.f0J3nnR01417@otterhole.yi.org>
Subject: Re: FreeBSD port: nmap-5-32 under 4.2-STABLE, No route to host -> IPFilter keep state problem
In-Reply-To: <20010119025750.V30538@hand.dotat.at> from Tony Finch at "Jan 19, 2001 02:57:50 am"
To: Tony Finch
Date: Thu, 18 Jan 2001 22:49:49 -0500 (EST)
Cc: obrien@freebsd.org, ports@freebsd.org, stable@freebsd.org

> Al wrote:
> >
> >One difference between a ktrace of root/no root is that the root
> >version has this in the trace:
> >
> > 10128 nmap CALL open(0x8066f2c,0,0x1b6)
> > 10128 nmap NAMI "/proc/net/route"
> > 10128 nmap RET open -1 errno 2 No such file or directory
> >
> >But the non-root version has no /proc/net call. I do not see any
> >reference to /proc/net/ anywhere.
>
> /proc/net/route is a linuxism so I guess the linuxulator is causing
> trouble. Is your PATH different for root and non-root? What does
> `which nmap` say for each user?

I'm betting that linux emulation is not the problem. I do not have
COMPAT_LINUX in the kernel, nor do I have a kld module for linux loaded.
The paths are not the problem, as after I built the kernel I built a new
version of nmap, and ran it as root and not root from
/usr/ports/security/nmap/work/nmap-2.53/ as ./nmap for both root and
non root.

Somebody else suggested it could be a firewall problem, and he is
correct. I also have IPFilter installed, and I looked at a tcpdump of
the problem, which shows that an echo request was getting out of my box,
but no echo reply. Replacing my IPFilter rules with "any any" allows
nmap to work again. The IPFilter rules used to work just fine. My
IPFilter rules include:

    pass out quick proto icmp from any to any keep state

All the rules use quick, and no preceding rules deny traffic.

It looks like the keep state function on IPFilter is broken? I also
changed the IPFilter default to deny traffic, maybe that broke
something? I will test some more.

Thanks for the help,
al

>
> Tony.
> --
> f.a.n.finch fanf@covalent.net dot@dotat.at
> "Then they attacked a town. A small town, I'll admit.
> But nevertheless a town of people. People who died."