From owner-freebsd-bugs@FreeBSD.ORG Sun Nov 16 05:10:01 2008
Resent-Date: Sun, 16 Nov 2008 05:10:01 GMT
Resent-Message-Id: <200811160510.mAG5A1sq058762@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Jin Guojun
Message-Id: <200811160507.mAG57Iod072650@www.freebsd.org>
Date: Sun, 16 Nov 2008 05:07:18 GMT
From: Jin Guojun
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Cc:
Subject: kern/128902: ipfw allow tcp from any to any established allow Sync pass through
List-Id: Bug reports

>Number: 128902
>Category: kern
>Synopsis: ipfw allow tcp from any to any established allow Sync pass through
>Confidential: no
>Severity: critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Nov 16 05:10:00 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Jin Guojun
>Release: RELEASE 6.3
>Organization:
>Environment:
FreeBSD Belkin 6.3-RELEASE FreeBSD 6.3-RELEASE #0: Fri Oct 31 00:25:31 PDT 2008 root@Belkin:/usr/src/sys/i386/compile/Firewall i386
>Description:
According to the ipfw rules, the tcp "established" rule should allow only connected TCP traffic to pass through. Non-established TCP traffic (SYN packets) should not be allowed to pass by this rule. However, this seems to be failing in RELEASE 6.3 (it seemed to work before, as we have used this rule for a long time).

The following rule set order should cut TCP connecting traffic from those 4 IP addresses, but it fails to do so.

00330 3108378 2700826874 allow tcp from any to any established
00361       0          0 deny ip from 203.83.248.93 to any
00361       0          0 deny ip from 72.30.142.215 to any
00567       0          0 deny ip from 193.200.241.171 to any
00567       0          0 deny ip from 221.192.199.36 to any
65535       2        120 deny ip from any to any
>How-To-Repeat:
221.192.199.36 is a malicious site that probes computers for holes around the whole world every half hour. Set the ipfw rules described in the full description and listen on TCP port 80 to see the TCP connection coming through.
If you have an outside IP (say XIP), you can set it in rule set 00555 as
00555 deny ip from XIP to any
and listen on a TCP port (say 12345) on the local host, then send TCP traffic from the XIP host to your local host TCP port 12345, and watch the traffic pass through.
>Fix:
Have not looked into the code yet, but my guess is that ipfw did not take care of the SYN case for the established TCP rule, or it is bypassed or overwritten by other rules.
>Release-Note:
>Audit-Trail:
>Unformatted:
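As an added illustration, not part of the PR, here is a small Python model of ipfw's first-match evaluation over the rule set quoted in the report. In ipfw(8) "established" matches TCP packets with the RST or ACK bit set, so under the posted order a bare SYN falls past rule 330 to the deny rules, while any ACK-bearing packet from the listed hosts is accepted by rule 330 before the denies are reached; the HARDENED list (my assumption of the intended fix) moves the host-specific denies ahead of the established rule. The rule numbers and addresses are the PR's; the Rule/Packet model and the rule number 300 are constructed here.

```python
import ipaddress
from dataclasses import dataclass

SYN, RST, ACK = 0x02, 0x04, 0x10   # TCP flag bits

@dataclass
class Rule:
    number: int
    action: str          # "allow" or "deny"
    proto: str           # "ip" (any protocol) or "tcp"
    src: str             # "any" or an address/CIDR (destination is always "any" here)
    established: bool = False   # ipfw(8): matches TCP with RST or ACK set

@dataclass
class Packet:
    proto: str
    src: str
    flags: int = 0       # TCP flags; ignored for other protocols

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.src != "any" and ipaddress.ip_address(pkt.src) not in \
            ipaddress.ip_network(rule.src, strict=False):
        return False
    if rule.established and not (pkt.proto == "tcp" and pkt.flags & (ACK | RST)):
        return False
    return True

def evaluate(rules, pkt: Packet) -> tuple:
    """First match wins, as in ipfw; returns (rule number, action)."""
    for rule in sorted(rules, key=lambda r: r.number):   # stable: ties keep list order
        if matches(rule, pkt):
            return rule.number, rule.action
    return 65535, "deny"   # ipfw's implicit default rule

# The reporter's rule set, as listed in the PR.
REPORTED = [
    Rule(330, "allow", "tcp", "any", established=True),
    Rule(361, "deny", "ip", "203.83.248.93"),
    Rule(361, "deny", "ip", "72.30.142.215"),
    Rule(567, "deny", "ip", "193.200.241.171"),
    Rule(567, "deny", "ip", "221.192.199.36"),
    Rule(65535, "deny", "ip", "any"),
]

# Hardened ordering (constructed): host-specific denies placed in front of
# "established", so ACK-bearing packets from those hosts cannot ride rule 330.
HARDENED = [Rule(300, r.action, r.proto, r.src)
            for r in REPORTED if r.action == "deny" and r.src != "any"] + REPORTED
```

With the reported order, `evaluate(REPORTED, Packet("tcp", "221.192.199.36", SYN))` gives (567, "deny") while the same host's ACK packet gives (330, "allow"). If bare SYNs are still observed passing on a real system, `ipfw show` lists the rules numbered below 330 that the PR does not include, and the counters identify which rule actually matched.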