From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 9 11:07:12 2012 Return-Path: Delivered-To: freebsd-ipfw@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id CD290106566C for ; Mon, 9 Jul 2012 11:07:12 +0000 (UTC) (envelope-from owner-bugmaster@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id B6B128FC1C for ; Mon, 9 Jul 2012 11:07:12 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.5/8.14.5) with ESMTP id q69B7CrV075455 for ; Mon, 9 Jul 2012 11:07:12 GMT (envelope-from owner-bugmaster@FreeBSD.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.5/8.14.5/Submit) id q69B7CaD075453 for freebsd-ipfw@FreeBSD.org; Mon, 9 Jul 2012 11:07:12 GMT (envelope-from owner-bugmaster@FreeBSD.org) Date: Mon, 9 Jul 2012 11:07:12 GMT Message-Id: <201207091107.q69B7CaD075453@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: gnats set sender to owner-bugmaster@FreeBSD.org using -f From: FreeBSD bugmaster To: freebsd-ipfw@FreeBSD.org Cc: Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 09 Jul 2012 11:07:12 -0000 Note: to view an individual PR, use: http://www.freebsd.org/cgi/query-pr.cgi?pr=(number). The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases. S Tracker Resp. Description -------------------------------------------------------------------------------- o kern/169206 ipfw [ipfw] ipfw does not flush entries in table o conf/167822 ipfw [ipfw] [patch] start script doesn't load firewall_type o kern/166406 ipfw [ipfw] ipfw does not set ALTQ identifier for ipv6 traf o kern/165190 ipfw [ipfw] [lo] [patch] loopback interface is not marking f kern/163873 ipfw [ipfw] ipfw fwd does not work with 'via interface' in o kern/158066 ipfw [ipfw] ipfw + netgraph + multicast = multicast packets o kern/157796 ipfw [ipfw] IPFW in-kernel NAT nat loopback / Default Route o kern/157689 ipfw [ipfw] ipfw nat config does not accept nonexistent int f kern/155927 ipfw [ipfw] ipfw stops to check packets for compliance with o bin/153252 ipfw [ipfw][patch] ipfw lockdown system in subsequent call o kern/153161 ipfw [ipfw] does not support specifying rules with ICMP cod o kern/152113 ipfw [ipfw] page fault on 8.1-RELEASE caused by certain amo o kern/148827 ipfw [ipfw] divert broken with in-kernel ipfw o kern/148689 ipfw [ipfw] antispoof wrongly triggers on link local IPv6 a o kern/148430 ipfw [ipfw] IPFW schedule delete broken. o kern/148091 ipfw [ipfw] ipfw ipv6 handling broken. o kern/143973 ipfw [ipfw] [panic] ipfw forward option causes kernel reboo o kern/143621 ipfw [ipfw] [dummynet] [patch] dummynet and vnet use result o kern/137346 ipfw [ipfw] ipfw nat redirect_proto is broken o kern/137232 ipfw [ipfw] parser troubles o kern/135476 ipfw [ipfw] IPFW table breaks after adding a large number o o kern/129036 ipfw [ipfw] 'ipfw fwd' does not change outgoing interface n p kern/128260 ipfw [ipfw] [patch] ipfw_divert damages IPv6 packets o kern/127230 ipfw [ipfw] [patch] Feature request to add UID and/or GID l f kern/122963 ipfw [ipfw] tcpdump does not show packets redirected by 'ip s kern/121807 ipfw [request] TCP and UDP port_table in ipfw o kern/121122 ipfw [ipfw] [patch] add support to ToS IP PRECEDENCE fields o kern/116009 ipfw [ipfw] [patch] Ignore errors when loading ruleset from o bin/104921 ipfw [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a o kern/104682 ipfw [ipfw] [patch] Some minor language consistency fixes a o kern/103454 ipfw [ipfw] [patch] [request] add a facility to modify DF b o kern/103328 ipfw [ipfw] [request] sugestions about ipfw table o kern/102471 ipfw [ipfw] [patch] add tos and dscp support o kern/97951 ipfw [ipfw] [patch] ipfw does not tie interface details to o kern/95084 ipfw [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v o kern/86957 ipfw [ipfw] [patch] ipfw mac logging o bin/83046 ipfw [ipfw] ipfw2 error: "setup" is allowed for icmp, but s o kern/82724 ipfw [ipfw] [patch] [request] Add setnexthop and defaultrou o bin/78785 ipfw [patch] ipfw(8) verbosity locks machine if /etc/rc.fir o bin/65961 ipfw [ipfw] ipfw2 memory corruption inside add() o kern/60719 ipfw [ipfw] Headerless fragments generate cryptic error mes s kern/55984 ipfw [ipfw] [patch] time based firewalling support for ipfw o kern/48172 ipfw [ipfw] [patch] ipfw does not log size and flags o kern/46159 ipfw [ipfw] [patch] [request] ipfw dynamic rules lifetime f a kern/26534 ipfw [ipfw] Add an option to ipfw to log gid/uid of who cau 45 problems total. From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 9 23:42:49 2012 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 715C61065675 for ; Mon, 9 Jul 2012 23:42:49 +0000 (UTC) (envelope-from rg@progtech.net) Received: from webfw.progtech.net (fw1.progtech.net [195.226.167.243]) by mx1.freebsd.org (Postfix) with ESMTP id E5CFA8FC0C for ; Mon, 9 Jul 2012 23:42:48 +0000 (UTC) X-Virus-Scanned: amavisd-new at progtech.net Received: from [127.0.0.1] (localhost [127.0.0.1]) by webfw.progtech.net (8.14.5/8.14.2) with ESMTP id q69NI4Nx041301 for ; Tue, 10 Jul 2012 01:18:04 +0200 (CEST) (envelope-from rg@progtech.net) Message-ID: <4FFB66AB.2020306@progtech.net> Date: Tue, 10 Jul 2012 01:18:03 +0200 From: Rolf Grossmann User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20120614 Thunderbird/13.0.1 MIME-Version: 1.0 To: freebsd-ipfw@freebsd.org X-Enigmail-Version: 1.4.2 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Subject: Equivalent of in_port and out_port with in-kernel nat? X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 09 Jul 2012 23:42:49 -0000 Hi, I've started switching my machines to in-kernel nat and I've run into a case where I need to tell the nat instance which packets to treat as incoming and which as outgoing. With natd I've been able to use divert with different ports and in_port and out_port options. The in-kernel nat however doesn't seem to have a method of specifying nat direction and instead always uses the information from the interface. My question is, am I missing something? Is there a patch I could try? Has the issue even come up before? Thanks, Rolf. From owner-freebsd-ipfw@FreeBSD.ORG Tue Jul 10 12:12:48 2012 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx2.freebsd.org (mx2.freebsd.org [IPv6:2001:4f8:fff6::35]) by hub.freebsd.org (Postfix) with ESMTP id 2AFAB106566B for ; Tue, 10 Jul 2012 12:12:48 +0000 (UTC) (envelope-from melifaro@FreeBSD.org) Received: from dhcp170-36-red.yandex.net (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx2.freebsd.org (Postfix) with ESMTP id 463CC14E120; Tue, 10 Jul 2012 12:12:47 +0000 (UTC) Message-ID: <4FFC1BE8.6010205@FreeBSD.org> Date: Tue, 10 Jul 2012 16:11:20 +0400 From: "Alexander V. Chernikov" User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:12.0) Gecko/20120511 Thunderbird/12.0.1 MIME-Version: 1.0 To: Rolf Grossmann References: <4FFB66AB.2020306@progtech.net> In-Reply-To: <4FFB66AB.2020306@progtech.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-ipfw@freebsd.org Subject: Re: Equivalent of in_port and out_port with in-kernel nat? X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 10 Jul 2012 12:12:48 -0000 On 10.07.2012 03:18, Rolf Grossmann wrote: > Hi, > > I've started switching my machines to in-kernel nat and I've run into a > case where I need to tell the nat instance which packets to treat as > incoming and which as outgoing. With natd I've been able to use divert > with different ports and in_port and out_port options. The in-kernel nat > however doesn't seem to have a method of specifying nat direction and > instead always uses the information from the interface. Not exactly. If we're talking about ipfw nat, situation is the following: ipfw nat module determines direction the following way: if outgoing interface exists (e.g. ipfw is called after routing decision is done, "out" case) then inside->outside translation is called ( LibAliasOut founction) otherwise outside->inside is called ( LibAliasIn). This behavior can be reverted by specifying 'reverse' keyword in nat configuration. Alternatively, you can specify in/out explicitly by using ng_nat with ng_ipfw. > > My question is, am I missing something? Is there a patch I could try? > Has the issue even come up before? > > Thanks, Rolf. > > _______________________________________________ > freebsd-ipfw@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" > -- WBR, Alexander From owner-freebsd-ipfw@FreeBSD.ORG Sat Jul 14 16:14:45 2012 Return-Path: Delivered-To: freebsd-ipfw@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 1237C106566B; Sat, 14 Jul 2012 16:14:45 +0000 (UTC) (envelope-from crees@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id D9C658FC0A; Sat, 14 Jul 2012 16:14:44 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.5/8.14.5) with ESMTP id q6EGEiFh024143; Sat, 14 Jul 2012 16:14:44 GMT (envelope-from crees@freefall.freebsd.org) Received: (from crees@localhost) by freefall.freebsd.org (8.14.5/8.14.5/Submit) id q6EGEi7P024139; Sat, 14 Jul 2012 16:14:44 GMT (envelope-from crees) Date: Sat, 14 Jul 2012 16:14:44 GMT Message-Id: <201207141614.q6EGEi7P024139@freefall.freebsd.org> To: crees@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-ipfw@FreeBSD.org From: crees@FreeBSD.org Cc: Subject: Re: kern/165939: [ipw] security bug: incomplete firewall rules loaded if tables are used in ipfw.conf X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 14 Jul 2012 16:14:45 -0000 Synopsis: [ipw] security bug: incomplete firewall rules loaded if tables are used in ipfw.conf Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw Responsible-Changed-By: crees Responsible-Changed-When: Sat Jul 14 16:14:12 UTC 2012 Responsible-Changed-Why: Beg pardon-- forgot there was a mailing list http://www.freebsd.org/cgi/query-pr.cgi?pr=165939 From owner-freebsd-ipfw@FreeBSD.ORG Sat Jul 14 17:49:28 2012 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C894D106566C; Sat, 14 Jul 2012 17:49:28 +0000 (UTC) (envelope-from smithi@nimnet.asn.au) Received: from sola.nimnet.asn.au (paqi.nimnet.asn.au [115.70.110.159]) by mx1.freebsd.org (Postfix) with ESMTP id 4CDCD8FC0A; Sat, 14 Jul 2012 17:49:28 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by sola.nimnet.asn.au (8.14.2/8.14.2) with ESMTP id q6EHnJtA046403; Sun, 15 Jul 2012 03:49:20 +1000 (EST) (envelope-from smithi@nimnet.asn.au) Date: Sun, 15 Jul 2012 03:49:19 +1000 (EST) From: Ian Smith To: crees@freebsd.org In-Reply-To: <201207141614.q6EGEi7P024139@freefall.freebsd.org> Message-ID: <20120715025005.I74353@sola.nimnet.asn.au> References: <201207141614.q6EGEi7P024139@freefall.freebsd.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Cc: freebsd-ipfw@freebsd.org, freebsd-bugs@freebsd.org Subject: Re: kern/165939: [ipw] security bug: incomplete firewall rules loaded if tables are used in ipfw.conf X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 14 Jul 2012 17:49:28 -0000 On Sat, 14 Jul 2012, crees@freebsd.org wrote: > http://www.freebsd.org/cgi/query-pr.cgi?pr=165939 > Description > If user has tables used in /etc/ipfw.conf for example: > > table 1 add 64.6.108.239 > > then firewall restart: > > /etc/rc.d/ipfw start > > fails with: > Line 8: setsockopt(IP_FW_TABLE_ADD): File exists > Firewall rules loaded. > > and incomplete ruleset is loaded. This is serious security problem. > > How-To-Repeat > Fix > in /etc/rc.firewall > > after ${fwcmd} -f flush > you need to flush tables too with command > > ipfw table all flush Yes, to such a ruleset you'd need to add 'table all flush' too. ipfw flush specifically does not flush tables. I've long relied upon that, using mostly static tables only reloaded from a file saved hourly by cron, when $firewall_script finds tables are not loaded - ie at boot. cheers, Ian From owner-freebsd-ipfw@FreeBSD.ORG Sat Jul 14 17:59:56 2012 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A1A351065670; Sat, 14 Jul 2012 17:59:56 +0000 (UTC) (envelope-from utisoft@gmail.com) Received: from mail-bk0-f54.google.com (mail-bk0-f54.google.com [209.85.214.54]) by mx1.freebsd.org (Postfix) with ESMTP id ECD738FC0A; Sat, 14 Jul 2012 17:59:55 +0000 (UTC) Received: by bkcje9 with SMTP id je9so4053185bkc.13 for ; Sat, 14 Jul 2012 10:59:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=ajdfYuNlAwnqfbOkimablkifD95VjBLlyLt4aFheMWQ=; b=COpC9G2DQilMqKr+zNv9n7D4TNIbdLRcS4mGhoQJGQx7A5VEaaFYpkPAPNdmIGavWo /yWGZB95Yxk6TGa8HcP2X+tzM0fpCrZOxXeYgP5LeABlZbQ/fZcFgPso0/0oLOHHzjnw Ns2qaZ7Fy023yyM2SH6e5w/eQAKr4JgC6FCc4ONVC+HTj6Xg09d2+09VHyYox2jwebpb Ud8/EsJhjZCHcwAXaKXXgPmhEq7DCBMEHK7lcZRVfPRySHFvTcPviFrTbV5iRNxeXIVl QbUlCL8O51mU/5grpwShLLGXqFRqzi08VzsFhCqCLt36fq06+5+w2KInPV+Q5gFlflOJ Jegw== MIME-Version: 1.0 Received: by 10.204.152.27 with SMTP id e27mr2706832bkw.56.1342288794861; Sat, 14 Jul 2012 10:59:54 -0700 (PDT) Received: by 10.204.49.87 with HTTP; Sat, 14 Jul 2012 10:59:54 -0700 (PDT) Received: by 10.204.49.87 with HTTP; Sat, 14 Jul 2012 10:59:54 -0700 (PDT) In-Reply-To: <20120715025005.I74353@sola.nimnet.asn.au> References: <201207141614.q6EGEi7P024139@freefall.freebsd.org> <20120715025005.I74353@sola.nimnet.asn.au> Date: Sat, 14 Jul 2012 18:59:54 +0100 Message-ID: From: Chris Rees To: Ian Smith Content-Type: text/plain; charset=ISO-8859-1 X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: freebsd-ipfw@freebsd.org, freebsd-bugs@freebsd.org Subject: Re: kern/165939: [ipw] security bug: incomplete firewall rules loaded if tables are used in ipfw.conf X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 14 Jul 2012 17:59:56 -0000 On 14 Jul 2012 18:49, "Ian Smith" wrote: > > On Sat, 14 Jul 2012, crees@freebsd.org wrote: > > http://www.freebsd.org/cgi/query-pr.cgi?pr=165939 > > > Description > > If user has tables used in /etc/ipfw.conf for example: > > > > table 1 add 64.6.108.239 > > > > then firewall restart: > > > > /etc/rc.d/ipfw start > > > > fails with: > > Line 8: setsockopt(IP_FW_TABLE_ADD): File exists > > Firewall rules loaded. > > > > and incomplete ruleset is loaded. This is serious security problem. > > > > How-To-Repeat > > Fix > > in /etc/rc.firewall > > > > after ${fwcmd} -f flush > > you need to flush tables too with command > > > > ipfw table all flush > > Yes, to such a ruleset you'd need to add 'table all flush' too. > > ipfw flush specifically does not flush tables. I've long relied upon > that, using mostly static tables only reloaded from a file saved hourly > by cron, when $firewall_script finds tables are not loaded - ie at boot. Not A Bug then? Chris From owner-freebsd-ipfw@FreeBSD.ORG Sat Jul 14 18:51:42 2012 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 9586F1065672; Sat, 14 Jul 2012 18:51:42 +0000 (UTC) (envelope-from smithi@nimnet.asn.au) Received: from sola.nimnet.asn.au (paqi.nimnet.asn.au [115.70.110.159]) by mx1.freebsd.org (Postfix) with ESMTP id 184BF8FC19; Sat, 14 Jul 2012 18:51:41 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by sola.nimnet.asn.au (8.14.2/8.14.2) with ESMTP id q6EIpeNC048485; Sun, 15 Jul 2012 04:51:40 +1000 (EST) (envelope-from smithi@nimnet.asn.au) Date: Sun, 15 Jul 2012 04:51:39 +1000 (EST) From: Ian Smith To: Chris Rees In-Reply-To: Message-ID: <20120715042336.H74353@sola.nimnet.asn.au> References: <201207141614.q6EGEi7P024139@freefall.freebsd.org> <20120715025005.I74353@sola.nimnet.asn.au> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Cc: freebsd-ipfw@freebsd.org, freebsd-bugs@freebsd.org Subject: Re: kern/165939: [ipw] security bug: incomplete firewall rules loaded if tables are used in ipfw.conf X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 14 Jul 2012 18:51:42 -0000 On Sat, 14 Jul 2012 18:59:54 +0100, Chris Rees wrote: > On 14 Jul 2012 18:49, "Ian Smith" wrote: > > > > On Sat, 14 Jul 2012, crees@freebsd.org wrote: > > > http://www.freebsd.org/cgi/query-pr.cgi?pr=165939 [..] > > Yes, to such a ruleset you'd need to add 'table all flush' too. > > > > ipfw flush specifically does not flush tables. I've long relied upon > > that, using mostly static tables only reloaded from a file saved hourly > > by cron, when $firewall_script finds tables are not loaded - ie at boot. > > Not A Bug then? Not For Me at least, Chris. Maybe ipfw(8) isn't specific enough about flush? I can't speak for others, but don't think flushing all tables in rc.firewall useful when it's easy to include in your particular ruleset. cheers, Ian From owner-freebsd-ipfw@FreeBSD.ORG Sat Jul 14 21:03:36 2012 Return-Path: Delivered-To: freebsd-ipfw@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 0C483106566B; Sat, 14 Jul 2012 21:03:36 +0000 (UTC) (envelope-from crees@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id D3D338FC17; Sat, 14 Jul 2012 21:03:35 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.5/8.14.5) with ESMTP id q6EL3ZbR059358; Sat, 14 Jul 2012 21:03:35 GMT (envelope-from crees@freefall.freebsd.org) Received: (from crees@localhost) by freefall.freebsd.org (8.14.5/8.14.5/Submit) id q6EL3ZAN059354; Sat, 14 Jul 2012 21:03:35 GMT (envelope-from crees) Date: Sat, 14 Jul 2012 21:03:35 GMT Message-Id: <201207142103.q6EL3ZAN059354@freefall.freebsd.org> To: crees@FreeBSD.org, freebsd-ipfw@FreeBSD.org, secteam@FreeBSD.org From: crees@FreeBSD.org Cc: Subject: Re: kern/165939: [ipw] security bug: incomplete firewall rules loaded if tables are used in ipfw.conf X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 14 Jul 2012 21:03:36 -0000 Synopsis: [ipw] security bug: incomplete firewall rules loaded if tables are used in ipfw.conf Responsible-Changed-From-To: freebsd-ipfw->secteam Responsible-Changed-By: crees Responsible-Changed-When: Sat Jul 14 21:00:29 UTC 2012 Responsible-Changed-Why: Reassign as per request. http://www.freebsd.org/cgi/query-pr.cgi?pr=165939 From owner-freebsd-ipfw@FreeBSD.ORG Sat Jul 14 21:46:56 2012 Return-Path: Delivered-To: freebsd-ipfw@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 7B889106564A; Sat, 14 Jul 2012 21:46:56 +0000 (UTC) (envelope-from remko@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 4E6C28FC12; Sat, 14 Jul 2012 21:46:56 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.5/8.14.5) with ESMTP id q6ELkuUw065591; Sat, 14 Jul 2012 21:46:56 GMT (envelope-from remko@freefall.freebsd.org) Received: (from remko@localhost) by freefall.freebsd.org (8.14.5/8.14.5/Submit) id q6ELkuc3065587; Sat, 14 Jul 2012 21:46:56 GMT (envelope-from remko) Date: Sat, 14 Jul 2012 21:46:56 GMT Message-Id: <201207142146.q6ELkuc3065587@freefall.freebsd.org> To: remko@FreeBSD.org, secteam@FreeBSD.org, freebsd-ipfw@FreeBSD.org From: remko@FreeBSD.org Cc: Subject: Re: kern/165939: [ipw] bug: incomplete firewall rules loaded if tables are used in ipfw.conf X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 14 Jul 2012 21:46:56 -0000 Old Synopsis: [ipw] security bug: incomplete firewall rules loaded if tables are used in ipfw.conf New Synopsis: [ipw] bug: incomplete firewall rules loaded if tables are used in ipfw.conf Responsible-Changed-From-To: secteam->freebsd-ipfw Responsible-Changed-By: remko Responsible-Changed-When: Sat Jul 14 21:46:10 UTC 2012 Responsible-Changed-Why: After consulting with the secteam members, it seems that this might indeed be a documentation issue or a bug. Assign it per example of crees to the IPFW team. http://www.freebsd.org/cgi/query-pr.cgi?pr=165939