From owner-freebsd-security Thu Jan 30 08:58:16 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id IAA18966 for security-outgoing; Thu, 30 Jan 1997 08:58:16 -0800 (PST)
Received: from smokey.systemics.com (smokey.systemics.com [193.67.124.65]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id IAA18961 for ; Thu, 30 Jan 1997 08:58:12 -0800 (PST)
Received: from internal-mail.systemics.com (cunAg+AZjsjCG0k13y/vO6fdTv2hgkbY@internal-mail.systemics.com [193.67.124.74]) by smokey.systemics.com (8.6.12/8.6.12) with ESMTP id RAA07545; Thu, 30 Jan 1997 17:58:34 +0100
Received: from localhost (localhost [127.0.0.1]) by internal-mail.systemics.com with SMTP id RAA23236; Thu, 30 Jan 1997 17:57:59 +0100 (MET)
Message-Id: <199701301657.RAA23236@internal-mail.systemics.com>
X-Authentication-Warning: kampai.systemics.com: Host localhost [127.0.0.1] didn't use HELO protocol
X-Mailer: exmh version 1.6.9 8/22/96
To: znek@object-factory.com (Marcus Mueller)
cc: freebsd-security@freebsd.org
Subject: Re: ipfw trouble under FreeBSD 2.1.5
In-reply-to: Your message of "30 Jan 1997 15:49:50 GMT." <5cqfuu$sqt@leonie.object-factory.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 30 Jan 1997 17:57:59 +0100
From: Gary Howland
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> Hi,
>
> it seems that ipfw under FreeBSD 2.1.5 has a bug which leads to deny-rules
> being applied to connections which should have been accepted before.
> (That means a 65000 deny blah from blah to blah matches a connection which
> should have been accepted by a 10000 allow blah from blah to blah).
> In certain cases - though not deterministically - I have to flush the list
> and then set up all rules again for the firewall to function properly.
> In some cases this does not help, however.
>
> Is this problem known and solved under FreeBSD 2.1.6?

Are you certain? Are you catering for fragmented packets?

In other words, do you have a rule like this:

    # Allow all fragments
    /sbin/ipfw add pass ip from any to any frag

BTW - my security skills are currently for hire, preferably in Europe :-)

Gary
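The mechanism behind Gary's question, as an added example that is not part of the original thread and not FreeBSD's ipfw source: ipfw walks its rules in ascending number order and the first match decides the packet. A non-first IP fragment carries no TCP/UDP header, so a rule that names ports (such as a `10000 allow tcp ... 80`) can never match it, and it falls through to the catch-all deny unless an explicit `frag` rule sits in front of that deny. The model below is deliberately minimal (only protocol, addresses, one destination port and the `frag` keyword); the rule numbers 10000 and 65000 come from the quoted message, while the addresses, the port and rule 10010 are constructed for the illustration.

```python
"""
Simplified model of ipfw first-match rule evaluation (illustration only,
not FreeBSD's ipfw implementation). It shows why a port-based allow rule
cannot match a non-first fragment, and how a `frag` rule in front of the
final deny fixes that.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str            # protocol from the IP header: "tcp", "udp", "icmp"
    src: str
    dst: str
    dport: Optional[int]  # None when no transport header is present
    frag_offset: int = 0  # > 0 means this is not the first fragment

    @property
    def is_nonfirst_fragment(self) -> bool:
        return self.frag_offset > 0


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                 # "allow" or "deny"
    proto: str                  # "ip" matches any protocol
    src: str                    # "any" or a single address
    dst: str
    dport: Optional[int] = None  # destination port constraint, if any
    frag: bool = False          # `frag` keyword: match only non-first fragments

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src != "any" and self.src != p.src:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.frag and not p.is_nonfirst_fragment:
            return False
        if self.dport is not None:
            # A non-first fragment has no TCP/UDP header, so a port
            # constraint can never be satisfied by it.
            if p.is_nonfirst_fragment or p.dport is None:
                return False
            if p.dport != self.dport:
                return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> Rule:
    """Return the first rule (in ascending number order) that matches p."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(p):
            return rule
    raise RuntimeError("no rule matched; the ruleset lacks a catch-all")


# Constructed ruleset: rule numbers 10000 and 65000 follow the quoted
# message; the server address, port 80 and rule 10010 are made up here.
WEB_SERVER = "10.0.0.5"
ALLOW_HTTP = Rule(10000, "allow", "tcp", "any", WEB_SERVER, dport=80)
ALLOW_FRAGS = Rule(10010, "allow", "ip", "any", "any", frag=True)
DENY_ALL = Rule(65000, "deny", "ip", "any", "any")

WITHOUT_FRAG_RULE = [ALLOW_HTTP, DENY_ALL]
WITH_FRAG_RULE = [ALLOW_HTTP, ALLOW_FRAGS, DENY_ALL]

# Constructed sample traffic: one HTTP datagram split in two. The first
# fragment carries the TCP header; the second carries payload only.
FIRST_FRAG = Packet("tcp", "192.0.2.7", WEB_SERVER, dport=80, frag_offset=0)
SECOND_FRAG = Packet("tcp", "192.0.2.7", WEB_SERVER, dport=None, frag_offset=185)


def verdict(rules: List[Rule], p: Packet) -> str:
    """Human-readable outcome, e.g. 'deny by rule 65000'."""
    rule = evaluate(rules, p)
    return f"{rule.action} by rule {rule.number}"


if __name__ == "__main__":
    for name, rules in (("without frag rule", WITHOUT_FRAG_RULE),
                        ("with frag rule", WITH_FRAG_RULE)):
        print(name)
        print("  first fragment :", verdict(rules, FIRST_FRAG))
        print("  second fragment:", verdict(rules, SECOND_FRAG))
```

Run stand-alone, the first ruleset lets the first fragment through on rule 10000 but drops the second on rule 65000, which is exactly the "deny rule matched a connection the allow rule should have accepted" symptom; the second ruleset passes the second fragment on the `frag` rule. Because only datagrams larger than the path MTU get fragmented, a firewall missing such a rule breaks some transfers and not others, which would also explain why the problem looks non-deterministic if fragmentation is indeed the cause.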