Date: Thu, 30 Jan 1997 17:57:59 +0100
From: Gary Howland <gary@systemics.com>
To: znek@object-factory.com (Marcus Mueller)
Cc: freebsd-security@freebsd.org
Subject: Re: ipfw trouble under FreeBSD 2.1.5
Message-ID: <199701301657.RAA23236@internal-mail.systemics.com>
In-Reply-To: Your message of "30 Jan 1997 15:49:50 GMT." <5cqfuu$sqt@leonie.object-factory.com>
> Hi,
>
> it seems that ipfw under FreeBSD 2.1.5 has a bug which leads to deny-rules
> being applied to connections which should have been accepted before.
> (That means a 65000 deny blah from blah to blah matches a connection which
> should have been accepted by a 10000 allow blah from blah to blah).
> In certain cases - though not deterministically - I have to flush the list
> and then set up all rules again for the firewall to function properly.
> In some cases this does not help, however.
>
> Is this problem known and solved under FreeBSD 2.1.6?

Are you certain? Are you catering for fragmented packets?

In other words, do you have a rule like this:

# Allow all fragments
/sbin/ipfw add pass ip from any to any frag

BTW - my security skills are currently for hire, preferably in Europe :-)

Gary
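The effect Gary is pointing at, as an added illustration that is not part of the original thread: a small first-match simulator of ipfw-style rule evaluation. It assumes the ipfw(8) semantics that a non-first fragment (nonzero offset) carries no transport header and therefore never matches a rule with a port specification, and that the "frag" keyword matches only such non-first fragments; rule numbers and addresses are constructed.

```python
# Added example, not from the thread: a first-match simulator of ipfw-style
# rule evaluation. Assumed semantics (from ipfw(8)): a non-first fragment has
# no transport header, so it never matches a rule with a port spec, and the
# "frag" keyword matches only such non-first fragments.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    number: int
    action: str                  # "allow" or "deny"
    proto: str                   # "ip" matches any protocol
    src: str                     # address or "any"
    dst: str
    dport: Optional[int] = None  # port spec
    frag: bool = False           # "frag" keyword

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int]         # None when the transport header is absent
    frag_offset: int = 0         # >0 marks a non-first fragment

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto not in ("ip", pkt.proto):
        return False
    if rule.src not in ("any", pkt.src) or rule.dst not in ("any", pkt.dst):
        return False
    if rule.frag and pkt.frag_offset == 0:
        return False
    if rule.dport is not None and (pkt.frag_offset > 0 or pkt.dport != rule.dport):
        return False
    return True

def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Walk rules in ascending number (as ipfw does); return 'allow N' or 'deny N'."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):
            return f"{rule.action} {rule.number}"
    return "deny default"

# Constructed rule set shaped like the one described in the thread.
BASE = [Rule(10000, "allow", "tcp", "any", "10.0.0.5", dport=25),
        Rule(65000, "deny", "ip", "any", "any")]
WITH_FRAG = [Rule(100, "allow", "ip", "any", "any", frag=True)] + BASE
FIRST = Packet("tcp", "192.0.2.1", "10.0.0.5", 25)           # first fragment
LATER = Packet("tcp", "192.0.2.1", "10.0.0.5", None, 185)    # later fragment
```

Without the frag rule the later fragments of an accepted connection fall through to rule 65000, which is exactly the "deny applied to an allowed connection" symptom; with it they are passed by rule 100.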