Date: Sat, 27 Jan 2001 08:14:32 -0800
From: Ron 'The InSaNe One' Rosson <insane@lunatic.oneinsane.net>
To: freebsd-stable@freebsd.org
Subject: Re: IPFilter will not allow traceroute anymore
Message-ID: <20010127081431.B83055@lunatic.oneinsane.net>
In-Reply-To: <20010127075959.A83055@lunatic.oneinsane.net>; from insane@lunatic.oneinsane.net on Sat, Jan 27, 2001 at 07:59:59AM -0800
References: <20010127075959.A83055@lunatic.oneinsane.net>
Ron 'The InSaNe One' Rosson (insane@lunatic.oneinsane.net) wrote:
> On 01/23/2001 there was a change made to IPFilter's ip_state.c file. The
> change for some reason has caused tracerouting to stop working when
> using the following ruleset:
>
> # Ruleset taken from http://www.obfuscation.org/ipf/ipf-howto.txt
> # Section 7.1
>
> pass in quick on lo0 all
> pass out quick on lo0 all
>
> block in log all
> block out all
>
> # This allows for AUTH
> pass in quick proto tcp from any to any port = 113 flags S/SA keep state
>
> # This allows for FTP
> pass in quick proto tcp from any port = 20 to any port 39999 >< 45000 flags S/SA keep state
>
> pass out quick proto icmp from any to any keep state
> pass out quick proto tcp/udp from any to any keep state keep frags
>
> The earlier version of this file had the same problem as well but there
> was a patch available that I have been using. With the changes made to
> the ip_state.c file this patch no longer applies cleanly. I will attach
> the patch as an attachment to this email.
>
> If I should turn this into a send-pr, just say the word and it will be done.
>
> TIA
>
> P.S. An admin who misses his traceroute ;-)

Damn.... Forgot to attach the darn file

-- 
------------------------------------------------------------------------------
Ron Rosson                          ... and a UNIX user said ...
The InSaNe One                               rm -rf *
insane@oneinsane.net                and all was /dev/null and *void()
------------------------------------------------------------------------------
You can be replaced by a machine that flushes.
Attachment: icmp.patch
Index: ip_state.c =================================================================== RCS file: /home/freebsd/CVS/src/sys/netinet/ip_state.c,v retrieving revision 1.13.2.3 diff -u -u -w -r1.13.2.3 ip_state.c --- ip_state.c 2000/07/19 23:27:55 1.13.2.3 +++ ip_state.c 2000/07/29 10:44:21 @@ -1000,6 +1000,12 @@ if (fin->fin_plen < ICMPERR_MAXPKTLEN + ((oip->ip_hl - 5) << 2)) return NULL; + /* in the IPv4 case we must zero the i6addr union otherwise + the IP6EQ and IP6NEQ macros produce the wrong results because + of the 'junk' in the unused part of the union */ + bzero(&src, sizeof(src)); + bzero(&dst, sizeof(dst)); + if (oip->ip_p == IPPROTO_ICMP) { icmp = (icmphdr_t *)((char *)oip + (oip->ip_hl << 2)); @@ -1029,6 +1035,7 @@ hv %= fr_statesize; oip->ip_len = ntohs(oip->ip_len); + ofin.fin_v = 4; fr_makefrip(oip->ip_hl << 2, oip, &ofin); oip->ip_len = htons(oip->ip_len); ofin.fin_ifp = fin->fin_ifp; @@ -1078,6 +1085,7 @@ */ savelen = oip->ip_len; oip->ip_len = ip->ip_len - (ip->ip_hl << 2) - ICMPERR_ICMPHLEN; + ofin.fin_v = 4; /* without this fr_makefrip gets very confused */ fr_makefrip(oip->ip_hl << 2, oip, &ofin); oip->ip_len = savelen; ofin.fin_ifp = fin->fin_ifp; @@ -1579,6 +1587,7 @@ hv %= fr_statesize; oip->ip6_plen = ntohs(oip->ip6_plen); + ofin.fin_v = 6; fr_makefrip(sizeof(*oip), (ip_t *)oip, &ofin); oip->ip6_plen = htons(oip->ip6_plen); ofin.fin_ifp = fin->fin_ifp;
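Review bot: in the first hunk (@@ -1000,6 +1000,12 @@) the two bzero() calls are placed correctly, after the `return NULL` length check and before anything reads src or dst, but the comment needs more than "junk": say which locals src and dst are (the i6addr unions the quoted inner header's addresses are copied into), that only the IPv4 word gets written so the other three words keep whatever the stack held, and that IP6EQ/IP6NEQ compare the whole union, so the match outcome depends on stale stack contents rather than on the addresses. Put it in the file's block-comment style with a leading `*` on each continuation line. Also consider the alternative of making IP6EQ/IP6NEQ compare only the IPv4 word when fin_v == 4, which removes the need to remember a bzero() at every future call site.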
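Review bot: `ofin.fin_v = 4;` in the second hunk (@@ -1029,6 +1035,7 @@) has no comment while the identical line in the following hunk does; give both the same one-line explanation (fr_makefrip() interprets the header it is handed according to fin_v, so it must be set first). The same assignment now appears at three call sites, which suggests a more robust fix: have fr_makefrip() take the version from the header's own version nibble, or at least assert that fin_v is 4 or 6 on entry, so the next caller cannot silently leave it unset.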
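Review bot: the comment `/* without this fr_makefrip gets very confused */` in the third hunk (@@ -1078,6 +1085,7 @@) records a symptom, not a cause, and will not help the next reader; replace it with what actually goes wrong, along the lines of "fr_makefrip() parses the header according to fin_v; left unset here, the quoted inner IPv4 header is parsed with the wrong layout and the state lookup that follows compares garbage". The ip_len save/restore around the call is unchanged by the patch and is fine.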
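Review bot: the IPv6 hunk (@@ -1579,6 +1587,7 @@) sets `ofin.fin_v = 6;` before fr_makefrip() and is consistent with the v4 hunks, with no bzero() needed there since the IPv6 path fills all four words of the union. The larger problem is the diff header: it was taken against revision 1.13.2.3 of 2000/07/19, and the mail says ip_state.c changed on 01/23/2001, which is why it no longer applies cleanly. Regenerate it against the current -stable ip_state.c before turning it into a send-pr, and check whether the 2001 change already zeroes src/dst or sets fin_v at any of these sites, in which case the corresponding hunks are redundant.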
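To make the failure mode behind the missing traceroute concrete, here is an added example that is not part of the thread and not IPFilter code. It uses a constructed stand-in for the IPv4/IPv6 address union and the whole-union compare that the patch comment describes, and shows that an inbound ICMP time-exceeded quoting an outbound traceroute probe fails to match the probe's state entry when the unused words of the union hold stale stack data, but matches once the union is zeroed first (the patch's fix) or compared version-aware (the alternative). The type and function names, the addresses 192.0.2.10 and 198.51.100.1, the ports, and the stale value 0xdeadbeef are all assumptions for illustration.

```c
/* Added example: uninitialized address union vs. stateful ICMP matching.
 * All types and names are constructed stand-ins, not IPFilter's own. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Stand-in for an i6addr-style union: IPv4 uses only the first word,
 * IPv6 uses all four. */
typedef union {
    uint32_t in4;
    uint32_t in6[4];
} addr_t;

/* One state-table entry (assumed layout). */
typedef struct {
    int      v;            /* IP version the entry was created for */
    addr_t   src, dst;
    uint16_t sport, dport;
} state_t;

/* Whole-union comparison, the IP6EQ-style check: looks at all 16 bytes
 * regardless of version. */
static int addr_eq_wide(const addr_t *a, const addr_t *b)
{
    return memcmp(a, b, sizeof *a) == 0;
}

/* Version-aware comparison: only the bytes the version actually uses. */
static int addr_eq(const addr_t *a, const addr_t *b, int v)
{
    return v == 4 ? a->in4 == b->in4 : addr_eq_wide(a, b);
}

/* Simulate filling a stack-resident union that may still hold stale data
 * from a previous caller: poison all four words, optionally zero the union
 * (the bzero() the patch adds), then write only the IPv4 word. */
static void load_v4(addr_t *a, const char *dotted, uint32_t stale, int zero_first)
{
    a->in6[0] = a->in6[1] = a->in6[2] = a->in6[3] = stale;
    if (zero_first)
        memset(a, 0, sizeof *a);
    inet_pton(AF_INET, dotted, &a->in4);
}

/* State entry created when the outbound traceroute probe passed a
 * "pass out ... keep state" rule. Constructed with clean unions, which is
 * what happens when the stack slot happened to be zero at that moment. */
static state_t probe_state(void)
{
    state_t s;
    memset(&s, 0, sizeof s);
    s.v = 4;
    load_v4(&s.src, "192.0.2.10", 0, 1);    /* our host (assumed) */
    load_v4(&s.dst, "198.51.100.1", 0, 1);  /* traceroute target (assumed) */
    s.sport = 40000;
    s.dport = 33434;
    return s;
}

/* Match an inbound ICMP time-exceeded whose quoted inner header repeats
 * the probe above. Returns 1 if the error would be passed by state,
 * 0 if it would be blocked (which traceroute shows as "* * *"). */
static int icmp_error_matches(uint32_t stale, int zero_unions, int version_aware)
{
    state_t s = probe_state();
    addr_t  src, dst;   /* fresh stack locals, exactly like the kernel's */

    /* Addresses pulled out of the quoted inner IPv4 header. */
    load_v4(&src, "192.0.2.10", stale, zero_unions);
    load_v4(&dst, "198.51.100.1", stale, zero_unions);

    if (version_aware)
        return addr_eq(&src, &s.src, s.v) && addr_eq(&dst, &s.dst, s.v);
    return addr_eq_wide(&src, &s.src) && addr_eq_wide(&dst, &s.dst);
}

int main(void)
{
    printf("clean stack, wide compare : %d\n", icmp_error_matches(0, 0, 0));
    printf("stale stack, wide compare : %d\n", icmp_error_matches(0xdeadbeefu, 0, 0));
    printf("stale stack, bzero first  : %d\n", icmp_error_matches(0xdeadbeefu, 1, 0));
    printf("stale stack, v4-aware cmp : %d\n", icmp_error_matches(0xdeadbeefu, 0, 1));
    return 0;
}
```

The first case is the one that makes this class of bug hard to reproduce: with a clean stack the wide compare happens to succeed, so the same ruleset can work on one kernel build and fail on another depending on what the preceding code left in those words. Both fixes make the result depend only on the addresses; zeroing is the smaller patch, the version-aware compare is the one that cannot be forgotten at a new call site.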