Date: Sat, 27 Jan 2001 08:23:30 -0800
From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
To: Ron Rosson <insane@lunatic.oneinsane.net>
Cc: freebsd-stable@FreeBSD.ORG
Subject: Re: IPFilter will not allow traceroute anymore
Message-ID: <200101271624.f0RGO0c57680@cwsys.cwsent.com>
In-Reply-To: Your message of "Sat, 27 Jan 2001 08:14:32 PST." <20010127081431.B83055@lunatic.oneinsane.net>
You're probably better off installing IPF 3.4.16. There have been many bugfixes and improvements since 3.4.8 (the version of IPF packaged with FreeBSD-STABLE).

Regards,                          Phone:  (250)387-8437
Cy Schubert                       Fax:    (250)387-5766
Team Leader, Sun/Alpha Team       Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

In message <20010127081431.B83055@lunatic.oneinsane.net>, "Ron 'The InSaNe One' Rosson" writes:
> Ron 'The InSaNe One' Rosson (insane@lunatic.oneinsane.net) wrote:
> > On 01/23/2001 there was a change made to IPFilter's ip_state.c file. The
> > change for some reason has caused tracerouting to stop working when
> > using the following ruleset:
> >
> > # Ruleset taken from http://www.obfuscation.org/ipf/ipf-howto.txt
> > # Section 7.1
> >
> > pass in quick on lo0 all
> > pass out quick on lo0 all
> >
> > block in log all
> > block out all
> >
> > # This allows for AUTH
> > pass in quick proto tcp from any to any port = 113 flags S/SA keep state
> >
> > #This allows for FTP
> > pass in quick proto tcp from any port = 20 to any port 39999 >< 45000
> > flags S/SA
> > keep state
> >
> > pass out quick proto icmp from any to any keep state
> > pass out quick proto tcp/udp from any to any keep state keep frags
> >
> > The earlier version of this file had the same problem as well but there
> > was a patch available that I have been using. With the changes made to
> > the ip_state.c file this patch no longer applies cleanly. I will attach
> > the patch as an attachment to this email.
> >
> > If I should turn this into a send-pr, just say the word and it will be done.
> >
> > TIA
> >
> > P.S. An admin who misses his traceroute ;-)
>
> Damn.... Forgot to attach the dan file
> --
> -----------------------------------------------------------------------------
> Ron Rosson                    ... and a UNIX user said ...
> The InSaNe One rm -rf * > insane@oneinsane.net and all was /dev/null and *void() > ----------------------------------------------------------------------------- > - > You can be replaced by a machine that flushes. > > --9amGYk9869ThD9tj > Content-Type: text/plain; charset=us-ascii > Content-Disposition: attachment; filename="icmp.patch" > > Index: ip_state.c > =================================================================== > RCS file: /home/freebsd/CVS/src/sys/netinet/ip_state.c,v > retrieving revision 1.13.2.3 > diff -u -u -w -r1.13.2.3 ip_state.c > --- ip_state.c 2000/07/19 23:27:55 1.13.2.3 > +++ ip_state.c 2000/07/29 10:44:21 > @@ -1000,6 +1000,12 @@ > if (fin->fin_plen < ICMPERR_MAXPKTLEN + ((oip->ip_hl - 5) << 2)) > return NULL; > > + /* in the IPv4 case we must zero the i6addr union otherwise > + the IP6EQ and IP6NEQ macros produce the wrong results because > + of the 'junk' in the unused part of the union */ > + bzero(&src, sizeof(src)); > + bzero(&dst, sizeof(dst)); > + > if (oip->ip_p == IPPROTO_ICMP) { > icmp = (icmphdr_t *)((char *)oip + (oip->ip_hl << 2)); > > @@ -1029,6 +1035,7 @@ > hv %= fr_statesize; > > oip->ip_len = ntohs(oip->ip_len); > + ofin.fin_v = 4; > fr_makefrip(oip->ip_hl << 2, oip, &ofin); > oip->ip_len = htons(oip->ip_len); > ofin.fin_ifp = fin->fin_ifp; > @@ -1078,6 +1085,7 @@ > */ > savelen = oip->ip_len; > oip->ip_len = ip->ip_len - (ip->ip_hl << 2) - ICMPERR_ICMPHLEN; > + ofin.fin_v = 4; /* without this fr_makefrip gets very confused */ > fr_makefrip(oip->ip_hl << 2, oip, &ofin); > oip->ip_len = savelen; > ofin.fin_ifp = fin->fin_ifp; 
> @@ -1579,6 +1587,7 @@ > hv %= fr_statesize; > > oip->ip6_plen = ntohs(oip->ip6_plen); > + ofin.fin_v = 6; > fr_makefrip(sizeof(*oip), (ip_t *)oip, &ofin); > oip->ip6_plen = htons(oip->ip6_plen); > ofin.fin_ifp = fin->fin_ifp; > > --9amGYk9869ThD9tj-- > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-stable" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
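Review bot: the bzero() of src and dst in the first hunk (@@ -1000) treats the symptom rather than the cause: IP6EQ/IP6NEQ compare all 16 bytes of the union even when the packet is IPv4, so every other place that fills an i6addr for IPv4 has the same exposure. Either make the comparison family-aware (compare only the v4 word when fin_v == 4) or state in the comment that zeroing before filling is a required invariant for every caller, not just this one.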
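Review bot: `ofin.fin_v = 4;` in the second hunk (@@ -1029) initialises a single field of ofin right before fr_makefrip(); if ofin is a stack local, any other field fr_makefrip reads is just as stale. Zeroing the whole struct once where ofin is declared (bzero(&ofin, sizeof(ofin))) and setting fin_v there would cover this call and the one at @@ -1078 with a single change.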
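Review bot: the comment `/* without this fr_makefrip gets very confused */` in the third hunk (@@ -1078) should say what actually goes wrong: fr_makefrip needs fin_v to decide whether it is looking at an IPv4 or an IPv6 header (the @@ -1579 hunk sets fin_v = 6 before the same call), and a stale value makes it mis-parse the quoted inner header. The line duplicates the assignment added at @@ -1029; if both call sites stay, give them the same explanatory comment.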
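Review bot: in the IPv6 hunk (@@ -1579) the `(ip_t *)oip` cast passed to fr_makefrip() is only safe because fin_v is now 6 on the line above it; a short comment on the cast saying it depends on that ordering would keep a later edit from separating the two lines. The src/dst bzero() from @@ -1000 is not needed on this path, since an IPv6 address occupies the whole union.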
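The mismatch behind Ron's broken traceroute, as an added C illustration that is not part of this thread or of IPFilter: an i6addr-style union compared at full width (the IP6EQ style) fails to match two equal IPv4 addresses when the unused 12 bytes hold stale stack data, and matches once the union is zeroed first, which is what the patch's bzero() does. The union, struct and function names are assumptions, and the addresses and stale-byte fill are constructed.

```c
#include <stdint.h>
#include <string.h>
/* Assumed stand-in for IPFilter's i6addr union (not IPFilter's own code):
 * an IPv4 address uses the first 32-bit word, IPv6 uses all four. */
typedef union {
    uint32_t in4;
    uint32_t in6[4];
} addr_t;

/* Compare in the style of the IP6EQ macro: every byte of the union,
 * whether or not the packet is IPv4. */
static int ip6eq(const addr_t *a, const addr_t *b) {
    return memcmp(a, b, sizeof(*a)) == 0;
}
/* State entry created by the outbound UDP traceroute probe; this path
 * zeroes the whole union before storing the IPv4 word. */
typedef struct { addr_t src, dst; } state_t;

static state_t make_state(uint32_t src4, uint32_t dst4) {
    state_t s;
    memset(&s, 0, sizeof(s));
    s.src.in4 = src4;
    s.dst.in4 = dst4;
    return s;
}
/* ICMP-error path: copy the quoted inner header's IPv4 addresses into
 * stack locals and look for matching state. zero_union == 1 is the patch's
 * bzero(); the 0xA5/0x5A fill is constructed stale stack content. */
static int icmp_error_matches_state(const state_t *st, uint32_t inner_src4,
                                    uint32_t inner_dst4, int zero_union) {
    addr_t src, dst;
    memset(&src, 0xA5, sizeof(src));
    memset(&dst, 0x5A, sizeof(dst));
    if (zero_union) {
        memset(&src, 0, sizeof(src));
        memset(&dst, 0, sizeof(dst));
    }
    src.in4 = inner_src4;
    dst.in4 = inner_dst4;
    /* the quoted packet is our own probe, so src/dst must equal the state's */
    return ip6eq(&src, &st->src) && ip6eq(&dst, &st->dst);
}

/* Probe 10.0.0.1 -> 192.0.2.1 (constructed), then the ICMP time-exceeded
 * quoting that probe arrives; returns 1 if the error is matched to state. */
int traceroute_reply_allowed(int zero_union) {
    state_t st = make_state(0x0A000001u, 0xC0000201u);
    return icmp_error_matches_state(&st, 0x0A000001u, 0xC0000201u, zero_union);
}
```

With zero_union set to 0 the ICMP error never matches the state and is dropped by `block in log all`, which is what the missing traceroute hops look like from the admin's side.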