Date: Thu, 3 Oct 2002 10:07:25 +0200
From: Aragon Gouveia
To: freebsd-security@freebsd.org
Subject: ipfw failing to "check-state"
Message-ID: <20021003080725.GF46789@phat.za.net>

Hi,

I've recently installed 4.7-RC from sources. I'm having difficulty getting
dynamic rules working with ipfw. Here is the output from 'ipfw -d show':

00100 0 0 check-state
01000 574 354032 allow tcp from any to 66.8.x.y 25 keep-state setup
65535 11589448 7623002626 allow ip from any to any
## Dynamic rules:
01000 397 312298 (T 299, slot 77) <-> tcp, 66.8.x.y 32145<-> 66.8.x.y 25
01000 13 572 (T 297, slot 97) <-> tcp, 196.26.x.y 1781<-> 66.8.x.y 25
01000 5 216 (T 297, slot 187) <-> tcp, 196.36.x.y 1525<-> 66.8.x.y 25
01000 21 1566 (T 299, slot 196) <-> tcp, 66.8.x.y 3794<-> 66.8.x.y 25

As can be seen above, no traffic is matching rule 100 as it should. If it
weren't for my default allow rule, smtp connections would not work to the
machine specified in rule 1000.

I'm using IPFW1, not IPFW2.

I posted to questions@ yesterday but have received no response so far. This
looks very much like an ipfw bug but I wanted to confirm it here before
PR'ing. Has anyone else experienced this?

Thanks,
Aragon