Date: Tue, 04 Feb 2003 15:46:59 +0300
From: Serg Repalov <rs@rambler.ru>
To: questions@FreeBSD.org
Subject: possible error: ipfw in FreeBSD 5.0 Release doesn't understand uid flag
Message-ID: <3E3FB643.4000701@rambler.ru>
It seems that ipfw in 5.0-Release doesn't understand the uid flag properly. This is the example:

------- 8< ----- begin of example
# uname -a
FreeBSD h7.asni.rsu.ru 5.0-RELEASE FreeBSD 5.0-RELEASE #0: Thu Jan 16 22:16:53 GMT 2003 root@hollin.btc.adaptec.com:/usr/obj/usr/src/sys/GENERIC i386
# ipfw show
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 21 2643 allow ip from 195.208.251.207 to 195.208.251.192/27
00500 20 3312 allow ip from 195.208.251.192/27 to 195.208.251.207
00600 1360 1025936 allow tcp from any to any established
00700 0 0 allow ip from any to any frag
00800 0 0 allow tcp from any to 195.208.251.207 dst-port 25 setup
00900 0 0 allow tcp from any to any uid rs
01100 0 0 allow udp from 195.208.251.207 to any dst-port 53 keep-state
01200 0 0 allow udp from 195.208.251.207 to any dst-port 123 keep-state
60000 35 7462 deny log ip from any to any
65535 23 4616 deny ip from any to any
# su -l rs
%id
uid=1001(rs) gid=1001(admin) groups=1001(admin), 0(wheel)
%telnet 195.208.254.1 22
Trying 195.208.254.1...
telnet: connect to address 195.208.254.1: Permission denied
telnet: Unable to connect to remote host
%logout
# ipfw add 910 allow tcp from any to any gid admin
00910 allow tcp from any to any gid admin
# ipfw show
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 22 2715 allow ip from 195.208.251.207 to 195.208.251.192/27
00500 21 3411 allow ip from 195.208.251.192/27 to 195.208.251.207
00600 1360 1025936 allow tcp from any to any established
00700 0 0 allow ip from any to any frag
00800 0 0 allow tcp from any to 195.208.251.207 dst-port 25 setup
00900 0 0 allow tcp from any to any uid rs
00910 0 0 allow tcp from any to any gid admin
01100 0 0 allow udp from 195.208.251.207 to any dst-port 53 keep-state
01200 0 0 allow udp from 195.208.251.207 to any dst-port 123 keep-state
60000 37 7600 deny log ip from any to any
65535 23 4616 deny ip from any to any
# su -l rs
%id
uid=1001(rs) gid=1001(admin) groups=1001(admin), 0(wheel)
%telnet 195.208.254.1 22
Trying 195.208.254.1...
Connected to ns.mis.rsu.ru.
Escape character is '^]'.
SSH-1.99-OpenSSH_2.2.0
^]
telnet> quit
Connection closed.
%logout
h7# ipfw show
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 23 2787 allow ip from 195.208.251.207 to 195.208.251.192/27
00500 22 3510 allow ip from 195.208.251.192/27 to 195.208.251.207
00600 1372 1026597 allow tcp from any to any established
00700 0 0 allow ip from any to any frag
00800 0 0 allow tcp from any to 195.208.251.207 dst-port 25 setup
00900 0 0 allow tcp from any to any uid rs
00910 1 60 allow tcp from any to any gid admin
01100 0 0 allow udp from 195.208.251.207 to any dst-port 53 keep-state
01200 0 0 allow udp from 195.208.251.207 to any dst-port 123 keep-state
60000 38 7829 deny log ip from any to any
65535 23 4616 deny ip from any to any
#tail -10
------- >8 ----- end of example

In the /var/log/security one line is added:

------- 8< ----- begin
Feb 4 15:16:22 h7 kernel: ipfw: 60000 Deny TCP 195.208.251.207:49171 195.208.254.1:22 out via xl0
------- >8 ----- end

As you see, the rule "allow tcp from any to any uid rs", which uses the "uid" flag, doesn't work as expected. :( But the rule that uses gid is working. Or, in other case, maybe I don't understand how the "uid" flag must work?

Serg Repalov
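An added example, not part of the post and not FreeBSD code: a small Python helper that does mechanically what the post does by eye, diffing the packet and byte counters of two "ipfw show" listings to see which rule a connection actually hit, and splitting the ipfw syslog entry from /var/log/security into fields. The counter text and the log line are copied from the post above (rules not involved are left out).

```python
import re

# Counters copied from the post: the listing before the second telnet and the one after it.
SHOW_BEFORE = """\
00900 0 0 allow tcp from any to any uid rs
00910 0 0 allow tcp from any to any gid admin
60000 37 7600 deny log ip from any to any
65535 23 4616 deny ip from any to any
"""
SHOW_AFTER = """\
00900 0 0 allow tcp from any to any uid rs
00910 1 60 allow tcp from any to any gid admin
60000 38 7829 deny log ip from any to any
65535 23 4616 deny ip from any to any
"""
# The /var/log/security line quoted in the post.
LOG_LINE = ("Feb 4 15:16:22 h7 kernel: ipfw: 60000 Deny TCP "
            "195.208.251.207:49171 195.208.254.1:22 out via xl0")

RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(.+)$")
LOG_RE = re.compile(r"ipfw: (\d+) (\w+) (\w+) (\S+) (\S+) (in|out) via (\S+)")


def parse_show(text):
    """Map rule number -> (packets, bytes, rule text) from `ipfw show` output."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            num, pkts, nbytes, body = m.groups()
            rules[int(num)] = (int(pkts), int(nbytes), body)
    return rules


def counter_deltas(before, after):
    """Rules whose packet counter moved between two snapshots -> (dpkts, dbytes, rule text)."""
    old, new = parse_show(before), parse_show(after)
    deltas = {}
    for num, (pkts, nbytes, body) in new.items():
        opkts, obytes, _ = old.get(num, (0, 0, body))  # a rule added in between starts at 0
        if pkts != opkts:
            deltas[num] = (pkts - opkts, nbytes - obytes, body)
    return deltas


def parse_security_line(line):
    """Fields of an ipfw syslog entry such as the 'Deny TCP ... out via xl0' line above."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rule, action, proto, src, dst, direction, iface = m.groups()
    return {"rule": int(rule), "action": action, "proto": proto, "src": src,
            "dst": dst, "dir": direction, "iface": iface}
```

Running counter_deltas over the two listings reports only rules 00910 (+1 packet, +60 bytes) and 60000 (+1 packet, +229 bytes), which is the evidence the post draws its conclusion from.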