From owner-freebsd-questions Tue Feb 4 4:48: 9 2003
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B053E37B401 for ; Tue, 4 Feb 2003 04:48:05 -0800 (PST)
Received: from mail.asni.rsu.ru (mail.asni.rsu.ru [195.208.251.195]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2B9E643FA7 for ; Tue, 4 Feb 2003 04:48:03 -0800 (PST) (envelope-from rs@rambler.ru)
Received: from rambler.ru (h7.asni.rsu.ru [195.208.251.207]) by mail.asni.rsu.ru (8.11.1/8.11.1) with ESMTP id h14CrR332960 for ; Tue, 4 Feb 2003 15:53:29 +0300 (MSK) (envelope-from rs@rambler.ru)
Message-ID: <3E3FB643.4000701@rambler.ru>
Date: Tue, 04 Feb 2003 15:46:59 +0300
From: Serg Repalov
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.3a) Gecko/20021212
X-Accept-Language: ru, en-us, en
MIME-Version: 1.0
To: questions@FreeBSD.org
Subject: possible error: ipfw in FreeBSD 5.0 Release don't understand uid flag
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

It seems that ipfw in 5.0-Release doesn't understand the uid flag properly.
This is the example:

------- 8< ----- begin of example
# uname -a
FreeBSD h7.asni.rsu.ru 5.0-RELEASE FreeBSD 5.0-RELEASE #0: Thu Jan 16 22:16:53 GMT 2003 root@hollin.btc.adaptec.com:/usr/obj/usr/src/sys/GENERIC i386
# ipfw show
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 21 2643 allow ip from 195.208.251.207 to 195.208.251.192/27
00500 20 3312 allow ip from 195.208.251.192/27 to 195.208.251.207
00600 1360 1025936 allow tcp from any to any established
00700 0 0 allow ip from any to any frag
00800 0 0 allow tcp from any to 195.208.251.207 dst-port 25 setup
00900 0 0 allow tcp from any to any uid rs
01100 0 0 allow udp from 195.208.251.207 to any dst-port 53 keep-state
01200 0 0 allow udp from 195.208.251.207 to any dst-port 123 keep-state
60000 35 7462 deny log ip from any to any
65535 23 4616 deny ip from any to any
# su -l rs
%id
uid=1001(rs) gid=1001(admin) groups=1001(admin), 0(wheel)
%telnet 195.208.254.1 22
Trying 195.208.254.1...
telnet: connect to address 195.208.254.1: Permission denied
telnet: Unable to connect to remote host
%logout
# ipfw add 910 allow tcp from any to any gid admin
00910 allow tcp from any to any gid admin
# ipfw show
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 22 2715 allow ip from 195.208.251.207 to 195.208.251.192/27
00500 21 3411 allow ip from 195.208.251.192/27 to 195.208.251.207
00600 1360 1025936 allow tcp from any to any established
00700 0 0 allow ip from any to any frag
00800 0 0 allow tcp from any to 195.208.251.207 dst-port 25 setup
00900 0 0 allow tcp from any to any uid rs
00910 0 0 allow tcp from any to any gid admin
01100 0 0 allow udp from 195.208.251.207 to any dst-port 53 keep-state
01200 0 0 allow udp from 195.208.251.207 to any dst-port 123 keep-state
60000 37 7600 deny log ip from any to any
65535 23 4616 deny ip from any to any
# su -l rs
%id
uid=1001(rs) gid=1001(admin) groups=1001(admin), 0(wheel)
%telnet 195.208.254.1 22
Trying 195.208.254.1...
Connected to ns.mis.rsu.ru.
Escape character is '^]'.
SSH-1.99-OpenSSH_2.2.0
^]
telnet> quit
Connection closed.
%logout
h7# ipfw show
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 23 2787 allow ip from 195.208.251.207 to 195.208.251.192/27
00500 22 3510 allow ip from 195.208.251.192/27 to 195.208.251.207
00600 1372 1026597 allow tcp from any to any established
00700 0 0 allow ip from any to any frag
00800 0 0 allow tcp from any to 195.208.251.207 dst-port 25 setup
00900 0 0 allow tcp from any to any uid rs
00910 1 60 allow tcp from any to any gid admin
01100 0 0 allow udp from 195.208.251.207 to any dst-port 53 keep-state
01200 0 0 allow udp from 195.208.251.207 to any dst-port 123 keep-state
60000 38 7829 deny log ip from any to any
65535 23 4616 deny ip from any to any
#tail -10
------- >8 ----- end of example

In the /var/log/security one line is added:

------- 8< ----- begin
Feb 4 15:16:22 h7 kernel: ipfw: 60000 Deny TCP 195.208.251.207:49171 195.208.254.1:22 out via xl0
------- >8 ----- end

As you see, the rule "allow tcp from any to any uid rs", which uses the "uid" flag, doesn't work as expected. :( But the rule that uses gid is working. Or, in the other case, maybe I don't understand how the "uid" flag must work?

Serg Repalov

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
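As an added example (not part of Serg's post or of FreeBSD), here is a small Python helper that does mechanically what the transcript above does by eye: it parses two "ipfw show" listings, reports which rules' packet and byte counters grew in between, flags rules that carry a given option word (such as "uid") but have never matched a packet, and ties an ipfw "log" line from /var/log/security back to the rule that produced it. The two listings and the log line embedded below are copied from the post (the first listing and the one taken right after the denied telnet); the function names and the regular expressions are my own and assume the counter-first output format shown in the post.

```python
import re
from typing import Dict, List, Optional, Tuple

# One line of "ipfw show" as printed in the post: rule number, packet
# counter, byte counter, then the rule body.
_SHOW_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.*\S)\s*$")

# One kernel log entry written by a rule with the "log" option, e.g.
#   ipfw: 60000 Deny TCP 195.208.251.207:49171 195.208.254.1:22 out via xl0
_LOG_LINE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) (?P<src>\S+) (?P<dst>\S+) "
    r"(?P<dir>in|out)(?: via (?P<iface>\S+))?"
)

Rule = Tuple[int, int, str]  # (packets, bytes, rule body)


def parse_ipfw_show(text: str) -> Dict[int, Rule]:
    """Map rule number -> (packets, bytes, body) for every counted rule in a listing."""
    rules: Dict[int, Rule] = {}
    for line in text.splitlines():
        m = _SHOW_LINE.match(line)
        if m:
            num, pkts, nbytes, body = m.groups()
            rules[int(num)] = (int(pkts), int(nbytes), body)
    return rules


def counter_deltas(before: Dict[int, Rule], after: Dict[int, Rule]) -> List[Tuple[int, int, int, str]]:
    """Rules whose counters grew between two listings, as (rule, +packets, +bytes, body).

    A rule present only in 'after' (added between the two listings) starts from zero.
    """
    deltas = []
    for num in sorted(after):
        pkts, nbytes, body = after[num]
        old_pkts, old_bytes = before.get(num, (0, 0, body))[:2]
        if pkts > old_pkts or nbytes > old_bytes:
            deltas.append((num, pkts - old_pkts, nbytes - old_bytes, body))
    return deltas


def idle_rules(rules: Dict[int, Rule], keyword: str) -> List[int]:
    """Rule numbers whose body contains the option word 'keyword' but that never matched."""
    return [num for num, (pkts, _, body) in sorted(rules.items())
            if keyword in body.split() and pkts == 0]


def parse_ipfw_log_line(line: str) -> Optional[Dict[str, str]]:
    """Fields of an ipfw log entry, or None when the line is not one."""
    m = _LOG_LINE.search(line)
    return m.groupdict() if m else None


def rule_for_log_entry(line: str, deltas: List[Tuple[int, int, int, str]]):
    """Counter delta of the rule named in a log line, if that rule's counters grew."""
    entry = parse_ipfw_log_line(line)
    if entry is None:
        return None
    rule = int(entry["rule"])
    return next((d for d in deltas if d[0] == rule), None)


# Listing taken before the telnet attempt (copied from the post above).
BEFORE = """
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 21 2643 allow ip from 195.208.251.207 to 195.208.251.192/27
00500 20 3312 allow ip from 195.208.251.192/27 to 195.208.251.207
00600 1360 1025936 allow tcp from any to any established
00700 0 0 allow ip from any to any frag
00800 0 0 allow tcp from any to 195.208.251.207 dst-port 25 setup
00900 0 0 allow tcp from any to any uid rs
01100 0 0 allow udp from 195.208.251.207 to any dst-port 53 keep-state
01200 0 0 allow udp from 195.208.251.207 to any dst-port 123 keep-state
60000 35 7462 deny log ip from any to any
65535 23 4616 deny ip from any to any
"""

# Listing taken after the denied telnet and after adding rule 910 (copied from the post).
AFTER = """
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 22 2715 allow ip from 195.208.251.207 to 195.208.251.192/27
00500 21 3411 allow ip from 195.208.251.192/27 to 195.208.251.207
00600 1360 1025936 allow tcp from any to any established
00700 0 0 allow ip from any to any frag
00800 0 0 allow tcp from any to 195.208.251.207 dst-port 25 setup
00900 0 0 allow tcp from any to any uid rs
00910 0 0 allow tcp from any to any gid admin
01100 0 0 allow udp from 195.208.251.207 to any dst-port 53 keep-state
01200 0 0 allow udp from 195.208.251.207 to any dst-port 123 keep-state
60000 37 7600 deny log ip from any to any
65535 23 4616 deny ip from any to any
"""

# The /var/log/security line from the post.
LOG_LINE = "Feb 4 15:16:22 h7 kernel: ipfw: 60000 Deny TCP 195.208.251.207:49171 195.208.254.1:22 out via xl0"

if __name__ == "__main__":
    before, after = parse_ipfw_show(BEFORE), parse_ipfw_show(AFTER)
    for num, dp, db, body in counter_deltas(before, after):
        print(f"rule {num:05d}: +{dp} packets, +{db} bytes   {body}")
    print("uid rules that never matched:", idle_rules(after, "uid"))
    print("log entry belongs to:", rule_for_log_entry(LOG_LINE, counter_deltas(before, after)))
```

Run over the post's own listings, the deltas show that the catch-all "deny log" rule 60000 took the traffic while rule 900 (the uid rule) stayed at zero, and the security log entry resolves to that same rule 60000. Comparing counters this way, rather than reading the listing once, is the quickest check of which rule actually handled a flow when an expected match does not fire.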