From owner-freebsd-security Thu Oct 29 02:28:24 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA04439 for freebsd-security-outgoing; Thu, 29 Oct 1998 02:28:24 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ns.cityip.co.za (ns.cityip.co.za [196.25.223.140]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id CAA04434 for ; Thu, 29 Oct 1998 02:28:20 -0800 (PST) (envelope-from wjv@cityip.co.za)
Received: from wjv by ns.cityip.co.za with local (Exim 1.82 #2) id 0zYpJM-0003p4-00; Thu, 29 Oct 1998 12:28:12 +0200
Message-ID: <19981029122811.A14672@cityip.co.za>
Date: Thu, 29 Oct 1998 12:28:11 +0200
From: Johann Visagie
To: security@FreeBSD.ORG
Subject: Connections succeed even though denied by IPFW
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.91.1i
X-PGP: ftp://ftp.cityip.co.za/users/wjv/pubkey.asc
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I have a rather strange situation here, on a 2.2.5-REL box which currently
has an uptime of over 100 days (I don't know if that might affect it in any
way).

Basically, connections which are denied by the IPFW settings in
/etc/rc.firewall succeed, _even though IPFW logs the packets as being
denied_!  Here is an example of an attempt to connect to my telnetd and
popper.  Note that IPFW successfully denies the packets, but tcpd then gets
to reject the connections:

Oct 27 15:09:16 ns /kernel: ipfw: 6410 Deny TCP 196.15.149.140:1030 196.25.223.161:23 in via ed0
Oct 27 15:09:17 ns telnetd[5955]: refused connect from jhb140.shisas.co.za
Oct 27 15:09:17 ns /kernel: ipfw: 6410 Deny TCP 196.15.149.140:1033 255.255.255.255:110 in via ed0
Oct 27 15:09:19 ns telnetd[5956]: refused connect from jhb140.shisas.co.za
Oct 27 15:09:19 ns popper[5957]: refused connect from jhb140.shisas.co.za
Oct 27 15:09:20 ns /kernel: ipfw: 6410 Deny TCP 196.15.149.140:1052 196.25.223.161:110 in via ed0
Oct 27 15:09:22 ns popper[5959]: refused connect from jhb140.shisas.co.za

I have double checked - if I configure my TCP wrappers to allow a specific
connection, then it can be made successfully, even though the packet
filtering rules should disallow it (and log it that they do).

In a word: "Huh?"

-- V
Johann Visagie | wjv@CityIP.co.za | Tel: +27 21 419-7878 | ICQ: 20645559

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
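The contradiction the post describes (an ipfw "Deny" logged for a port, followed a second or two later by a tcpd "refused connect" for a daemon on that same port, which should never have seen the packet) is mechanical enough to check from syslog. Below is an added example, not code from the post or from FreeBSD, that parses the excerpt above (embedded verbatim as the constructed sample) and pairs each tcpd refusal with the nearest earlier unpaired ipfw deny for the same destination port. The daemon-to-port table, the 5-second pairing window and the one-to-one pairing rule are assumptions of the example; the host name in the tcpd lines is not resolved, so pairing is on port and time only, and the deny's destination address is reported so the reader can see for themselves when it differs from the server's own address.

```python
"""Correlate ipfw 'Deny' kernel log lines with tcpd 'refused connect' lines.

A packet that the firewall really dropped never reaches the listener, so a
deny followed shortly by a tcpd refusal on the same port is the anomaly
reported in the post.  Denies with no following refusal are the normal case.
"""
import re
from datetime import datetime, timedelta

# Constructed sample input: the log excerpt from the post, copied verbatim.
SAMPLE_LOG = """\
Oct 27 15:09:16 ns /kernel: ipfw: 6410 Deny TCP 196.15.149.140:1030 196.25.223.161:23 in via ed0
Oct 27 15:09:17 ns telnetd[5955]: refused connect from jhb140.shisas.co.za
Oct 27 15:09:17 ns /kernel: ipfw: 6410 Deny TCP 196.15.149.140:1033 255.255.255.255:110 in via ed0
Oct 27 15:09:19 ns telnetd[5956]: refused connect from jhb140.shisas.co.za
Oct 27 15:09:19 ns popper[5957]: refused connect from jhb140.shisas.co.za
Oct 27 15:09:20 ns /kernel: ipfw: 6410 Deny TCP 196.15.149.140:1052 196.25.223.161:110 in via ed0
Oct 27 15:09:22 ns popper[5959]: refused connect from jhb140.shisas.co.za
"""

# Assumption: the listening port of each tcpd-wrapped daemon seen in the excerpt.
DAEMON_PORT = {"telnetd": 23, "popper": 110}

TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)"
IPFW_RE = re.compile(
    TS + r"\s+\S+\s+/kernel: ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)
TCPD_RE = re.compile(
    TS + r"\s+\S+\s+(?P<daemon>\w+)\[(?P<pid>\d+)\]: refused connect from (?P<peer>\S+)"
)


def parse_ts(ts):
    # syslog stamps carry no year; strptime's default 1900 is fine for deltas
    return datetime.strptime(" ".join(ts.split()), "%b %d %H:%M:%S")


def parse(log):
    """Split a syslog excerpt into ipfw deny records and tcpd refusal records."""
    denies, refusals = [], []
    for line in log.splitlines():
        m = IPFW_RE.match(line)
        if m and m.group("action") == "Deny":
            d = m.groupdict()
            d["time"], d["dport"] = parse_ts(d["ts"]), int(d["dport"])
            denies.append(d)
            continue
        m = TCPD_RE.match(line)
        if m:
            r = m.groupdict()
            r["time"], r["port"] = parse_ts(r["ts"]), DAEMON_PORT.get(r["daemon"])
            refusals.append(r)
    return denies, refusals


def correlate(log, window=timedelta(seconds=5)):
    """Pair each tcpd refusal with the earliest unpaired ipfw deny on the same
    port within `window` before it.  Returns the three outcome classes."""
    denies, refusals = parse(log)
    unused = list(denies)
    contradictions, unexplained = [], []
    for r in sorted(refusals, key=lambda x: x["time"]):
        cands = [d for d in unused
                 if d["dport"] == r["port"]
                 and timedelta(0) <= r["time"] - d["time"] <= window]
        if cands:
            d = min(cands, key=lambda x: x["time"])
            unused.remove(d)          # one deny explains at most one refusal
            contradictions.append({
                "daemon": r["daemon"], "port": r["port"], "rule": d["rule"],
                "src": d["src"], "denied_dst": d["dst"],
                "delay_s": int((r["time"] - d["time"]).total_seconds()),
            })
        else:
            # the daemon saw a connection for which no deny was logged at all
            unexplained.append({"daemon": r["daemon"], "time": r["ts"], "peer": r["peer"]})
    # leftover denies are the expected outcome: dropped, never seen by a daemon
    return {"contradictions": contradictions,
            "unexplained_refusals": unexplained,
            "enforced_denies": unused}


if __name__ == "__main__":
    report = correlate(SAMPLE_LOG)
    for c in report["contradictions"]:
        print("DENIED-BUT-REACHED rule %s %s -> %s:%d, %s refused %ds later"
              % (c["rule"], c["src"], c["denied_dst"], c["port"], c["daemon"], c["delay_s"]))
    for u in report["unexplained_refusals"]:
        print("NO-DENY-LOGGED %s %s refused %s" % (u["time"], u["daemon"], u["peer"]))
    print("denies with no following refusal: %d" % len(report["enforced_denies"]))
```

Run against the excerpt, every deny is followed by a refusal on the same port, and the second telnetd refusal has no deny logged for it at all, which is the shape of the problem the post reports. Feeding the same script a syslog from a box where the filter is enforcing should put every deny in the "enforced" bucket.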