From owner-freebsd-security Mon Feb 8 06:00:54 1999
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA07902 for freebsd-security-outgoing; Mon, 8 Feb 1999 06:00:54 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from citadel.cdsec.com (citadel.cdsec.com [192.96.22.18]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA07897 for ; Mon, 8 Feb 1999 06:00:50 -0800 (PST) (envelope-from ian@cdsec.com)
Received: (from nobody@localhost) by citadel.cdsec.com (8.8.8/8.6.9) id QAA28414; Mon, 8 Feb 1999 16:00:47 +0200 (SAST)
Received: by citadel via recvmail id 28412; Mon Feb 8 16:00:11 1999
Message-ID: <36BEEEC5.9899B557@cdsec.com>
Date: Mon, 08 Feb 1999 16:03:49 +0200
From: Ian Cooper
Reply-To: ian@cdsec.com
Organization: Citadel Data Security
X-Mailer: Mozilla 4.5 [en] (WinNT; I)
X-Accept-Language: en
MIME-Version: 1.0
To: security@FreeBSD.ORG
CC: Matt Behrens
Subject: Re: bypassing "allow ip from any to any"?
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Matt

The answer to this is fairly simple. The ipfw code in the kernel has a
default rule, 65535, which can never be deleted. This rule denies all
packets. The open "firewall" runs by adding a rule 65000 in rc.firewall,
which allows all packets, and since its number is lower than the 65535
rule, will override it.

What has apparently happened is that the kernel routines have received
some packets (netbios it appears) just after the network has come up, but
before the ipfw 65000 rule has been added by rc.firewall. The result is
that the packets match the default 65535 rule and are denied.

Ian

Matt Behrens wrote:
>
> I rebooted one of my boxes 24 hours ago. I run the "open" firewall
> set with ppp -alias (as an on-demand packet filter, I know, I should
> do better) ;) but saw something strange in last night's security
> check.
>
> Rule 65000 clearly states
>
> 65000 allow ip from any to any
>
> yet this came across in my logs last night:
>
> xxx.xxx.xxx denied packets:
>
> 65535 2 139 deny ip from any to any
>
> I don't see how it could, unless someone was fudging with my ipfw
> config. Or do I just not know something? (I do run options NETATALK
> here, could that somehow have snuck in?)
>
> - Matt Behrens
>   Network Administrator, zigg.com
>   Engineer, Nameless IRC Network

--
Ian Cooper                              E-mail: ian@cdsec.com
Citadel Data Security                   Phone:  +27 21 423-6065
Firewalls/Virtual Private Networks      Fax:    +27 21 424-3656
Data Security Products                  WWW:    http://www.cdsec.com/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
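The ordering behaviour the reply relies on (rules evaluated lowest number first, first match wins, 65535 is the undeletable kernel default that denies everything, the "open" profile in rc.firewall adds 65000 allow) can be modelled directly. The block below is an added example for this thread, not code from the message or from FreeBSD's ipfw; the `Ipfw`/`Rule` classes, `simulate_boot_race`, the two 78- and 61-byte packets and the order of events (interface up, traffic arrives, then rc.firewall runs) are all constructed. `report()` reproduces the `number pkts bytes body` column layout that the nightly security check takes from `ipfw -a list`, so the constructed packets sum to the counters in the quoted log line.

```python
"""Toy model of ipfw rule ordering during the boot-time window above.

Constructed example; not code from the thread or from FreeBSD's ipfw.
Rules are kept in a dict keyed by number and evaluated lowest number
first; the first matching rule wins, and 65535 always matches.
"""
from dataclasses import dataclass

DEFAULT_RULE = 65535   # kernel default rule: deny everything, undeletable
OPEN_RULE = 65000      # rule the "open" rc.firewall profile adds (allow all)


@dataclass
class Rule:
    number: int
    action: str          # "allow" or "deny"
    proto: str = "ip"    # "ip" matches every protocol
    pkts: int = 0        # packet counter, as shown by `ipfw -a list`
    nbytes: int = 0      # byte counter

    def matches(self, pkt: dict) -> bool:
        return self.proto == "ip" or self.proto == pkt["proto"]


class Ipfw:
    """Ordered rule table with the kernel's fixed last rule."""

    def __init__(self) -> None:
        self.rules = {DEFAULT_RULE: Rule(DEFAULT_RULE, "deny")}

    def add(self, number: int, action: str, proto: str = "ip") -> None:
        if not 1 <= number < DEFAULT_RULE:
            raise ValueError("rule numbers run 1..65534; 65535 is reserved")
        self.rules[number] = Rule(number, action, proto)

    def delete(self, number: int) -> None:
        if number == DEFAULT_RULE:
            raise PermissionError("rule 65535 is the kernel default and cannot be deleted")
        del self.rules[number]

    def check(self, pkt: dict) -> tuple:
        """Return (action, rule number) of the first matching rule and bump its counters."""
        for number in sorted(self.rules):          # ascending: 65000 is seen before 65535
            rule = self.rules[number]
            if rule.matches(pkt):
                rule.pkts += 1
                rule.nbytes += pkt["len"]
                return rule.action, number
        raise AssertionError("unreachable: rule 65535 matches everything")

    def report(self) -> list:
        """Rules that saw traffic, in the `number pkts bytes body` layout of `ipfw -a list`."""
        return [f"{r.number} {r.pkts} {r.nbytes} {r.action} {r.proto} from any to any"
                for r in (self.rules[n] for n in sorted(self.rules)) if r.pkts]


def parse_counter_line(line: str) -> dict:
    """Split one counter line from the security report into its columns."""
    number, pkts, nbytes, *body = line.split()
    return {"rule": int(number), "pkts": int(pkts), "bytes": int(nbytes), "body": " ".join(body)}


def simulate_boot_race() -> tuple:
    """Interface up, two packets arrive, then rc.firewall installs rule 65000."""
    fw = Ipfw()
    # constructed: two small packets arrive while only the default rule exists
    early = [{"proto": "udp", "len": 78}, {"proto": "udp", "len": 61}]
    before = [fw.check(p) for p in early]
    fw.add(OPEN_RULE, "allow")                       # rc.firewall "open" profile runs now
    after = fw.check({"proto": "tcp", "len": 40})    # same table, packet now allowed
    return before, after, fw.report()


if __name__ == "__main__":
    before, after, report = simulate_boot_race()
    print("before rc.firewall:", before)
    print("after rc.firewall: ", after)
    print("\n".join(report))
```

The practical check on a real box is the same as what the model does: run `ipfw -a list` after boot and look at the counters on rule 65535. Any non-zero count there is traffic that arrived while the default rule was the only one installed, which on an "open" profile can only happen before rc.firewall has added rule 65000.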