Date:      Mon, 08 Feb 1999 16:03:49 +0200
From:      Ian Cooper <ian@cdsec.com>
To:        security@FreeBSD.ORG
Cc:        Matt Behrens <matt@zigg.com>
Subject:   Re: bypassing "allow ip from any to any"?
Message-ID:  <36BEEEC5.9899B557@cdsec.com>
References:  <Pine.BSF.4.05.9902080820170.2539-100000@cdsec.com>

Matt

The answer to this is fairly simple. The ipfw code in the kernel has a default
rule, 65535, which can never be deleted. This rule denies all packets. 

The open "firewall" runs by adding a rule 65000 in rc.firewall, which allows
all packets, and since its number is lower than the 65535 rule, will override
it. 

What has apparently happened is that the kernel routines have received some
packets (netbios it appears) just after the network has come up, but before the
ipfw 65000 rule has been added by rc.firewall. The result is that the packets
match the default 65535 rule and are denied.

Ian

Matt Behrens wrote:
> 
> I rebooted one of my boxes 24 hours ago.  I run the "open" firewall
> set with ppp -alias (as an on-demand packet filter, I know, I should
> do better) ;) but saw something strange in last night's security
> check.
> 
> Rule 65000 clearly states
> 
>         65000 allow ip from any to any
> 
> yet this came across in my logs last night:
> 
> xxx.xxx.xxx denied packets:
> > 65535      2       139 deny ip from any to any
> 
> I don't see how it could, unless someone was fudging with my ipfw
> config.  Or do I just not know something?  (I do run options NETATALK
> here, could that somehow have snuck in?)
> 
> - Matt Behrens <matt@zigg.com>
>   Network Administrator, zigg.com <http://www.zigg.com/>
>   Engineer, Nameless IRC Network <http://www.nameless.net/>
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-- 
Ian Cooper                                 E-mail: ian@cdsec.com
Citadel Data Security                      Phone:  +27 21 423-6065
Firewalls/Virtual Private Networks         Fax:    +27 21 424-3656
Data Security Products                     WWW:    http://www.cdsec.com/
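A small model of the behaviour Ian describes, added here as an example and not code from the thread or from FreeBSD: ipfw walks rules in ascending number order and the first match decides, the deny-everything rule 65535 is always present and cannot be deleted, so any packet processed before rc.firewall adds rule 65000 is denied and counted against 65535. The two packet sizes (78 and 61 bytes) are constructed so the counters come out as in Matt's report line.

```python
# Added example: first-match ipfw evaluation replayed across the boot window.
from dataclasses import dataclass

DEFAULT_RULE = 65535  # compiled into the kernel; cannot be deleted


@dataclass
class Rule:
    number: int
    action: str  # "allow" or "deny"
    pkts: int = 0
    nbytes: int = 0


class Ipfw:
    def __init__(self):
        # Fresh kernel: only the built-in deny-everything rule exists.
        self.rules = {DEFAULT_RULE: Rule(DEFAULT_RULE, "deny")}

    def add(self, number, action):
        if not 1 <= number < DEFAULT_RULE:
            raise ValueError("rule numbers must be below 65535")
        self.rules[number] = Rule(number, action)

    def delete(self, number):
        if number == DEFAULT_RULE:
            raise ValueError("the default rule cannot be deleted")
        del self.rules[number]

    def process(self, length):
        # Every rule modelled here is "ip from any to any", so the first rule
        # in ascending order matches; that is why 65000 overrides 65535.
        for number in sorted(self.rules):
            rule = self.rules[number]
            rule.pkts += 1
            rule.nbytes += length
            return rule.action, rule.number

    def listing(self):
        # Rule, packet count, byte count, action: the accounting columns
        # that appear in the periodic security report.
        return [f"{r.number:5d} {r.pkts:6d} {r.nbytes:9d} {r.action} ip from any to any"
                for r in sorted(self.rules.values(), key=lambda r: r.number)]


def boot_replay(before_rc_firewall, after_rc_firewall):
    """Verdicts for packets seen before and after rc.firewall loads rule 65000."""
    fw = Ipfw()
    early = [fw.process(n) for n in before_rc_firewall]  # interface up, no rules yet
    fw.add(65000, "allow")                               # rc.firewall "open" set
    late = [fw.process(n) for n in after_rc_firewall]
    return fw, early, late


if __name__ == "__main__":
    # Constructed: two NetBIOS datagrams (78 + 61 bytes) arrive in the window.
    fw, early, late = boot_replay([78, 61], [60, 1500])
    print(*fw.listing(), sep="\n")
```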
