Date: Mon, 08 Feb 1999 16:03:49 +0200
From: Ian Cooper <ian@cdsec.com>
To: security@FreeBSD.ORG
Cc: Matt Behrens <matt@zigg.com>
Subject: Re: bypassing "allow ip from any to any"?
Message-ID: <36BEEEC5.9899B557@cdsec.com>
References: <Pine.BSF.4.05.9902080820170.2539-100000@cdsec.com>
Matt

The answer to this is fairly simple. The ipfw code in the kernel has a default rule, 65535, which can never be deleted. This rule denies all packets. The open "firewall" runs by adding a rule 65000 in rc.firewall, which allows all packets, and since its number is lower than the 65535 rule, will override it.

What has apparently happened is that the kernel routines have received some packets (netbios it appears) just after the network has come up, but before the ipfw 65000 rule has been added by rc.firewall. The result is that the packets match the default 65535 rule and are denied.

Ian

Matt Behrens wrote:
> 
> I rebooted one of my boxes 24 hours ago. I run the "open" firewall
> set with ppp -alias (as an on-demand packet filter, I know, I should
> do better) ;) but saw something strange in last night's security
> check.
> 
> Rule 65000 clearly states
> 
> 65000 allow ip from any to any
> 
> yet this came across in my logs last night:
> 
> xxx.xxx.xxx denied packets:
> 
> 65535 2 139 deny ip from any to any
> 
> I don't see how it could, unless someone was fudging with my ipfw
> config. Or do I just not know something? (I do run options NETATALK
> here, could that somehow have snuck in?)
> 
> - Matt Behrens <matt@zigg.com>
> Network Administrator, zigg.com <http://www.zigg.com/>
> Engineer, Nameless IRC Network <http://www.nameless.net/>
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-- 
Ian Cooper                          E-mail: ian@cdsec.com
Citadel Data Security               Phone:  +27 21 423-6065
Firewalls/Virtual Private Networks  Fax:    +27 21 424-3656
Data Security Products              WWW:    http://www.cdsec.com/
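The rule-ordering race Ian describes, replayed in a small simulator added here for illustration. This is not FreeBSD's ipfw code; it only mimics the semantics the thread relies on (rule 65535 is present from boot and cannot be deleted, the lowest-numbered matching rule wins) and the column layout of `ipfw -a list`, which prints the packet and byte counters between the rule number and the rule body. The `Ipfw`, `Rule` and `Packet` names, the `default_action` parameter and the packet sizes are all assumptions made for the example.

```python
"""Toy model of ipfw's numbered first-match rule chain (example code,
not FreeBSD's implementation). Models only what the thread depends on:
a kernel-installed catch-all rule 65535 that cannot be deleted, lower
numbers overriding it, and per-rule packet/byte counters."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DEFAULT_RULE = 65535          # installed by the kernel at boot; never deletable


@dataclass(frozen=True)
class Packet:
    proto: str                # "tcp", "udp", ...
    dport: int
    length: int               # bytes on the wire, feeds the byte counter


@dataclass
class Rule:
    number: int
    action: str               # "allow" or "deny"
    proto: str = "ip"         # "ip" matches any protocol
    dport: Optional[int] = None
    pkts: int = 0
    bytes: int = 0

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        return self.dport is None or self.dport == pkt.dport

    def text(self) -> str:
        body = f"{self.action} {self.proto} from any to any"
        return body if self.dport is None else f"{body} {self.dport}"


class Ipfw:
    """The chain as the kernel sees it right after the interface comes up:
    only 65535 exists, because rc.firewall has not run yet."""

    def __init__(self, default_action: str = "deny") -> None:
        self.rules: Dict[int, Rule] = {DEFAULT_RULE: Rule(DEFAULT_RULE, default_action)}

    def add(self, number: int, action: str, proto: str = "ip",
            dport: Optional[int] = None) -> None:
        if not 1 <= number < DEFAULT_RULE:
            raise ValueError("user rules must be numbered 1..65534")
        self.rules[number] = Rule(number, action, proto, dport)

    def delete(self, number: int) -> None:
        if number == DEFAULT_RULE:
            raise PermissionError("rule 65535 cannot be deleted")
        del self.rules[number]

    def check(self, pkt: Packet) -> Tuple[int, str]:
        """First match in ascending rule-number order decides the packet."""
        for number in sorted(self.rules):
            rule = self.rules[number]
            if rule.matches(pkt):
                rule.pkts += 1
                rule.bytes += pkt.length
                return number, rule.action
        raise AssertionError("unreachable: rule 65535 matches everything")

    def denied_lines(self) -> List[str]:
        """Deny rules with non-zero counters, in the `ipfw -a list` layout
        (rule, packets, bytes, body): the lines a nightly check would diff."""
        return [f"{r.number} {r.pkts} {r.bytes} {r.text()}"
                for _, r in sorted(self.rules.items())
                if r.action == "deny" and r.pkts > 0]


def replay_boot_race() -> Tuple[List[Tuple[int, str]], List[str]]:
    """Packets arrive after the interface is up but before rc.firewall has
    installed 65000; later traffic hits 65000. Packet sizes are constructed."""
    fw = Ipfw()                                              # kernel default: deny
    early = [Packet("udp", 137, 71), Packet("udp", 137, 68)]  # constructed sample
    decisions = [fw.check(p) for p in early]                 # both land on 65535
    fw.add(65000, "allow")                                   # rc.firewall "open" set
    decisions.append(fw.check(Packet("tcp", 139, 60)))       # now 65000 wins
    return decisions, fw.denied_lines()


def replay_default_accept() -> List[Tuple[int, str]]:
    """Same window with an accepting catch-all (a kernel built with
    IPFIREWALL_DEFAULT_TO_ACCEPT gives 65535 that behaviour): the early
    packet still matches 65535, but is passed rather than dropped."""
    fw = Ipfw(default_action="allow")
    return [fw.check(Packet("udp", 137, 71))]
```

Running `replay_boot_race()` yields two `(65535, "deny")` decisions, one `(65000, "allow")`, and a single report line `65535 2 139 deny ip from any to any`; the rule body is the one from the log, and the two numbers in front of it are the counters, not addresses or ports. Whether to close the window by accepting everything until rc.firewall runs, or to live with a few dropped packets at boot, is the policy choice the thread leaves to the administrator.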
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?36BEEEC5.9899B557>