Date: Thu, 24 Oct 2002 02:44:08 -0700 From: Luigi Rizzo <rizzo@icir.org> To: Cristiano Deana <deana@bmm.it> Cc: ipfw@FreeBSD.ORG Subject: Re: ipfw2. Message-ID: <20021024024408.A52106@carp.icir.org> In-Reply-To: <200210240951.06541@freecris>; from deana@bmm.it on Thu, Oct 24, 2002 at 09:57:45AM %2B0200 References: <200210240951.06541@freecris>
There is a bug in the rule for matching sets, I swapped src and
dst addresses...
Fix is below, I am going to commit it soon.
thanks for the report
luigi
Index: ip_fw2.c
===================================================================
RCS file: /home/iguana/u2/ncvs/src/sys/netinet/ip_fw2.c,v
retrieving revision 1.6.2.3
diff -u -r1.6.2.3 ip_fw2.c
--- ip_fw2.c 21 Aug 2002 05:34:07 -0000 1.6.2.3
+++ ip_fw2.c 24 Oct 2002 09:38:28 -0000
@@ -1604,8 +1604,8 @@
u_int32_t *d = (u_int32_t *)(cmd+1);
u_int32_t addr =
cmd->opcode == O_IP_DST_SET ?
- args->f_id.src_ip :
- args->f_id.dst_ip;
+ args->f_id.dst_ip :
+ args->f_id.src_ip;
if (addr < d[0])
break;
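Review bot: the ternary swap corrects both branches at once (O_IP_DST_SET now reads args->f_id.dst_ip, the non-DST case the reporter hit now reads src_ip), but this kind of inversion is silent and deserves a regression test: with the operands swapped, the reporter's `allow ... from 213.144.77.0/24{199,200,201}` rule simply never matched and the packet fell through to the deny at 11000, whereas the same inversion on a `deny ... to X{set}` rule would never match either and would let the traffic through. Consider adding a test that a src-set rule matches on the source address and a dst-set rule on the destination, and noting in the commit message that only the set syntax (`{...}`) was affected, not plain address/mask rules.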
On Thu, Oct 24, 2002 at 09:57:45AM +0200, Cristiano Deana wrote:
> What am I missing?
>
> # uname -sv
> FreeBSD FreeBSD 4.7-STABLE #14: Fri Oct 18 15:04:59 CEST 2002
>
> # dmesg | grep ipfw
> ipfw2 initialized, divert enabled, rule-based forwarding enabled, default to
> deny, logging limited to 100 packets/entry by default
>
> # ifconfig xl0 | grep inet
> inet 213.144.77.133 netmask 0xffffff80 broadcast 213.144.77.255
>
> # ipfw list
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 10000 allow log icmp from 213.144.77.0/24{199,200,201} to 213.144.77.133
> 11000 deny log icmp from any to 213.144.77.133
> 65000 allow ip from any to any
> 65535 deny ip from any to any
>
> # pinging from 213.144.77.200 to 213.144.77.133
>
> # tail /var/log/security
> Oct 24 09:38:58 freecris /kernel: ipfw: 11000 Deny ICMP:8.0 213.144.77.200 213.144.77.133 in via xl0
> Oct 24 09:39:12 freecris last message repeated 2 times
>
> # ipfw show | grep icmp
> 10000 0 0 allow log icmp from 213.144.77.0/24{199,200,201} to 213.144.77.133
> 11000 33 2772 deny log icmp from any to 213.144.77.133
>
> I think I'm missing some basic rule.
> Why did icmp packets coming from 213.144.77.200 not match rule #10000?
>
> Thanks in advance,
> cris.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-ipfw" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20021024024408.A52106>
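The following is an added example written for this archive page; it is not code from ip_fw2.c or from either poster. It models the address-set match the patch above touches (an address set stored as a /24 base plus a membership bitmap, which is an assumption made for the model, not the real ipfw2 layout) and replays the reporter's ruleset through both the swapped and the fixed operand selection. The function names and the `swapped` flag are inventions for the example. It also goes one step beyond the thread with a constructed deny rule using a destination set, to show that the same swap makes a deny rule fail open rather than fail closed.

```c
/* Added example: model of ipfw2's O_IP_SRC_SET / O_IP_DST_SET match, built to
 * reproduce the src/dst operand swap fixed in the patch above. Not ip_fw2.c;
 * the set layout (base of a /24 plus a 256-bit bitmap) is an assumption. */
#include <stdint.h>
#include <stdio.h>

enum opcode { O_IP_SRC_SET, O_IP_DST_SET };

/* The two packet fields the hunk reads (host byte order in this model). */
struct flow_id { uint32_t src_ip; uint32_t dst_ip; };

/* Assumed set layout: base address of a /24 plus a 256-bit membership bitmap. */
struct addr_set { uint32_t base; uint32_t bits[8]; };

static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return (a << 24) | (b << 16) | (c << 8) | d;
}

static void set_add(struct addr_set *s, unsigned host)
{
    s->bits[host / 32] |= 1u << (host % 32);
}

/* The match: select the address the opcode names, then test membership.
 * swapped != 0 reproduces the selection before the fix (the bug),
 * swapped == 0 the selection after it. */
static int set_match(enum opcode op, const struct addr_set *s,
                     const struct flow_id *f, int swapped)
{
    uint32_t addr = swapped
        ? (op == O_IP_DST_SET ? f->src_ip : f->dst_ip)   /* before the fix */
        : (op == O_IP_DST_SET ? f->dst_ip : f->src_ip);  /* after the fix  */
    if (addr < s->base)          /* same early exit as the hunk's "addr < d[0]" */
        return 0;
    addr -= s->base;
    if (addr >= 256)             /* outside the /24 the set covers */
        return 0;
    return (s->bits[addr / 32] >> (addr % 32)) & 1;
}

/* The reporter's case: rule 10000, "allow icmp from 213.144.77.0/24{199,200,201}
 * to 213.144.77.133", evaluated for the ping from .200 to .133.
 * Returns 1 if the rule matches. */
static int reporter_rule_matches(int swapped)
{
    struct addr_set src_set = { ip4(213, 144, 77, 0), {0} };
    struct flow_id pkt = { ip4(213, 144, 77, 200), ip4(213, 144, 77, 133) };
    set_add(&src_set, 199);
    set_add(&src_set, 200);
    set_add(&src_set, 201);
    return set_match(O_IP_SRC_SET, &src_set, &pkt, swapped);
}

/* Constructed counterpart (not from the thread): a deny rule with a
 * destination set, "deny ip from any to 213.144.77.0/24{133}", for the same
 * packet. Returns 1 if the deny fires; 0 means the packet slips past it. */
static int deny_dst_set_fires(int swapped)
{
    struct addr_set dst_set = { ip4(213, 144, 77, 0), {0} };
    struct flow_id pkt = { ip4(213, 144, 77, 200), ip4(213, 144, 77, 133) };
    set_add(&dst_set, 133);
    return set_match(O_IP_DST_SET, &dst_set, &pkt, swapped);
}

int main(void)
{
    printf("rule 10000 matches: before fix %d, after fix %d\n",
           reporter_rule_matches(1), reporter_rule_matches(0));
    printf("dst-set deny fires: before fix %d, after fix %d\n",
           deny_dst_set_fires(1), deny_dst_set_fires(0));
    return 0;
}
```

With the operands swapped, the allow rule at 10000 never matches, so the reporter's ping fell through to the deny at 11000 (fail closed, which is why it was noticed); the constructed deny rule with a destination set never matches either, which would let the traffic through to the catch-all allow at 65000 (fail open). Both cases match correctly once the selection is the one in the patch.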
