From: Luigi Rizzo
To: Cristiano Deana
Cc: ipfw@FreeBSD.ORG
Subject: Re: ipfw2.
Date: Thu, 24 Oct 2002 02:44:08 -0700
Message-ID: <20021024024408.A52106@carp.icir.org>
In-Reply-To: <200210240951.06541@freecris>; from deana@bmm.it on Thu, Oct 24, 2002 at 09:57:45AM +0200

There is a bug in the rule for matching sets, I swapped src and dst addresses...
Fix is below, I am going to commit it soon.

thanks for the report
luigi

Index: ip_fw2.c
===================================================================
RCS file: /home/iguana/u2/ncvs/src/sys/netinet/ip_fw2.c,v
retrieving revision 1.6.2.3
diff -u -r1.6.2.3 ip_fw2.c
--- ip_fw2.c	21 Aug 2002 05:34:07 -0000	1.6.2.3
+++ ip_fw2.c	24 Oct 2002 09:38:28 -0000
@@ -1604,8 +1604,8 @@
 	u_int32_t *d = (u_int32_t *)(cmd+1);
 	u_int32_t addr =
 	    cmd->opcode == O_IP_DST_SET ?
-			args->f_id.src_ip :
-			args->f_id.dst_ip;
+			args->f_id.dst_ip :
+			args->f_id.src_ip;
 
 	if (addr < d[0])
 	    break;

On Thu, Oct 24, 2002 at 09:57:45AM +0200, Cristiano Deana wrote:
> What am I missing?
>
> # uname -sv
> FreeBSD FreeBSD 4.7-STABLE #14: Fri Oct 18 15:04:59 CEST 2002
>
> # dmesg | grep ipfw
> ipfw2 initialized, divert enabled, rule-based forwarding enabled, default to deny, logging limited to 100 packets/entry by default
>
> # ifconfig xl0 | grep inet
> inet 213.144.77.133 netmask 0xffffff80 broadcast 213.144.77.255
>
> # ipfw list
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 10000 allow log icmp from 213.144.77.0/24{199,200,201} to 213.144.77.133
> 11000 deny log icmp from any to 213.144.77.133
> 65000 allow ip from any to any
> 65535 deny ip from any to any
>
> # pinging from 213.144.77.200 to 213.144.77.133
>
> # tail /var/log/security
> Oct 24 09:38:58 freecris /kernel: ipfw: 11000 Deny ICMP:8.0 213.144.77.200 213.144.77.133 in via xl0
> Oct 24 09:39:12 freecris last message repeated 2 times
>
> # ipfw show | grep icmp
> 10000 0 0 allow log icmp from 213.144.77.0/24{199,200,201} to 213.144.77.133
> 11000 33 2772 deny log icmp from any to 213.144.77.133
>
> I think I'm missing some basic rule.
> Why didn't ICMP packets coming from 213.144.77.200 match rule #10000?
>
> Thanks in advance,
> cris.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
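Review bot: the two branches of the ternary were reversed, so before this hunk an O_IP_DST_SET opcode compared args->f_id.src_ip against the set and the src-set case compared args->f_id.dst_ip; that matches the report exactly, since rule 10000 (`from 213.144.77.0/24{199,200,201}`) was testing the destination 213.144.77.133 against the set and could never match, letting the echo requests fall through to 11000. The swapped lines are the whole fix and the visible context (`if (addr < d[0]) break;`) is unaffected, but the ternary reads backwards at a glance, so a one-line comment stating "dst set compares the destination address" would help the next reader. The reporter's ruleset is a ready-made regression check: after the change, pings from 213.144.77.200 should increment the counters on 10000 in `ipfw show` and the `ipfw: 11000 Deny ICMP` entries in /var/log/security should stop.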