Date: Mon, 7 Apr 2008 12:14:00 +0400
From: Yar Tikhiy <yar@comp.chem.msu.su>
To: freebsd-net@freebsd.org
Cc: luigi@freebsd.org, oleg@freebsd.org
Subject: ipfw uid/gid to match listening TCP sockets?
Message-ID: <20080407081400.GA78448@dg.local>
Hi there,

Our ipfw currently doesn't seem to match this host's traffic by uid/gid if the traffic goes to a listening TCP socket. E.g., if one tries to allow passive data connections to a local anonymous FTP server as follows, it won't work:

    ipfw add 10000 allow tcp from any to me dst-port 49152-65535 uid ftp in keep-state

This behaviour is obvious from ip_fw2.c:

    if (proto == IPPROTO_TCP) {
        wildcard = 0;
        pi = &tcbinfo;
    } else if (proto == IPPROTO_UDP) {
        wildcard = INPLOOKUP_WILDCARD;
        pi = &udbinfo;
    } else
        return 0;

I.e., it is OK for UDP to match PCBs (essentially sockets) with a wildcard foreign (remote) address, but not for TCP. I wonder if there will be any security or whatever issues if the wildcard flag is set for TCP, too.

The only peculiarity I can see now is that listening sockets shouldn't generate outbound traffic; as soon as a 3-way handshake starts, a separate PCB is created. Thus a listening socket can match inbound packets only. Are there any other points I missed?

Thanks!

-- 
Yar
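To make the PCB-lookup behaviour in the message concrete, here is a small model of it, added as an illustration and not code from FreeBSD's ip_fw2.c or in_pcb.c. The PCB table, the uid values (14 for ftp, 0 for root), the addresses and the numeric value of INPLOOKUP_WILDCARD are all constructed for the example; the point it shows is that an inbound SYN to the passive-mode listener is only attributed to user ftp when the wildcard fallback is enabled, while connected PCBs match either way.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define INPLOOKUP_WILDCARD 1   /* same flag name as in ip_fw2.c; value is illustrative */

/* Simplified PCB: "0.0.0.0" / port 0 stand for an unbound (wildcard) side. */
struct pcb {
    const char *laddr; uint16_t lport;
    const char *faddr; uint16_t fport;
    int uid;                        /* owner of the socket */
};

/* Constructed PCB table: an FTP control session, the passive-mode data
 * listener, and an sshd session (uid 14 = ftp, 0 = root; made-up values). */
static const struct pcb tab[] = {
    { "192.0.2.10", 21,    "198.51.100.7", 40001, 14 },
    { "0.0.0.0",    50000, "0.0.0.0",      0,     14 },
    { "192.0.2.10", 22,    "203.0.113.5",  51515, 0  },
};

static bool wild(const char *a) { return strcmp(a, "0.0.0.0") == 0; }

/* Lookup in the spirit of in_pcblookup_hash(): an exactly connected PCB
 * wins; only with INPLOOKUP_WILDCARD do we fall back to a listener whose
 * foreign side is unbound. Returns NULL when nothing matches. */
static const struct pcb *lookup(const char *laddr, uint16_t lport,
                                const char *faddr, uint16_t fport, int flags)
{
    const struct pcb *listener = NULL;
    for (size_t i = 0; i < sizeof tab / sizeof tab[0]; i++) {
        const struct pcb *p = &tab[i];
        if (p->lport != lport)
            continue;
        if (!strcmp(p->laddr, laddr) && !strcmp(p->faddr, faddr) && p->fport == fport)
            return p;                                   /* connected PCB */
        if ((flags & INPLOOKUP_WILDCARD) && wild(p->faddr) && p->fport == 0 &&
            (wild(p->laddr) || !strcmp(p->laddr, laddr)))
            listener = p;                               /* listening socket */
    }
    return listener;
}

/* ipfw-style "uid" check: for an inbound packet the local side of the
 * socket is the packet's destination, for outbound it is the source. */
int packet_matches_uid(bool inbound, const char *src, uint16_t sport,
                       const char *dst, uint16_t dport, int uid, int flags)
{
    const struct pcb *p = inbound ? lookup(dst, dport, src, sport, flags)
                                  : lookup(src, sport, dst, dport, flags);
    return p != NULL && p->uid == uid;
}
```

With flags set to 0 (TCP as quoted above) the SYN to port 50000 finds no PCB at all, so the "uid ftp" rule cannot match it; with INPLOOKUP_WILDCARD the listener is found and its owner compared.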