From: Yar Tikhiy <yar.tikhiy@gmail.com>
Date: Mon, 7 Apr 2008 12:14:00 +0400
To: freebsd-net@freebsd.org
Cc: luigi@freebsd.org, oleg@freebsd.org
Subject: ipfw uid/gid to match listening TCP sockets?
Message-ID: <20080407081400.GA78448@dg.local>
List-Id: Networking and TCP/IP with FreeBSD (freebsd-net@freebsd.org)

Hi there,

Our ipfw currently doesn't seem to match this host's traffic by uid/gid
if the traffic goes to a listening TCP socket. E.g., if one tries to
allow passive data connections to a local anonymous FTP server as
follows, it won't work:

	ipfw add 10000 allow tcp from any to me dst-port 49152-65535 uid ftp in keep-state

This behaviour is obvious from ip_fw2.c:

	if (proto == IPPROTO_TCP) {
		wildcard = 0;
		pi = &tcbinfo;
	} else if (proto == IPPROTO_UDP) {
		wildcard = INPLOOKUP_WILDCARD;
		pi = &udbinfo;
	} else
		return 0;

I.e., it is OK for UDP to match PCBs (essentially sockets) with a
wildcard foreign (remote) address, but not for TCP.

I wonder if there will be any security or whatever issues if the
wildcard flag is set for TCP, too. The only peculiarity I can see now
is that listening sockets shouldn't generate outbound traffic; as soon
as a 3-way handshake starts, a separate PCB is created. Thus a
listening socket can match inbound packets only.

Are there any other points I missed? Thanks!

-- 
Yar
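The following is an added example, not code from the mail or from the FreeBSD kernel: a userland model of the PCB lookup that the ipfw uid/gid check relies on, showing why the rule above fails for TCP when the wildcard flag is clear and what changes when it is set. The PCB table, the addresses (192.168.0.1 as "me", 203.0.113.15 as the peer), the port numbers and the uid values are constructed; the two-pass lookup (exact 4-tuple first, then a wildcard-foreign pass only when INPLOOKUP_WILDCARD is given) mirrors the behaviour the mail describes, and the direction handling (inbound packet source = foreign end, outbound packet destination = foreign end) is an assumption about how the check maps a packet onto a socket.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Toy model of the in_pcb lookup behind ipfw's uid/gid match.
 * Added example, not FreeBSD kernel code: the PCB table, addresses,
 * ports and uid values below are constructed for illustration.
 */

#define INPLOOKUP_WILDCARD 1   /* accept PCBs whose foreign end is unbound */
#define INADDR_ANY_ 0u

struct pcb {
    uint32_t laddr; uint16_t lport;  /* local address/port                        */
    uint32_t faddr; uint16_t fport;  /* foreign address/port; 0/0 while listening */
    unsigned uid;
    const char *what;
};

/* Constructed addresses and uids. */
#define ME       0xC0A80001u  /* 192.168.0.1  */
#define PEER     0xCB00710Fu  /* 203.0.113.15 */
#define UID_FTP  14u
#define UID_ROOT 0u

/* Constructed TCP PCB table: a passive-mode data listener owned by ftp,
 * an established ftp control connection and an sshd connection. */
static const struct pcb tcb[] = {
    { ME, 49152, INADDR_ANY_, 0,     UID_FTP,  "ftp passive data listener" },
    { ME, 21,    PEER,        40000, UID_FTP,  "ftp control connection"    },
    { ME, 22,    PEER,        40001, UID_ROOT, "sshd connection"           },
};
#define NPCB (sizeof tcb / sizeof tcb[0])

/* Exact 4-tuple pass first; then, only with INPLOOKUP_WILDCARD, a pass that
 * accepts a PCB bound to the local port with no foreign end, i.e. a listener. */
static const struct pcb *
pcb_lookup(uint32_t faddr, uint16_t fport, uint32_t laddr, uint16_t lport, int flags)
{
    size_t i;
    for (i = 0; i < NPCB; i++) {
        const struct pcb *p = &tcb[i];
        if (p->faddr == faddr && p->fport == fport &&
            p->laddr == laddr && p->lport == lport)
            return p;
    }
    if (!(flags & INPLOOKUP_WILDCARD))
        return NULL;
    for (i = 0; i < NPCB; i++) {
        const struct pcb *p = &tcb[i];
        if (p->fport == 0 && p->faddr == INADDR_ANY_ && p->lport == lport &&
            (p->laddr == laddr || p->laddr == INADDR_ANY_))
            return p;
    }
    return NULL;
}

struct pkt { uint32_t src, dst; uint16_t sport, dport; };

/* Model of the rule's "uid" test (assumed mapping): for an inbound packet the
 * source is the foreign end of the socket, for an outbound one the destination. */
int
uid_rule_matches(const struct pkt *pk, int inbound, unsigned uid, int flags)
{
    const struct pcb *p = inbound
        ? pcb_lookup(pk->src, pk->sport, pk->dst, pk->dport, flags)
        : pcb_lookup(pk->dst, pk->dport, pk->src, pk->sport, flags);
    return p != NULL && p->uid == uid;
}

/* Inbound SYN opening a passive data connection: what the rule in the mail sees. */
int
passive_syn_matches(int flags)
{
    struct pkt syn = { PEER, ME, 51000, 49152 };
    return uid_rule_matches(&syn, 1, UID_FTP, flags);
}

/* Established control connection: found on the exact pass, flags irrelevant. */
int
control_conn_matches(int flags)
{
    struct pkt seg = { PEER, ME, 40000, 21 };
    return uid_rule_matches(&seg, 1, UID_FTP, flags);
}

/* Wrong owner: sshd's connection must never satisfy "uid ftp". */
int
sshd_conn_matches_ftp(int flags)
{
    struct pkt seg = { PEER, ME, 40001, 22 };
    return uid_rule_matches(&seg, 1, UID_FTP, flags);
}

int
main(void)
{
    printf("passive SYN, wildcard clear:   %d\n", passive_syn_matches(0));
    printf("passive SYN, wildcard set:     %d\n", passive_syn_matches(INPLOOKUP_WILDCARD));
    printf("control conn, wildcard clear:  %d\n", control_conn_matches(0));
    printf("sshd conn vs uid ftp, set:     %d\n", sshd_conn_matches_ftp(INPLOOKUP_WILDCARD));
    return 0;
}
```

With the wildcard flag clear the inbound SYN to port 49152 finds no PCB at all (the only candidate is the listener, whose foreign end is 0/0), so the uid test fails and the rule never fires; with the flag set the second pass finds the listener and its uid decides the match. Established connections are found on the exact pass either way, so the flag only affects packets that have not yet been tied to a connection PCB.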