Date: Fri, 31 Jan 1997 09:05:56 +0200 (SAT)
From: Reinier Bezuidenhout <rbezuide@oskar.nanoteq.co.za>
To: znek@object-factory.com (Marcus Mueller)
Cc: freebsd-security@freebsd.org
Subject: Re: ipfw trouble under FreeBSD 2.1.5
Message-ID: <199701310705.JAA15488@oskar.nanoteq.co.za>
In-Reply-To: <5cqfuu$sqt@leonie.object-factory.com> from Marcus Mueller at "Jan 30, 97 03:49:50 pm"
Hi there

> it seems that ipfw under FreeBSD 2.1.5 has a bug which leads to deny-rules
> being applied to connections which should have been accepted before.
> (That means a 65000 deny blah from blah to blah matches a connection which
> should have been accepted by a 10000 allow blah from blah to blah).
> In certain cases - though not deterministically - I have to flush the list
> and then setup all rules again for the firewall to function properly.
> In some cases this does not help, however.

I have to agree with this ... I've seen it on two FreeBSD firewalls we have, e.g.

    1000 accept tcp from any to any established
    .
    .
    .
    .
    17000 deny tcp from any to 1.2.3.4 via ed0 setup

and if I telnet from the one to the other on an open port, rule 17000 fires about 3 times, denying packets, and then the connection is established ????

Greetings

Reinier
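The behaviour Reinier describes (a "setup" deny rule firing on a connection that should already be covered by an earlier "established" allow rule) contradicts ipfw's first-match semantics. The following simulator is an added example, not code from the thread or from FreeBSD; it models only rule numbering, allow/deny, the "established" and "setup" TCP-flag qualifiers, a destination port and "via <iface>", and evaluates a constructed ruleset over a constructed telnet handshake. The rule 10000 allowing port 23 is an assumption standing in for the "open port" mentioned in the mail, and the addresses 5.6.7.8 and 1.2.3.4 are constructed. It shows what a correctly working ipfw should report for each packet: only a bare SYN can ever reach rule 17000, and every packet of an established connection is absorbed by rule 1000.

```python
"""Minimal simulator of classic ipfw first-match semantics (added example).

Assumptions: 'established' matches TCP packets with ACK or RST set,
'setup' matches TCP packets with SYN set and ACK clear, 'via' matches the
interface in either direction, and the implicit last rule 65535 denies.
All addresses, rules and packets below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# TCP flag bits, values as in <netinet/tcp.h>
TH_SYN = 0x02
TH_RST = 0x04
TH_ACK = 0x10


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    iface: str
    flags: int = 0                 # TCP flags; 0 for non-TCP
    dport: Optional[int] = None    # destination port, None if not applicable


@dataclass
class Rule:
    number: int
    action: str                    # "allow" (alias "accept") or "deny"
    proto: str                     # "tcp", "udp", or "ip" (matches anything)
    src: str                       # "any" or one address
    dst: str
    dport: Optional[int] = None
    via: Optional[str] = None
    established: bool = False
    setup: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src != "any" and self.src != pkt.src:
            return False
        if self.dst != "any" and self.dst != pkt.dst:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.via is not None and self.via != pkt.iface:
            return False
        # 'established': not the opening SYN, i.e. ACK or RST present
        if self.established and not (pkt.flags & (TH_ACK | TH_RST)):
            return False
        # 'setup': the first packet of a handshake, SYN set and ACK clear
        is_setup = bool(pkt.flags & TH_SYN) and not (pkt.flags & TH_ACK)
        if self.setup and not is_setup:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[int, str]:
    """Return (rule number, action) of the first rule that matches, walking
    the rules in ascending number order as ipfw does."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.number, rule.action
    return 65535, "deny"           # ipfw's implicit default rule


# Constructed ruleset modelled on the one quoted in the mail; rule 10000 is
# an assumed allow for the "open port" (telnet) that the mail refers to.
RULESET = [
    Rule(1000, "allow", "tcp", "any", "any", established=True),
    Rule(10000, "allow", "tcp", "any", "1.2.3.4", dport=23, via="ed0", setup=True),
    Rule(17000, "deny", "tcp", "any", "1.2.3.4", via="ed0", setup=True),
]


def telnet_session(client: str, server: str, iface: str, port: int) -> List[Packet]:
    """Three-way handshake from client to server plus one data segment."""
    return [
        Packet("tcp", client, server, iface, TH_SYN, port),           # SYN
        Packet("tcp", server, client, iface, TH_SYN | TH_ACK, 40000),  # SYN/ACK
        Packet("tcp", client, server, iface, TH_ACK, port),           # ACK
        Packet("tcp", client, server, iface, TH_ACK, port),           # data
    ]


def trace(rules: List[Rule], packets: List[Packet]) -> List[Tuple[int, str]]:
    """Decision for every packet of a session, in order."""
    return [evaluate(rules, p) for p in packets]


def hits(rules: List[Rule], packets: List[Packet], number: int) -> int:
    """How many packets of the session were decided by rule `number`."""
    return sum(1 for n, _ in trace(rules, packets) if n == number)


if __name__ == "__main__":
    session = telnet_session("5.6.7.8", "1.2.3.4", "ed0", 23)
    for pkt, decision in zip(session, trace(RULESET, session)):
        print(f"{pkt.src} -> {pkt.dst}:{pkt.dport} flags={pkt.flags:#04x} -> {decision}")
    print("rule 17000 hits during an open-port session:", hits(RULESET, session, 17000))
```

Under these semantics the SYN to port 23 is decided by rule 10000, the SYN/ACK and everything after it by rule 1000, and rule 17000 is hit zero times; only a SYN to a port with no earlier allow (or a non-TCP packet, which falls through to 65535) is denied. A firewall that logs rule 17000 several times during a session to an open port is therefore not matching as documented, which is the anomaly the mail reports, and comparing counters from `ipfw -a list` against this expected trace is a quick way to confirm it on a live box.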