From owner-freebsd-security Thu Jan 30 23:06:38 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id XAA08341 for security-outgoing; Thu, 30 Jan 1997 23:06:38 -0800 (PST)
Received: from oskar.nanoteq.co.za (oskar.nanoteq.co.za [163.195.220.170]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id XAA08324 for ; Thu, 30 Jan 1997 23:06:31 -0800 (PST)
Received: (from rbezuide@localhost) by oskar.nanoteq.co.za (8.6.12/8.6.12) id JAA15488; Fri, 31 Jan 1997 09:05:57 +0200
From: Reinier Bezuidenhout
Message-Id: <199701310705.JAA15488@oskar.nanoteq.co.za>
Subject: Re: ipfw trouble under FreeBSD 2.1.5
In-Reply-To: <5cqfuu$sqt@leonie.object-factory.com> from Marcus Mueller at "Jan 30, 97 03:49:50 pm"
To: znek@object-factory.com (Marcus Mueller)
Date: Fri, 31 Jan 1997 09:05:56 +0200 (SAT)
Cc: freebsd-security@freebsd.org
X-Mailer: ELM [version 2.4ME+ PL28 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Hi there

> it seems that ipfw under FreeBSD 2.1.5 has a bug which leads to deny-rules
> being applied to connections which should have been accepted before.
> (That means a 65000 deny blah from blah to blah matches a connection which
> should have been accepted by a 10000 allow blah from blah to blah).
> In certain cases - though not deterministically - I have to flush the list
> and then setup all rules again for the firewall to function properly.
> In some cases this does not help, however.

I have to agree with this ... I've seen it on two FreeBSD firewalls we have, e.g.

    1000 accept tcp from any to any established
    .
    .
    .
    17000 deny tcp from any to 1.2.3.4 via ed0 setup

and if I telnet from the one to the other on an open port, rule 17000 fires
about 3 times, denying packets, and then the connection is established ????

Greetings
Reinier
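As an added example that is not part of this message or of ipfw itself, the following Python model applies first-match evaluation of the two rules quoted above to the segments of a TCP handshake, which is the check to run before deciding whether a deny on a setup packet is unexpected. It assumes the simplified ipfw(8) match semantics stated in the comments, constructed host addresses, and a default-deny last rule standing in for the chain's implicit one.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple
# Simplified ipfw(8) semantics: "established" matches TCP segments with ACK or
# RST set, "setup" matches SYN set with ACK clear, "via IFACE" matches either
# direction on that interface; rules are tried in ascending number order and
# the first match decides. Packet and Rule are constructed models, not ipfw's.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str
    flags: FrozenSet[str]   # subset of {"SYN", "ACK", "RST"}

@dataclass
class Rule:
    number: int
    action: str             # "accept" or "deny"
    dst: str = "any"
    via: Optional[str] = None
    opt: Optional[str] = None   # "established", "setup" or None

    def matches(self, p: Packet) -> bool:
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.via is not None and self.via != p.iface:
            return False
        if self.opt == "established":
            return bool(p.flags & {"ACK", "RST"})
        if self.opt == "setup":
            return "SYN" in p.flags and "ACK" not in p.flags
        return True

# The two rules quoted in the thread, plus the chain's implicit last rule
# (assumed here to be the default deny unless the kernel was built otherwise).
RULESET = [Rule(1000, "accept", opt="established"),
           Rule(17000, "deny", dst="1.2.3.4", via="ed0", opt="setup"),
           Rule(65535, "deny")]

def evaluate(rules: List[Rule], p: Packet) -> Tuple[int, str]:
    """Return (number, action) of the first rule that matches p."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(p):
            return r.number, r.action
    raise RuntimeError("no rule matched; a real ipfw chain always ends in one")

def handshake_trace(rules, client, server, iface, syn_retries=3):
    """Classify a constructed handshake: client SYN (retried), SYN/ACK, ACK."""
    segs = [Packet(client, server, iface, frozenset({"SYN"}))] * syn_retries
    segs += [Packet(server, client, iface, frozenset({"SYN", "ACK"})),
             Packet(client, server, iface, frozenset({"ACK"}))]
    return [evaluate(rules, p) for p in segs]
```

Under these semantics only the SYN segments can reach rule 17000, because a SYN without ACK never satisfies `established`; every later segment of the same connection carries ACK and stops at rule 1000.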