Date: Sat, 24 Jun 2000 07:03:44 -0700 (PDT) From: ted@wiz.plymouth.edu To: freebsd-gnats-submit@FreeBSD.org Subject: kern/19488: Bug in 4.0-STABLE (acting as a Bridging firewall) Message-ID: <20000624140344.A487537B862@hub.freebsd.org>
>Number: 19488
>Category: kern
>Synopsis: Bug in 4.0-STABLE (acting as a Bridging firewall)
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Jun 24 07:10:01 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator: Ted Wisniewski
>Release: 4.0-RELEASE cvsup'd to STABLE
>Organization:
Plymouth State College
>Environment:
FreeBSD firewall.plymouth.edu 4.0-STABLE FreeBSD 4.0-STABLE #0: Mon Mar 27 15:58:31 EST 2000 sysop@firewall.plymouth.edu:/usr/src/sys/compile/MYKERNEL i386
>Description:
FreeBSD 4.0-RELEASE upgrading to FreeBSD 4.0-STABLE (6-22)
Firewall using Dummynet (problem still occurs even with no rules)
Dell 550Mhz with 128MB RAM and 2 ethernet cards
xl0: <3Com 3c905B-TX Fast Etherlink XL>
xl1: <3Com 3c905B-TX Fast Etherlink XL>
Applicable Kernel config options:
options TCP_DROP_SYNFIN
options TCP_RESTRICT_RST
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPSTEALTH
options BRIDGE
options DUMMYNET
options NMBCLUSTERS=16384
startup options:
bridging_enable="YES"
bridging_fw_enable="YES"
portmap_enable="NO"
firewall_enable="YES"
firewall_script="/usr/local/etc/firewall/rc.firewall"
drop_synfin_enable="YES"
excerpt from /etc/rc.network (I added some options):
case ${drop_synfin_enable} in
[Yy][Ee][Ss])
        echo -n ' DROP_SYNFIN=YES'
        sysctl -w net.inet.tcp.drop_synfin=1 >/dev/null
        ;;
esac
case ${bridging_enable} in
[Yy][Ee][Ss])
        echo -n ' BRIDGING=YES'
        sysctl -w net.link.ether.bridge=1 >/dev/null
        ;;
esac
case ${bridging_fw_enable} in
[Yy][Ee][Ss])
        echo -n ' BRIDGING_FW=YES'
        sysctl -w net.link.ether.bridge_ipfw=1 >/dev/null
        ;;
esac
Following upgrade, loss of reliable RIP updates via firewall from WAN
gateway to LAN routing switch.
WAN gateway RIP stats confirmed outgoing packets sent.
Sniffer connected via switch mirror ports on either side of firewall.
On WAN side of firewall, set to filter for WAN router IP address,
confirmed subnet broadcast packets (RIP packets) in transit.
Sniffer on LAN side of firewall confirmed very few of those getting
through.
Physically patched around firewall and normal operation returned.
Reverted to old kernel on firewall, put it back in line, and normal
operation was maintained.
(Did not happen to notice whether the opposite was also true, that LAN
RIP packets failed to get through to WAN router.)
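A way to quantify what the two mirror-port sniffers showed, as an added example that is not part of the report: count the RIP datagrams (UDP/520 to the subnet broadcast, filtered on the WAN router address) in the WAN-side capture, count how many of them reappear on the LAN side of the bridge, and report the pass rate. The capture lines and addresses below are constructed in a simplified tcpdump-like format; 10.0.0.1 is a placeholder for the WAN router.

```python
import re

# Constructed sniffer output (simplified tcpdump-like lines, not real captures).
# Four RIP broadcasts leave the WAN router; only one shows up on the LAN side.
WAN_SIDE = """\
14:00:00.10 10.0.0.1.520 > 10.0.0.255.520: udp 24
14:00:30.11 10.0.0.1.520 > 10.0.0.255.520: udp 24
14:01:00.12 10.0.0.1.520 > 10.0.0.255.520: udp 24
14:01:30.13 10.0.0.1.520 > 10.0.0.255.520: udp 24
14:01:45.00 10.0.0.7.1234 > 10.0.0.9.80: tcp 0
"""
LAN_SIDE = """\
14:00:00.15 10.0.0.1.520 > 10.0.0.255.520: udp 24
14:01:45.05 10.0.0.7.1234 > 10.0.0.9.80: tcp 0
"""

# timestamp, src.port > dst.port:  (the port is the last dotted component)
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


def count_rip(capture, router_ip, bcast_ip):
    """Count RIP datagrams (UDP 520 -> 520) sent by router_ip to the subnet broadcast."""
    n = 0
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if (m["src"] == router_ip and m["dst"] == bcast_ip
                and m["sport"] == "520" and m["dport"] == "520"):
            n += 1
    return n


def bridge_pass_rate(wan_capture, lan_capture, router_ip, bcast_ip):
    """Return (sent, seen, fraction) for RIP broadcasts crossing the bridge."""
    sent = count_rip(wan_capture, router_ip, bcast_ip)
    seen = count_rip(lan_capture, router_ip, bcast_ip)
    return sent, seen, (seen / sent if sent else 0.0)


if __name__ == "__main__":
    sent, seen, rate = bridge_pass_rate(WAN_SIDE, LAN_SIDE, "10.0.0.1", "10.0.0.255")
    print(f"RIP broadcasts: {sent} sent on WAN side, {seen} seen on LAN side ({rate:.0%})")
```

A pass rate well below 100% with no ipfw rules loaded points at the bridge path itself rather than at the firewall ruleset, which matches the report's observation that the problem persists with no rules.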
>How-To-Repeat:
Build kernel on 4.0-STABLE (as of 6-22)
>Fix:
Revert to kernel made on FreeBSD-4.0-RELEASE system.
>Release-Note:
>Audit-Trail:
>Unformatted:
