From owner-freebsd-bugs  Tue Oct  9  2:20: 4 2001
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id 9AB6437B403
	for <freebsd-bugs@hub.freebsd.org>; Tue,  9 Oct 2001 02:20:02 -0700 (PDT)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.11.4/8.11.4) id f999K2X17814;
	Tue, 9 Oct 2001 02:20:02 -0700 (PDT)
	(envelope-from gnats)
Date: Tue, 9 Oct 2001 02:20:02 -0700 (PDT)
Message-Id: <200110090920.f999K2X17814@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
Cc: 
From: "Crist J. Clark" <cristjc@earthlink.net>
Subject: Re: kern/31130: ipfw tee functionality causes malfunction and security hole
Reply-To: "Crist J. Clark" <cristjc@earthlink.net>
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-bugs.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-bugs>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-bugs>
X-Loop: FreeBSD.org

The following reply was made to PR kern/31130; it has been noted by GNATS.

From: "Crist J. Clark" <cristjc@earthlink.net>
To: tburgess@whitley.unimelb.edu.au
Cc: freebsd-gnats-submit@FreeBSD.ORG,
	tburgess-sent@whitley.unimelb.edu.au
Subject: Re: kern/31130: ipfw tee functionality causes malfunction and security hole
Date: Tue, 9 Oct 2001 02:14:17 -0700

 Yep. I can easily replicate this. If I ping a box with,
 
   01000 tee 2222 icmp from any to any
 
 I see,
 
   01:22:38.769793 0:c0:f0:5a:6c:a 0:90:27:13:25:40 0800 98: 192.168.64.60 > 172.16.0.1: icmp: echo request
   01:22:38.770281 0:90:27:13:25:40 0:c0:f0:5a:6c:a 0800 98: 192.168.64.30 > 192.168.64.60: icmp: echo reply
   01:22:39.776983 0:c0:f0:5a:6c:a 0:90:27:13:25:40 0800 98: 192.168.64.60 > 172.16.0.1: icmp: echo request
   01:22:39.777441 0:90:27:13:25:40 0:c0:f0:5a:6c:a 0800 98: 192.168.64.30 > 192.168.64.60: icmp: echo reply
   .
   .
   .
 
 On the wire and the packets never get routed to the "real" 172.16.0.1.
 Trying to figure out if,
 
   a) This is the expected behavior, but is poorly documented, or
   b) Something is broken.
 
 I'm thinking (b), but still wading through src/sys/netinet to verify.
 -- 
 Crist J. Clark                           cjclark@alum.mit.edu
                                          cjclark@jhu.edu
                                          cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message