From: song@cn899.com
Reply-To: song@cn899.com
To: ipfilter@coombs.anu.edu.au
Cc: freebsd-net@freebsd.org
Subject: IP Filter auth rule
Date: Tue, 2 Jan 2001 14:50:32 +0800 (CST)
Message-Id: <20010102065032.D02E91B5E12@mail.cn899.com>

Hi,

I'm playing around with the auth rule and the sample userauth.c of IP Filter
on FreeBSD 4.2-RELEASE, and below are some results and questions:

1. There is a typo in ip_auth.c which causes ioctl(SIOCAUTHW) to be unable to
fetch all the fields of the frauth_t struct. Below is a patch for the
4.2-RELEASE stock version 3.4.8:

*** /sys/netinet/ip_auth.c	Sat Dec 30 22:38:09 2000
--- /sys/netinet/ip_auth.c.orig	Sat Dec 30 23:35:33 2000
***************
*** 354,358 ****
  if ((fr_authnext != fr_authend) && fr_authpkts[fr_authnext]) {
  	error = IWCOPYPTR((char *)&fr_auth[fr_authnext], data,
! 			sizeof(frauth_t));
  	RWLOCK_EXIT(&ipf_auth);
  	if (error)
--- 354,358 ----
  if ((fr_authnext != fr_authend) && fr_authpkts[fr_authnext]) {
  	error = IWCOPYPTR((char *)&fr_auth[fr_authnext], data,
! 			sizeof(fr_info_t));
  	RWLOCK_EXIT(&ipf_auth);
  	if (error)

2. userauth.c should open IPAUTH_NAME instead of IPL_NAME for ioctl. Maybe on
other platforms it should be IPL_NAME?

3. It seems that "keep state" does not work for auth rules. For example, the
rule:

	auth in proto tcp from any to 127.0.0.1/32 port = telnet keep state

makes every incoming telnet packet go through the authentication despite the
"keep state" option.

4. The "auth out ..." rule does not work :-(. It makes the system hang for a
while and then reboot.

5. auth in IP Filter 3.4.15 does not work in FreeBSD 4.2-RELEASE. The
authenticated packets never reach the destination even though the variable
fr_authstats.fas_queok increases as normal. I built the KLD module as follows:

	# make freebsd4
	# make install-bsd
	# kldload ipf

Any hints?

Regards,
Song Bo Run
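Review bot: the context diff for ip_auth.c is generated in the reverse direction: the edited file (/sys/netinet/ip_auth.c, with sizeof(frauth_t)) is listed as the "***" old side and ip_auth.c.orig (with sizeof(fr_info_t)) as the "---" new side, so feeding it to patch(1) as-is would replace the fix with the original bug. Regenerate it as `diff -c ip_auth.c.orig ip_auth.c`, or note that it has to be applied with `patch -R`. The change itself is consistent with the report: the copy source is `&fr_auth[fr_authnext]`, an element of the frauth_t array, so the length handed to IWCOPYPTR should be `sizeof(frauth_t)`; copying only `sizeof(fr_info_t)` bytes would hand userland a truncated structure, which matches the "unable to fetch all the fields" symptom described.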