From owner-freebsd-bugs@FreeBSD.ORG Tue Jun 1 07:02:44 2004
Date: Tue, 1 Jun 2004 16:02:38 +0200 (MEST)
From: besen-wesen@gmx.net
To: freebsd-bugs@freebsd.org
Message-ID: <16597.1086098558@www4.gmx.net>
Subject: IPFW & uid bind
List-Id: Bug reports

Hello,

my firewall's security policy is supposed to allow outgoing connections to port 53 (DNS) only from 'named' on localhost. Normally IPFW should be able to do that just fine, since named runs as user and group 'bind' and IPFW can handle local packets based on uids or gids. Everything else works just fine.

One can reduce the problem to this easily verifiable rule:

# ipfw add 300 count log ip from any to any uid bind

Named indeed does run as bind:

box# ps x -U bind
  PID  TT  STAT      TIME COMMAND
  108  ??  Is     0:01.07 /usr/sbin/named -u bind -g bind

But IPFW neither counts nor logs anything when doing DNS lookups:

# nslookup www.xyz.com

Filtering based on uid 'root' instead does work and produces a lot of occurrences:

# ipfw add 300 count log ip from any to any uid root

So what's the matter with 'bind' and IPFW?

Regards,
Besen-Wesen
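A way to verify a uid-based rule from its packet counters rather than from the log, as an added example written for this page (not code from the original post or from FreeBSD). It assumes the two `count` rules from the post side by side, with rule number 310 chosen here for the `uid root` variant, and it embeds a constructed sample of `ipfw show` output that reproduces the symptom described above (the `uid bind` rule never counts while the `uid root` rule does). Only the `setup_rules` and `live_check` functions touch a real firewall and need root on a FreeBSD host; the parsing functions work on any `ipfw show` text. One thing worth checking on the live host alongside the counters is when named opens its sockets: ipfw's `uid` match compares against the credential attached to the socket, so a daemon started as root that switches to `bind` only after its sockets exist is a natural suspect.

```shell
#!/bin/sh
# Added example, not from the original post. Reads `ipfw show` output, whose
# lines look like:  <rule#> <packets> <bytes> <rule body>
# and reports whether a given rule has matched anything.

# Install the two comparison rules from the post (rule 310 is a hypothetical
# number chosen here for the uid root counter). Needs root on FreeBSD.
setup_rules() {
    ipfw add 300 count log ip from any to any uid bind
    ipfw add 310 count log ip from any to any uid root
}

# Print the packet counter of rule $1, reading `ipfw show` text from stdin.
# Prints nothing if the rule number is not present.
rule_packets() {
    awk -v num="$1" '$1+0 == num+0 { print $2; exit }'
}

# Exit 0 if rule $1 (in the `ipfw show` text on stdin) counted at least one
# packet, 1 if it counted nothing or does not exist.
rule_matched() {
    count=$(rule_packets "$1")
    [ -n "$count" ] && [ "$count" -gt 0 ]
}

# Constructed sample of `ipfw show` output mirroring the post's symptom.
SAMPLE_SHOW='00300          0          0 count log ip from any to any uid bind
00310        142      10934 count log ip from any to any uid root
65535    1234567  987654321 allow ip from any to any'

# Report on a live host after some DNS lookups have been made.
live_check() {
    show=$(ipfw show) || return 1
    for rule in 300 310; do
        if printf '%s\n' "$show" | rule_matched "$rule"; then
            echo "rule $rule matched $(printf '%s\n' "$show" | rule_packets "$rule") packets"
        else
            echo "rule $rule counted nothing"
        fi
    done
}
```

Run `setup_rules`, perform a few lookups against the local resolver, then call `live_check`; on the host described in the post one would expect "rule 300 counted nothing" next to a non-zero count for rule 310, which is the same comparison the post makes but read from the counters in one step.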