Date: Wed, 4 Oct 2000 08:24:56 +0200 (CEST)
From: bdluevel@heitec.net
To: FreeBSD-gnats-submit@freebsd.org
Subject: bin/21742: 'ipfw add' does not check the protocol name
Message-ID: <200010040624.e946OuW00627@heitec.net>
>Number: 21742
>Category: bin
>Synopsis: 'ipfw add' does not check the protocol name
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Oct 03 23:30:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator: Bernd Luevelsmeyer
>Release: FreeBSD 4.1.1-STABLE i386
>Organization:
Heitec AG
>Environment:
FreeBSD 4.1.1-STABLE #5: Mon Oct 2 00:14:43 CEST 2000
>Description:
If you add an IPFW rule to pass TCP traffic to port 'echo',
then port 4 will be allowed instead of port 7; apparently,
because there's an 'echo' with port 4 in /etc/services.
That's only protocol 'ddp' though, hence I assume 'ipfw add'
does not check the protocol when looking up port names.
>How-To-Repeat:
#ipfw list
00100 allow ip from any to any
65535 deny ip from any to any
#ipfw add pass tcp from any to any echo
00000 allow tcp from any to any 4
#ipfw list
00100 allow ip from any to any
00200 allow tcp from any to any 4
65535 deny ip from any to any
#grep echo /etc/services
echo 4/ddp #AppleTalk Echo Protocol
echo 7/tcp
echo 7/udp
at-echo 204/tcp #AppleTalk Echo
at-echo 204/udp #AppleTalk Echo
>Fix:
Workaround: use port numbers only when specifying firewall
rules, not port names.
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200010040624.e946OuW00627>
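The following is an added example written for this archive page; it is not ipfw's source and not code from the reporter. It reproduces the lookup behaviour described in the report against a constructed in-memory copy of the five /etc/services lines from the grep output above (so it runs offline, without touching the system's services file) and contrasts it with a lookup that honours the rule's protocol, which is what getservbyname(3) does when its second argument is the protocol name rather than NULL. The function names, the helper `resolve_port`, and the decision to refuse service names for protocols that carry no port number (such as "ip") are this example's own choices, not anything ipfw implements.

```c
/* Added example, not ipfw code: resolve a service name under a specific
 * protocol, instead of taking the first /etc/services entry with that name. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

/* Constructed /etc/services excerpt, mirroring the report's grep output. */
static const char *SERVICES_DB =
    "echo 4/ddp #AppleTalk Echo Protocol\n"
    "echo 7/tcp\n"
    "echo 7/udp\n"
    "at-echo 204/tcp #AppleTalk Echo\n"
    "at-echo 204/udp #AppleTalk Echo\n";

/* Look up NAME in DB. With PROTO == NULL the first entry carrying that name
 * wins, regardless of protocol (the behaviour the report describes: 'echo'
 * resolves to 4/ddp). With PROTO set, only entries for that protocol match,
 * as getservbyname(name, proto) behaves. Returns the port, or -1 if none. */
int lookup_service(const char *db, const char *name, const char *proto)
{
    const char *p = db;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        char line[256];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p = eol ? eol + 1 : p + len;

        char *hash = strchr(line, '#');   /* strip trailing comment */
        if (hash)
            *hash = '\0';

        char sname[64], sproto[16];
        int port;
        if (sscanf(line, "%63s %d/%15s", sname, &port, sproto) != 3)
            continue;                     /* blank or malformed line */
        if (strcmp(sname, name) != 0)
            continue;
        if (proto == NULL || strcmp(sproto, proto) == 0)
            return port;
    }
    return -1;
}

/* Parse one port token of a rule: a number in 0..65535 is taken as-is;
 * anything else is a service name resolved under PROTO. Names are refused
 * for protocols without ports (e.g. "ip") rather than silently matching
 * some other protocol's entry. Returns the port, or -1 on error. */
int resolve_port(const char *db, const char *token, const char *proto)
{
    char *end;
    errno = 0;
    long v = strtol(token, &end, 10);
    if (end != token && *end == '\0')
        return (errno == 0 && v >= 0 && v <= 65535) ? (int)v : -1;
    if (strcmp(proto, "tcp") != 0 && strcmp(proto, "udp") != 0)
        return -1;
    return lookup_service(db, token, proto);
}

int main(void)
{
    printf("echo, protocol ignored: %d\n", lookup_service(SERVICES_DB, "echo", NULL));
    printf("echo under tcp:         %d\n", resolve_port(SERVICES_DB, "echo", "tcp"));
    printf("echo under udp:         %d\n", resolve_port(SERVICES_DB, "echo", "udp"));
    printf("echo under ip:          %d\n", resolve_port(SERVICES_DB, "echo", "ip"));
    printf("at-echo under tcp:      %d\n", resolve_port(SERVICES_DB, "at-echo", "tcp"));
    printf("numeric 70000:          %d\n", resolve_port(SERVICES_DB, "70000", "tcp"));
    return 0;
}
```

The protocol-agnostic call returns 4 for "echo" exactly as the report's `ipfw list` shows, while the protocol-aware path returns 7 for tcp and udp. The workaround in the report (numeric ports only) remains the right advice for affected releases: the numeric branch above never consults the services database, so it cannot be misled by a same-name entry for another protocol.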
