Date: Sat, 3 Feb 2001 13:40:01 -0800 (PST) From: Bernd Luevelsmeyer <bdluevel@heitec.net> To: freebsd-bugs@FreeBSD.org Subject: Re: misc/24833: after cvsup + rebuild, ipfw "check-state" does not work Message-ID: <200102032140.f13Le1e01432@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
The following reply was made to PR misc/24833; it has been noted by GNATS.
From: Bernd Luevelsmeyer <bdluevel@heitec.net>
To: freebsd-gnats-submit@FreeBSD.org, steve@megahack.com
Cc:
Subject: Re: misc/24833: after cvsup + rebuild, ipfw "check-state" does not work
Date: Sat, 03 Feb 2001 22:30:20 +0100
I've got 4.2-Stable on a PentiumII updated just now. I found that with
these rules ('ipfw list' output):
00100 allow tcp from any to any established
65535 deny ip from any to any
anyone can telnet or ftp into the machine or out of it. Essentially, I
think 'established' matches packets having the SYNC flag, in addition to
those having ACK or RST.
May I ask that this bug has its "Severity" increased, because this will
break many firewalls IMO. A "allow tcp from any to any established" will
render any later tcp 'deny' rule useless.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200102032140.f13Le1e01432>