From owner-freebsd-bugs Sat Feb 3 13:40:20 2001
Date: Sat, 3 Feb 2001 13:40:01 -0800 (PST)
Message-Id: <200102032140.f13Le1e01432@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Bernd Luevelsmeyer
Subject: Re: misc/24833: after cvsup + rebuild, ipfw "check-state" does not work

The following reply was made to PR misc/24833; it has been noted by GNATS.

From: Bernd Luevelsmeyer
To: freebsd-gnats-submit@FreeBSD.org, steve@megahack.com
Subject: Re: misc/24833: after cvsup + rebuild, ipfw "check-state" does not work
Date: Sat, 03 Feb 2001 22:30:20 +0100

I've got 4.2-Stable on a PentiumII updated just now. I found that with these rules ('ipfw list' output):

    00100 allow tcp from any to any established
    65535 deny ip from any to any

anyone can telnet or ftp into the machine or out of it.

Essentially, I think 'established' matches packets having the SYNC flag, in addition to those having ACK or RST.

May I ask that this bug have its "Severity" increased, because this will break many firewalls IMO. An "allow tcp from any to any established" will render any later tcp 'deny' rule useless.
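To make the rule-ordering consequence concrete, here is an added illustration (not code from FreeBSD or from the reporter) that models first-match evaluation of the two rules above under the documented meaning of 'established' (ACK or RST set, per ipfw(8)) and under the behaviour the report describes, where a bare SYN also matches. The flag constants and the `established_buggy` variant are assumptions made for the model.

```python
"""Toy model of ipfw first-match evaluation for the two-rule set in the PR.

Assumed: per ipfw(8), 'established' matches TCP packets with ACK or RST set.
The 'buggy' variant is a hypothetical reproduction of the reported behaviour,
in which a connection-opening SYN is also treated as established.
"""

# Standard TCP flag bits (constructed constants for the model).
TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10


def established_correct(flags: int) -> bool:
    """Documented semantics: ACK or RST present."""
    return bool(flags & (TCP_ACK | TCP_RST))


def established_buggy(flags: int) -> bool:
    """Hypothetical behaviour from the report: SYN matches too."""
    return bool(flags & (TCP_ACK | TCP_RST | TCP_SYN))


# The reporter's rule set, in 'ipfw list' order: (number, action, proto, option).
RULES = [
    (100, "allow", "tcp", "established"),
    (65535, "deny", "ip", None),
]


def evaluate(proto: str, flags: int, established=established_correct) -> str:
    """Return the action of the first rule that matches the packet."""
    for _num, action, rproto, opt in RULES:
        if rproto != "ip" and rproto != proto:
            continue  # protocol mismatch
        if opt == "established" and not (proto == "tcp" and established(flags)):
            continue  # option not satisfied
        return action
    return "deny"  # ipfw's implicit final deny


def new_tcp_connection(established=established_correct) -> str:
    """Fate of the SYN that opens a telnet/ftp session."""
    return evaluate("tcp", TCP_SYN, established)
```

With the documented semantics the opening SYN falls through to rule 65535 and is denied; with the reported behaviour rule 100 swallows it, which is exactly why every later deny becomes unreachable.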