From owner-freebsd-stable Wed May 22 8:34:54 2002
Delivered-To: freebsd-stable@freebsd.org
Received: from grosbein.pp.ru (D00015.dialonly.kemerovo.su [213.184.66.105]) by hub.freebsd.org (Postfix) with ESMTP id 5F3C337B41B; Wed, 22 May 2002 08:34:25 -0700 (PDT)
Received: from grosbein.pp.ru (smmsp@localhost [127.0.0.1]) by grosbein.pp.ru (8.12.3/8.12.2) with ESMTP id g4MFTpg1001902; Wed, 22 May 2002 23:29:51 +0800 (KRAST) (envelope-from eugen@grosbein.pp.ru)
Received: (from eugen@localhost) by grosbein.pp.ru (8.12.3/8.12.3/Submit) id g4LFaZuW000525; Tue, 21 May 2002 23:36:35 +0800 (KRAST)
Date: Tue, 21 May 2002 23:36:35 +0800
From: Eugene Grosbein
To: stable@freebsd.org
Cc: jlemon@freebsd.org
Subject: fresh 4.6-RC: ipfw ... to not me
Message-ID: <20020521233635.A371@grosbein.pp.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Hi!

ipfw incorrectly displays rules containing 'to not me' or 'from not me'.
Example: run this script with firewall_type="open":

    #!/bin/sh
    ipfw show
    echo Add:
    # rule 10 is added with 'to not me', rule 20 with 'to me'
    ipfw add 10 count ip from any to not me
    ipfw add 20 count ip from any to me
    echo ''
    ping -c 1 localhost
    ipfw show
    # EOF

You'll get:

    00100 0 0 allow ip from any to any via lo0
    00200 0 0 deny ip from any to 127.0.0.0/8
    00300 0 0 deny ip from 127.0.0.0/8 to any
    65000 0 0 allow ip from any to any
    65535 0 0 deny ip from any to any
    Add:
    >00010 count ip from any to me
    >00020 count ip from any to me

    PING localhost (127.0.0.1): 56 data bytes
    64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.132 ms

    --- localhost ping statistics ---
    1 packets transmitted, 1 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 0.132/0.132/0.132/0.000 ms
    >00010 0 0 count ip from any to me
    >00020 4 336 count ip from any to me
    00100 4 336 allow ip from any to any via lo0
    00200 0 0 deny ip from any to 127.0.0.0/8
    00300 0 0 deny ip from 127.0.0.0/8 to any
    65000 0 0 allow ip from any to any
    65535 0 0 deny ip from any to any

Look at the quoted lines.

This seems to have been fixed more than a week ago in CURRENT, rev. 1.122 of src/sbin/ipfw/ipfw.c, but not MFC'd. That commit was quite big and it may not be desirable to MFC all the code now, but please fix the 'from me' problem before 4.6-RELEASE.

Eugene Grosbein

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
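A regression check for the display bug reported above, added here as an example (it is not part of the original report and not FreeBSD's own code). It compares the rule body you asked `ipfw add` for with the body `ipfw show` prints back, so a 'not me' that is silently printed as 'me' is flagged. The function names `check_rule` and `demo` and the sample `ipfw show` output are assumptions; the sample is constructed from the lines quoted in the report, so it runs without ipfw or root.

```shell
#!/bin/sh
# Added example, not from the original report: detect rule bodies that do not
# round-trip through `ipfw add` / `ipfw show` (e.g. 'to not me' shown as 'to me').

# check_rule RULENUM EXPECTED_BODY SHOW_OUTPUT
#   RULENUM       rule number passed to `ipfw add`
#   EXPECTED_BODY rule body as typed, e.g. "count ip from any to not me"
#   SHOW_OUTPUT   text of `ipfw show` (rule number, packets, bytes, body)
# Prints "ok: ..." or "BUG: ..."; returns 0 on match, 1 on mismatch.
check_rule() {
    num=$1; expected=$2; output=$3
    # ipfw show zero-pads the rule number to 5 digits; drop the number and the
    # two counter columns, keep only the printed rule body.
    shown=$(printf '%s\n' "$output" | awk -v n="$num" '
        $1 == sprintf("%05d", n) { $1 = ""; $2 = ""; $3 = ""; sub(/^ +/, ""); print }')
    if [ "$shown" = "$expected" ]; then
        echo "ok: $num $shown"
        return 0
    fi
    echo "BUG: rule $num added as '$expected' but shown as '$shown'"
    return 1
}

# Constructed sample: the `ipfw show` lines quoted in the report (assumption,
# not live output). Rule 10 was added with 'to not me', rule 20 with 'to me'.
SAMPLE_SHOW='00010 0 0 count ip from any to me
00020 4 336 count ip from any to me
00100 4 336 allow ip from any to any via lo0
65535 0 0 deny ip from any to any'

# demo: run the check over the sample; returns 1 if any rule is misprinted.
demo() {
    bugs=0
    check_rule 10 "count ip from any to not me" "$SAMPLE_SHOW" || bugs=$((bugs + 1))
    check_rule 20 "count ip from any to me"     "$SAMPLE_SHOW" || bugs=$((bugs + 1))
    [ "$bugs" -eq 0 ]
}

demo
```

On a real system, feed it live output instead of the sample, e.g. `check_rule 10 "count ip from any to not me" "$(ipfw show)"` right after the `ipfw add`; once the display fix is merged the check should print `ok` for the 'not me' rule.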