From owner-freebsd-bugs Wed Mar 12 06:00:21 2003
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AF4A937B401 for ; Wed, 12 Mar 2003 06:00:19 -0800 (PST)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id CB06543FCB for ; Wed, 12 Mar 2003 06:00:18 -0800 (PST) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.6/8.12.6) with ESMTP id h2CE0INS083864 for ; Wed, 12 Mar 2003 06:00:18 -0800 (PST) (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.12.6/8.12.6/Submit) id h2CE0IQK083863; Wed, 12 Mar 2003 06:00:18 -0800 (PST)
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A2F5837B401 for ; Wed, 12 Mar 2003 05:51:22 -0800 (PST)
Received: from vlad.ru (mail.vlad.ru [212.107.220.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8A1D243F93 for ; Wed, 12 Mar 2003 05:51:21 -0800 (PST) (envelope-from root@vlad.ru)
Received: from root by vlad.ru with local (Exim 4.10) id 18t6da-000FW3-00 for FreeBSD-gnats-submit@freebsd.org; Wed, 12 Mar 2003 23:51:18 +1000
Message-Id:
Date: Wed, 12 Mar 2003 23:51:18 +1000
From: Mikhalych
Reply-To: Mikhalych
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: bin/49959: ipfw tee port rule skips parsing next rules
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

>Number:         49959
>Category:       bin
>Synopsis:       ipfw tee port rule skips parsing next rules
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Mar 12 06:00:17 PST 2003
>Closed-Date:
>Last-Modified:
>Originator:     Sergey Mikhalych
>Release:        FreeBSD 4.7-RELEASE i386
>Organization:
OAO Dalsvyaz
>Environment:
System: FreeBSD mail.vlad.ru 4.7-RELEASE FreeBSD 4.7-RELEASE #0: Sun Nov 24 01:13:21 VLAT 2002 mich@relay.vlad.ru:/usr/src/sys/compile/MAIL i386
>Description:
For traffic accounting I can copy all packets coming to my network interface xl0
with the `ipfw tee` option to some port, for example 8888; after this rule all
these packets must pass the next ipfw rules (like the `ipfw count` option).

Problem: the `ipfw tee port` option breaks this order; the packets are marked as
accepted by the rule (like the `ipfw allow` option).

Example:

00001 143 22387 tee 8888 ip from any to any in recv xl0
00002 120 30373 tee 8888 ip from any to any out xmit xl0
00100 0 0 allow tcp from 212.107.192.0/19 to 212.107.200.82 22
00110 0 0 allow tcp from 212.107.200.82 22 to 212.107.192.0/19
00200 0 0 reset tcp from any to 212.107.200.82 22
00300 0 0 reset tcp from any to 212.107.200.80/28 113
00500 0 0 reset tcp from any to 212.107.200.82 3306
00501 0 0 reset tcp from any to 212.107.200.83 3306
65535 258 35124 allow ip from any to any

Telnet to the denied ports 22, 113 and 3306 is accepted!
Using ipfw tee is insecure :(
>How-To-Repeat:
You can try adding a `tee port` rule before any of your rules.
>Fix:
Add reset/deny rules BEFORE the tee rule, but then those dropped packets will be
lost for accounting/copying by tee.
>Release-Note:
>Audit-Trail:
>Unformatted:
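The behaviour the report describes, as an added example that is not part of PR bin/49959 and not FreeBSD's ipfw code: a small Python model of the ipfw rule walk, loaded with the reporter's own ruleset, in which `tee` ends the search and accepts the packet (what the reporter observed on 4.7-RELEASE) while `count` continues with the next rule. It also applies the reporter's workaround (resets before the tee) and shows its accounting cost. The rule text and the 212.107.x addresses are taken from the report; the `Packet`, `Rule`, `trace` and `tee_after_denies` names, the `10.0.0.1` probe source and its ports are this example's assumptions.

```python
"""Model of the ipfw rule walk for PR bin/49959 (added example, not ipfw code).
`tee` is modelled as the reporter observed on 4.7-RELEASE: copy, then stop
like `allow`; `count` copies and continues.  The rules are the report's
`ipfw show` output; the packets are constructed input.
"""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional
# Actions that end the search in this model: `tee` because that is the
# reported behaviour, `count` deliberately not.
TERMINATING = {"allow", "deny", "reset", "tee"}
# A packet as the firewall sees it; direction is "in" or "out".
Packet = namedtuple("Packet", "proto src dst sport dport direction",
                    defaults=(None, None, "in"))


@dataclass
class Rule:
    number: int
    action: str
    proto: str                       # "ip" matches any protocol
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    direction: Optional[str] = None  # None matches both directions
    hits: int = 0

    def matches(self, p):
        return ((self.proto == "ip" or self.proto == p.proto)
                and ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport)
                and self.direction in (None, p.direction))


def parse_rule(line):
    """Parse the subset of `ipfw show` syntax used in the report."""
    tok = ["0.0.0.0/0" if t == "any" else t for t in line.split()]
    number = int(tok.pop(0))
    while tok[0].isdigit():      # packet/byte counters printed by `ipfw show`
        tok.pop(0)
    action = tok.pop(0)
    if action in ("tee", "divert", "skipto"):
        tok.pop(0)               # port or rule-number argument, not a match field
    proto = tok.pop(0)
    assert tok.pop(0) == "from", line
    src = ipaddress.ip_network(tok.pop(0), strict=False)
    sport = int(tok.pop(0)) if tok[0].isdigit() else None
    assert tok.pop(0) == "to", line
    dst = ipaddress.ip_network(tok.pop(0), strict=False)
    dport = int(tok.pop(0)) if tok and tok[0].isdigit() else None
    direction = next((t for t in tok if t in ("in", "out")), None)
    return Rule(number, action, proto, src, sport, dst, dport, direction)


def evaluate(rules, pkt):
    """Walk the rules in order; return the first terminating action."""
    for r in rules:
        if r.matches(pkt):
            r.hits += 1
            if r.action in TERMINATING:
                return r.action
    return "deny"                # not reached here: rule 65535 is explicit


def tee_after_denies(rules):
    """Reporter's workaround: every reset/deny is evaluated before the tee."""
    tees = [r for r in rules if r.action == "tee"]
    rest = [r for r in rules if r.action != "tee"]
    last = max(i for i, r in enumerate(rest) if r.action in ("reset", "deny"))
    return rest[:last + 1] + tees + rest[last + 1:]


def trace(ruleset, pkt, reorder=None):
    """Return (terminating action, numbers of the rules the packet hit)."""
    rules = [parse_rule(ln) for ln in ruleset.strip().splitlines()]
    rules = reorder(rules) if reorder else rules
    return evaluate(rules, pkt), [r.number for r in rules if r.hits]


# The ruleset from the report, as `ipfw show` printed it.
REPORTED_RULESET = """
00001 143 22387 tee 8888 ip from any to any in recv xl0
00002 120 30373 tee 8888 ip from any to any out xmit xl0
00100 0 0 allow tcp from 212.107.192.0/19 to 212.107.200.82 22
00110 0 0 allow tcp from 212.107.200.82 22 to 212.107.192.0/19
00200 0 0 reset tcp from any to 212.107.200.82 22
00300 0 0 reset tcp from any to 212.107.200.80/28 113
00500 0 0 reset tcp from any to 212.107.200.82 3306
00501 0 0 reset tcp from any to 212.107.200.83 3306
65535 258 35124 allow ip from any to any
"""
COUNT_RULESET = REPORTED_RULESET.replace("tee 8888", "count")  # what the reporter expected
# Constructed probe: an outside host connecting to the port that rule 200 resets.
SSH_FROM_OUTSIDE = Packet("tcp", "10.0.0.1", "212.107.200.82", 40000, 22)
```

`trace(REPORTED_RULESET, SSH_FROM_OUTSIDE)` returns `("tee", [1])`: the connection to port 22 never reaches rule 200, which is exactly the 0-hit counters on rules 100 to 501 in the report. With `tee 8888` replaced by `count` the same packet gives `("reset", [1, 200])`, and with the reporter's workaround (`tee_after_denies`) it gives `("reset", [200])`, with no tee hit at all, which is the accounting loss the Fix section mentions. The practical rule that follows: on 4.x, ipfw(8) documents `tee` as terminating the search and accepting the original packet, so a broad `tee` rule is an `allow` for everything it matches and must sit after the deny/reset rules, or be replaced by `count` for accounting; later ipfw2 documents `tee` as continuing with the next rule, so check the man page for the release in use before relying on either behaviour.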