From owner-freebsd-bugs@FreeBSD.ORG Fri Mar 26 11:30:39 2004
Return-Path: 
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B303916A4EB for ; Fri, 26 Mar 2004 11:30:39 -0800 (PST)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id A2DAD43D53 for ; Fri, 26 Mar 2004 11:30:33 -0800 (PST) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) i2QJUXbv068075 for ; Fri, 26 Mar 2004 11:30:33 -0800 (PST) (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.12.10/8.12.10/Submit) id i2QJUXfZ068074; Fri, 26 Mar 2004 11:30:33 -0800 (PST) (envelope-from gnats)
Date: Fri, 26 Mar 2004 11:30:33 -0800 (PST)
Message-Id: <200403261930.i2QJUXfZ068074@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Maxim Konovalov
Subject: Re: misc/64694: UID/GID matching in ipfw non-functional
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Maxim Konovalov
List-Id: Bug reports
X-List-Received-Date: Fri, 26 Mar 2004 19:30:40 -0000

The following reply was made to PR misc/64694; it has been noted by GNATS.

From: Maxim Konovalov
To: Grant Millar
Cc: bug-followup@freebsd.org
Subject: Re: misc/64694: UID/GID matching in ipfw non-functional
Date: Fri, 26 Mar 2004 22:29:39 +0300 (MSK)

On Thu, 25 Mar 2004, 02:39-0800, Grant Millar wrote:

[...]
> >Description:
> When adding the following rules, uid matching on ipfw is totally
> ignored. As we can see, no packets are getting through on the IP with
> uid matching enabled; packets are allowed in but not out.
>
> 00100     3     144 allow tcp from any to 66.X.X.2
> 00200     0       0 allow tcp from 66.X.X.2 to any uid root
> 00300     3     132 deny tcp from 66.X.X.2 to any
> 65535 28440 2522637 allow ip from any to any
>
> Clearly you can see this is a substantial problem, as now we cannot
> restrict access to IPs, which could cause problems. I've also tried to
> solve this problem by upgrading to 5.2.1-RELEASE but had exactly the
> same problem.

Are you sure the traffic from 66.X.X.2 is coming from a socket owned by
root? Moreover, uid matching is working for me on 5.2-CURRENT:

# ipfw sh 8000
08000  39  7626 count tcp from 195.128.64.0/24 to any uid maxim
08000   2   168 count tcp from 195.128.64.0/24 to any uid root
# sleep 10 && ipfw sh 8000
08000 397 83906 count tcp from 195.128.64.0/24 to any uid maxim
--------------^^^^^ my ssh session
08000   2   168 count tcp from 195.128.64.0/24 to any uid root

-- 
Maxim Konovalov
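The check Maxim does by eye above (two `ipfw show` snapshots, compare the counters, see which `uid` rule moved) is easy to script. The following is an added example, not code from the PR or from FreeBSD itself: a POSIX sh/awk helper that takes two snapshots of `ipfw show` output and prints the per-rule packet and byte deltas, then lists only the rules that actually matched traffic in between. The two snapshots embedded below are constructed from the counters quoted in the reply; on a real box you would capture them with `ipfw show`. Rules are keyed on their full text rather than the rule number alone, because ipfw allows several rules (here, the `uid maxim` and `uid root` pair) to share one number.

```sh
#!/bin/sh
# Constructed snapshots of `ipfw show 8000` output, taken ten seconds apart.
# Columns: rule-number packets bytes action body...
SNAP_BEFORE='08000 39 7626 count tcp from 195.128.64.0/24 to any uid maxim
08000 2 168 count tcp from 195.128.64.0/24 to any uid root'
SNAP_AFTER='08000 397 83906 count tcp from 195.128.64.0/24 to any uid maxim
08000 2 168 count tcp from 195.128.64.0/24 to any uid root'

# ipfw_delta BEFORE AFTER
# For every rule present in AFTER, print "<rule-number> <rule-text> <dpkts> <dbytes>",
# where the deltas are AFTER minus BEFORE. A rule absent from BEFORE counts from 0.
ipfw_delta() {
  printf '%s\n---\n%s\n' "$1" "$2" | awk '
    /^---$/ { after = 1; next }          # separator between the two snapshots
    NF < 4  { next }                     # skip blank or truncated lines
    {
      # Key = rule number plus everything after the two counters, so two
      # rules that share a number but differ in body stay distinct.
      key = $1
      for (i = 4; i <= NF; i++) key = key " " $i
      if (!after) { pkts[key] = $2; bytes[key] = $3; next }
      printf "%s %d %d\n", key, $2 - pkts[key], $3 - bytes[key]
    }'
}

# ipfw_matched BEFORE AFTER
# Same output as ipfw_delta, restricted to rules whose packet counter grew,
# i.e. the rules that actually saw traffic between the two snapshots.
ipfw_matched() {
  ipfw_delta "$1" "$2" | awk '$(NF-1) > 0'
}

# Usage, as in the reply: the `uid maxim` rule is the one that moved,
# so the outbound traffic came from sockets owned by maxim, not root.
ipfw_matched "$SNAP_BEFORE" "$SNAP_AFTER"
```

If the rule you expected to match shows a delta of 0 while a later `deny` rule shows the traffic, the uid matcher is working as designed and the socket is simply not owned by the uid you named; `sockstat -4 -c` (FreeBSD) shows which user owns the connected sockets so the rule can be corrected.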