Date:      Fri, 26 Mar 2004 11:30:33 -0800 (PST)
From:      Maxim Konovalov <maxim@macomnet.ru>
To:        freebsd-bugs@FreeBSD.org
Subject:   Re: misc/64694: UID/GID matching in ipfw non-functional
Message-ID:  <200403261930.i2QJUXfZ068074@freefall.freebsd.org>

The following reply was made to PR misc/64694; it has been noted by GNATS.

From: Maxim Konovalov <maxim@macomnet.ru>
To: Grant Millar <co0lkizz@btinternet.com>
Cc: bug-followup@freebsd.org
Subject: Re: misc/64694: UID/GID matching in ipfw non-functional
Date: Fri, 26 Mar 2004 22:29:39 +0300 (MSK)

 On Thu, 25 Mar 2004, 02:39-0800, Grant Millar wrote:
 
 [...]
 > >Description:
 >       When adding the following rules, uid matching on ipfw is totally
 > ignored. As we can see, no packets are getting through on the IP with
 > uid matching enabled; packets are allowed in but not out.
 >
 > 00100     3     144 allow tcp from any to 66.X.X.2
 > 00200     0       0 allow tcp from 66.X.X.2 to any uid root
 > 00300     3     132 deny tcp from 66.X.X.2 to any
 > 65535 28440 2522637 allow ip from any to any
 >
 > Clearly you can see this is a substantial problem, as now we cannot
 > restrict access to IPs, which could cause problems. I've also tried to
 > solve this problem by upgrading to 5.2.1-RELEASE but had exactly the
 > same problem.
 
 Are you sure the traffic from 66.X.X.2 is coming from a socket owned by
 root?  Moreover, uid matching is working for me on 5.2-CURRENT:
 
 # ipfw sh 8000
 08000    39    7626 count tcp from 195.128.64.0/24 to any uid maxim
 08000     2     168 count tcp from 195.128.64.0/24 to any uid root
 # sleep 10 && ipfw sh 8000
 08000   397   83906 count tcp from 195.128.64.0/24 to any uid maxim
 --------------^^^^^ my ssh session
 
 08000     2     168 count tcp from 195.128.64.0/24 to any uid root
 
 -- 
 Maxim Konovalov
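The reply above diagnoses the report by putting `count` rules per uid in front of the policy and comparing counters before and after generating traffic: a uid rule whose counter never moves means no socket owned by that uid sent anything, not that uid matching is broken. The script below is an added example, not part of the PR thread, that automates the comparison step. It parses two snapshots of `ipfw show` output (the two snapshots are constructed sample data in the same format as the thread's `ipfw sh 8000` output; on a real host they would be captured with `ipfw show <rule>` before and after the test traffic) and reports the packet delta for every `uid` rule.

```sh
#!/bin/sh
# Added example (not from the PR thread): compare two snapshots of
# `ipfw show` output and report per-uid packet-counter deltas, so a
# uid rule that never increments stands out from one that matches.

# Constructed sample snapshots in `ipfw show` format:
#   <rule> <packets> <bytes> <action> <proto> from <src> to <dst> uid <name>
SNAP_BEFORE='08000    39    7626 count tcp from 195.128.64.0/24 to any uid maxim
08000     2     168 count tcp from 195.128.64.0/24 to any uid root'

SNAP_AFTER='08000   397   83906 count tcp from 195.128.64.0/24 to any uid maxim
08000     2     168 count tcp from 195.128.64.0/24 to any uid root'

# packet_count <snapshot> <uid>
# Prints the packet counter (2nd column) of the rule ending in "uid <uid>".
packet_count() {
  printf '%s\n' "$1" | awk -v u="$2" '$(NF-1) == "uid" && $NF == u { print $2; exit }'
}

# packet_delta <before> <after> <uid>
# Prints how many packets the uid rule counted between the two snapshots;
# fails with status 1 if no such rule exists in either snapshot.
packet_delta() {
  before=$(packet_count "$1" "$3")
  after=$(packet_count "$2" "$3")
  [ -n "$before" ] && [ -n "$after" ] || { echo "no uid rule for $3" >&2; return 1; }
  echo $((after - before))
}

# report <before> <after>
# One line per uid rule found in the first snapshot, with its delta and a verdict.
report() {
  printf '%s\n' "$1" | awk '$(NF-1) == "uid" { print $NF }' | while read -r u; do
    d=$(packet_delta "$1" "$2" "$u") || continue
    if [ "$d" -gt 0 ]; then
      echo "uid $u: +$d packets (rule is matching)"
    else
      echo "uid $u: +0 packets (no traffic from sockets owned by $u)"
    fi
  done
}

report "$SNAP_BEFORE" "$SNAP_AFTER"
```

Run it as `sh ipfw-uid-delta.sh`; with the sample data it reports `+358` packets for `maxim` (the ssh session in the thread) and `+0` for `root`, which is the same conclusion the reply draws by eye. Replace the two constants with real captures taken around a `sleep` window, as in the reply, to check whether the process you expect to be matched actually owns the sending socket.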


