From owner-freebsd-bugs@FreeBSD.ORG Sat Mar 27 02:20:13 2004
Delivered-To: freebsd-bugs@hub.freebsd.org
Date: Sat, 27 Mar 2004 02:20:13 -0800 (PST)
Message-Id: <200403271020.i2RAKDHl079582@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: "Grant Millar"
Subject: Re: misc/64694: UID/GID matching in ipfw non-functional
Reply-To: Grant Millar
List-Id: Bug reports
X-List-Received-Date: Sat, 27 Mar 2004 10:20:13 -0000

The following reply was made to PR misc/64694; it has been noted by GNATS.

From: "Grant Millar"
Subject: Re: misc/64694: UID/GID matching in ipfw non-functional
Date: Sat, 27 Mar 2004 10:14:16 -0000

My current network configuration I have kept simple to ensure that this could not be a problem.
66.X.X.2 is an alias of fxp0,

    defaultrouter="66.X.X.225"
    hostname="uneix.com"
    ifconfig_fxp0="inet 66.X.X.236 netmask 255.255.255.224"
    ifconfig_fxp0_alias0="inet 66.X.X.2 netmask 255.255.255.255"
    firewall_enable="YES"
    kern_securelevel_enable="NO"
    linux_enable="YES"
    nfs_reserved_port_only="YES"
    sendmail_enable="YES"
    sshd_enable="YES"
    usbd_enable="YES"

ifconfig shows this to be working correctly,

    uneix# ifconfig
    fxp0: flags=8843 mtu 1500
            inet 66.90.89.236 netmask 0xffffffe0 broadcast 66.90.89.255
            inet6 fe80::250:8bff:fe67:da46%fxp0 prefixlen 64 scopeid 0x1
            inet 66.X.X.2 netmask 0xffffffff broadcast 66.X.X.2

Also traffic gets through if I take out the uid,

    uneix# ipfw sh
    00100      64      6804 allow tcp from 66.X.X.2 to any
    00200      88      5152 allow tcp from any to 66.X.X.2
    00300       0         0 deny tcp from 66.X.X.2 to any
    65535  336537 151671807 allow ip from any to any

    httpd   208 root  16u  IPv4 0xdcd94dc0  0t0  TCP *:http (LISTEN)
    sshd    134 root   4u  IPv4 0xdcd8ae00  0t0  TCP *:ssh (LISTEN)
    ^^^^
sshd & httpd are listening on a root socket. Just to make sure this is not the problem, the user we want to ssh with is added,

    uneix# ipfw sh
    00100       0         0 allow tcp from 66.X.X.2 to any uid root
    00110       0         0 allow tcp from 66.X.X.2 to any uid admin
    00200      93      5392 allow tcp from any to 66.X.X.2
    00300       5       220 deny tcp from 66.X.X.2 to any
    65535  338579 151962909 allow ip from any to any

As you can see it is still denying the packets from both http and ssh.

Grant
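An added diagnostic, not part of Grant's report or of FreeBSD's own tooling, that reads `ipfw show` counters like the ones quoted above and flags uid/gid-qualified allow rules that never match while a deny rule below them accumulates hits. It assumes the column layout shown in the reply (rule number, packets, bytes, action, ...); the sample input is constructed from the counters in the reply.

```shell
#!/bin/sh
# Added check: detect uid/gid rules that never match while a later deny
# rule is hit, the symptom described in PR misc/64694.
# SAMPLE is constructed from the second `ipfw sh` listing in the reply.
SAMPLE='00100       0         0 allow tcp from 66.X.X.2 to any uid root
00110       0         0 allow tcp from 66.X.X.2 to any uid admin
00200      93      5392 allow tcp from any to 66.X.X.2
00300       5       220 deny tcp from 66.X.X.2 to any
65535  338579 151962909 allow ip from any to any'

# check_uid_rules LISTING
# Prints one line per uid/gid rule with zero packets that is followed by a
# deny rule with a non-zero count. Returns 1 if any were found, else 0.
check_uid_rules() {
    printf '%s\n' "$1" | awk '
        # assumed columns: rule-number packets bytes action proto ...
        /(uid|gid) / && $2 == 0 { unmatched[NR] = $1; n++; next }
        $4 == "deny" && $2 > 0 && n > 0 {
            for (r in unmatched) {
                printf "rule %s never matched but deny rule %s hit %d packets\n",
                       unmatched[r], $1, $2
                delete unmatched[r]
            }
            n = 0; found = 1
        }
        END { exit found ? 1 : 0 }
    '
}

# Stand-alone usage: report, but do not fail the script, on a positive hit.
check_uid_rules "$SAMPLE" || echo "uid/gid matching looks non-functional"
```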