From owner-freebsd-bugs@FreeBSD.ORG Sat Mar 27 02:50:17 2004
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4342116A4CE for ; Sat, 27 Mar 2004 02:50:17 -0800 (PST)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2743E43D31 for ; Sat, 27 Mar 2004 02:50:17 -0800 (PST) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) i2RAoHbv080519 for ; Sat, 27 Mar 2004 02:50:17 -0800 (PST) (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.12.10/8.12.10/Submit) id i2RAoHXp080517; Sat, 27 Mar 2004 02:50:17 -0800 (PST) (envelope-from gnats)
Date: Sat, 27 Mar 2004 02:50:17 -0800 (PST)
Message-Id: <200403271050.i2RAoHXp080517@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: "Grant Millar"
Subject: Re: misc/64694: UID/GID matching in ipfw non-functional
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Grant Millar
List-Id: Bug reports
X-List-Received-Date: Sat, 27 Mar 2004 10:50:17 -0000

The following reply was made to PR misc/64694; it has been noted by GNATS.
From: "Grant Millar"
Subject: Re: misc/64694: UID/GID matching in ipfw non-functional
Date: Sat, 27 Mar 2004 10:46:10 -0000

Also, to test this further, the following rules were implemented:

    uneix# ipfw sh
    00100     57      6148 allow tcp from 66.90.98.2 to any uid root
    00110      0         0 allow tcp from 66.90.98.2 to any uid admin
    00210     76      4560 allow tcp from any to 66.90.98.2
    65535 343883 152658276 allow ip from any to any

As you can see, without the deny, ssh is getting through on the uid root rule. When we add the deny rule:

    uneix# ipfw sh
    00100     57      6148 allow tcp from 66.90.98.2 to any uid root
    00110      0         0 allow tcp from 66.90.98.2 to any uid admin
    00210     83      4880 allow tcp from any to 66.90.98.2
    00310      5       220 deny tcp from 66.90.98.2 to any
    65535 344754 152866998 allow ip from any to any

Let's see what the logs say by implementing the following rules:

    uneix# ipfw sh
    00100      0         0 allow log tcp from 66.90.98.2 to any uid root
    00200      0         0 allow log tcp from 66.90.98.2 to any uid admin
    00300      6       288 allow tcp from any to 66.90.98.2
    00400      6       264 deny log tcp from 66.90.98.2 to any
    65535 346401 153038817 allow ip from any to any

    Mar 27 10:37:18 uneix /kernel: ipfw: 400 Deny TCP 66.90.98.2:22 81.128.227.64:22802 out via fxp0
    Mar 27 10:37:27 uneix last message repeated 2 times
    Mar 27 10:38:19 uneix /kernel: ipfw: 400 Deny TCP 66.90.98.2:80 81.128.227.64:22803 out via fxp0
    Mar 27 10:38:28 uneix last message repeated 2 times

This just shows that all packets are being denied. When the uid is taken out:

    uneix# ipfw sh
    00100     59      3620 allow tcp from any to 66.90.98.2
    00200     40      5196 allow log tcp from 66.90.98.2 to any
    00300      0         0 deny log tcp from 66.90.98.2 to any
    65535 347770 153146748 allow ip from any to any

    Mar 27 10:41:33 uneix /kernel: ipfw: 200 Accept TCP 66.90.98.2:22 81.128.227.64:22804 out via fxp0
    Mar 27 10:41:51 uneix last message repeated 39 times

The packets are accepted.
Here is the ssh socket, showing it owned by root:

    sshd 4722 root 5u IPv4 0xdcd94940 0t0 TCP 66.90.98.2:ssh->host81-128-227-64.inaddr.btopenworld.com:22804 (ESTABLISHED)

Grant
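A check for the symptom this reply demonstrates, added here as an example and not part of the PR, of ipfw, or of Grant's report: it parses `ipfw show` counters and flags allow rules carrying a uid/gid qualifier that never counted a packet while a later deny rule for the same source did. The sample listings are constructed after the report's third and fourth `ipfw show` outputs.

```python
import re

# One line of `ipfw show` output: rule number, packet counter, byte counter, rule body.
RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")

# Constructed sample modelled on the report's third listing (uid rules with `log`).
SAMPLE_UID = """\
00100 0 0 allow log tcp from 66.90.98.2 to any uid root
00200 0 0 allow log tcp from 66.90.98.2 to any uid admin
00300 6 288 allow tcp from any to 66.90.98.2
00400 6 264 deny log tcp from 66.90.98.2 to any
65535 346401 153038817 allow ip from any to any
"""

# Constructed sample modelled on the last listing (same rules, uid qualifiers removed).
SAMPLE_NO_UID = """\
00100 59 3620 allow tcp from any to 66.90.98.2
00200 40 5196 allow log tcp from 66.90.98.2 to any
00300 0 0 deny log tcp from 66.90.98.2 to any
65535 347770 153146748 allow ip from any to any
"""

def parse_ipfw_show(text: str) -> list:
    """Turn `ipfw show` output into dicts with number, packets, bytes and body."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append({"number": int(m[1]), "packets": int(m[2]),
                          "bytes": int(m[3]), "body": m[4]})
    return rules

def source_of(body: str):
    """Return the `from` address of a rule body ('any' included), or None."""
    m = re.search(r"\bfrom\s+(\S+)", body)
    return m[1] if m else None

def silent_credential_rules(rules: list) -> list:
    """Allow rules with a uid/gid qualifier that counted no packets while a later
    deny rule for the same source did: the symptom the report demonstrates."""
    flagged = []
    for r in rules:
        if (not r["body"].startswith("allow") or r["packets"] != 0
                or not re.search(r"\b(uid|gid)\s+\S+", r["body"])):
            continue
        src = source_of(r["body"])
        if any(d["number"] > r["number"] and d["body"].startswith("deny")
               and source_of(d["body"]) == src and d["packets"] > 0 for d in rules):
            flagged.append(r["number"])
    return flagged
```

Run it against a fresh `ipfw show` after resetting counters (`ipfw zero`) so that stale counts from earlier rule sets, like the 57 packets still shown on rule 00100 in the second listing, do not mask the problem.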