Date: Sat, 21 Apr 2001 19:07:10 +0300
From: Peter Pentchev <roam@orbitel.bg>
To: Lee Smallbone <lee@kechara.net>
Cc: freebsd-security@freebsd.org
Subject: Re: ipfw problem
Message-ID: <20010421190709.D458@ringworld.oblivion.bg>
In-Reply-To: <200104211715.SAA31977@mailgate.kechara.net>; from lee@kechara.net on Sat, Apr 21, 2001 at 05:02:59PM +0100
References: <200104211715.SAA31977@mailgate.kechara.net>
On Sat, Apr 21, 2001 at 05:02:59PM +0100, Lee Smallbone wrote:
> Hello Peter,
>
> 21/04/2001 22:54:10, Peter Pentchev <roam@orbitel.bg> wrote:
>
> >On Sat, Apr 21, 2001 at 04:54:35PM +0100, Lee Smallbone wrote:
> >> Hi there,
> >>
> >> The machine stops booting on either of these two rules, and I have to boot into
> >> single user, remove the rules and reboot. What's wrong with them?
> >>
> >> ${fwcmd} add 300 unreach 9 all from 213.46.1.1-213.46.123.254 to ${ip}
> >>
> >> I also get the same problem on this rule (in place of the one above):
> >>
> >> ${fwcmd} add 300 deny all from 213.46.1.1-213.46.123.254 to ${ip}
> >
> >Where exactly in the boot process does it 'stop'? What application/program
> >is it trying to execute? Or does ipfw itself hang when adding those rules?
>
> ipfw hangs during boot in trying to add rule 300.
Well, I think there's something wrong with the rule itself. Nowhere in
the ipfw manpage could I find a syntax for specifying addresses in
an address-address format - it's either a single address, or address/bits,
or address:mask. Though the fact that ipfw hangs is a little disturbing,
I would advise that you rewrite this rule to use proper syntax, though
that might be a little tricky - the address range you've specified does
not fall under an easy mask :(
Do you want to allow 213.46.0.*? If not, then try..
${fwcmd} add 300 unreach 9 all from 213.46.0.0/18 to ${ip}
${fwcmd} add 301 unreach 9 all from 213.46.64.0/19 to ${ip}
${fwcmd} add 302 unreach 9 all from 213.46.96.0/20 to ${ip}
${fwcmd} add 303 unreach 9 all from 213.46.112.0/21 to ${ip}
${fwcmd} add 304 unreach 9 all from 213.46.120.0/22 to ${ip}
(ick!)
This would deny everything from 213.46.0.0 to 213.46.123.255. Yes, I know
it's ugly.
G'luck,
Peter
--
Do you think anybody has ever had *precisely this thought* before?
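As an added example (not part of Peter's reply or of FreeBSD itself), the same range-to-prefix split done programmatically: the range is decomposed into the minimal set of CIDR blocks, one numbered ipfw rule is emitted per block, and a check confirms the blocks tile the range exactly. The `${fwcmd}`/`${ip}` variable names and the rule numbering starting at 300 follow the thread.

```python
import ipaddress

# Added example, not from the original thread: split an inclusive IPv4 range
# that does not fit one netmask into the minimal set of CIDR blocks and emit
# one ipfw rule per block, as Peter did by hand for 213.46.0.0-213.46.123.255.

def range_to_cidrs(first, last):
    """Return the minimal list of IPv4Network blocks covering first..last inclusive."""
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if start > end:
        raise ValueError("range start is after range end")
    blocks = []
    while start <= end:
        # Grow the block while it stays aligned to its size and inside the range.
        bits = 0
        while bits < 32 and start % (1 << (bits + 1)) == 0 \
                and start + (1 << (bits + 1)) - 1 <= end:
            bits += 1
        blocks.append(ipaddress.IPv4Network((start, 32 - bits)))
        start += 1 << bits
    return blocks


def ipfw_rules(first, last, action="unreach 9", base=300,
               fwcmd="${fwcmd}", dst="${ip}"):
    """Render one ipfw rule per block, numbered base, base+1, ... (no duplicates)."""
    return [f"{fwcmd} add {base + i} {action} all from {net} to {dst}"
            for i, net in enumerate(range_to_cidrs(first, last))]


def covers_exactly(blocks, first, last):
    """True if the blocks cover the range with no gap and no address outside it."""
    expected = set(range(int(ipaddress.IPv4Address(first)),
                         int(ipaddress.IPv4Address(last)) + 1))
    got = set()
    for net in blocks:
        got.update(range(int(net.network_address), int(net.broadcast_address) + 1))
    return got == expected


if __name__ == "__main__":
    for rule in ipfw_rules("213.46.0.0", "213.46.123.255"):
        print(rule)
```

The original poster's exact range (213.46.1.1-213.46.123.254) is not mask-aligned at either end and therefore expands into many more prefixes; rounding the range to 213.46.0.0-213.46.123.255, as Peter did, keeps the ruleset to five lines.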
