From: Peter Pentchev <roam@orbitel.bg>
To: Lee Smallbone <lee@kechara.net>
Cc: freebsd-security@freebsd.org
Subject: Re: ipfw problem
Date: Sat, 21 Apr 2001 19:07:10 +0300
Message-ID: <20010421190709.D458@ringworld.oblivion.bg>
In-Reply-To: <200104211715.SAA31977@mailgate.kechara.net>
List: freebsd-security@FreeBSD.ORG

On Sat, Apr 21, 2001 at 05:02:59PM +0100, Lee Smallbone wrote:
> Hello Peter,
>
> 21/04/2001 22:54:10, Peter Pentchev wrote:
>
> >On Sat, Apr 21, 2001 at 04:54:35PM +0100, Lee Smallbone wrote:
> >> Hi there,
> >>
> >> The machine stops booting on either of these two rules, and I have to boot into
> >> single user, remove the rules and reboot. What's wrong with them?
> >>
> >> ${fwcmd} add 300 unreach 9 all from 213.46.1.1-213.46.123.254 to ${ip}
> >>
> >> I also get the same problem on this rule (in place of the one above):
> >>
> >> ${fwcmd} add 300 deny all from 213.46.1.1-213.46.123.254 to ${ip}
> >
> >Where exactly in the boot process does it 'stop'? What application/program
> >is it trying to execute? Or does ipfw itself hang when adding those rules?
>
> ipfw hangs during boot in trying to add rule 300.

Well, I think there's something wrong with the rule itself.
Nowhere in the ipfw manpage could I find a syntax for specifying addresses in an address-address format - it's either a single address, or address/bits, or address:mask. Though the fact that ipfw hangs is a little disturbing, I would advise that you rewrite this rule to use proper syntax, though that might be a little tricky - the address range you've specified does not fall under an easy mask :(

Do you want to allow 213.46.0.*? If not, then try:

${fwcmd} add 300 unreach 9 all from 213.46.0.0/18 to ${ip}
${fwcmd} add 301 unreach 9 all from 213.46.64.0/19 to ${ip}
${fwcmd} add 302 unreach 9 all from 213.46.96.0/20 to ${ip}
${fwcmd} add 303 unreach 9 all from 213.46.112.0/21 to ${ip}
${fwcmd} add 304 unreach 9 all from 213.46.120.0/22 to ${ip}

(ick!)

This would deny everything from 213.46.0.0 to 213.46.123.255. Yes, I know it's ugly.

G'luck,
Peter

--
Do you think anybody has ever had *precisely this thought* before?
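The split Peter works out by hand above is the general problem of covering an arbitrary inclusive address range with the fewest aligned CIDR blocks. The following is an added example (Python, not code from the original thread or from FreeBSD's ipfw) that implements that greedy decomposition and emits one ipfw rule per block; the rule template, the starting rule number 300 and the `${fwcmd}`/`${ip}` placeholders are taken from the rules quoted above, and the function names are my own. It also handles the range Lee originally wrote (213.46.1.1-213.46.123.254), which is not aligned at either end and therefore needs many more blocks than the rounded 213.46.0.0-213.46.123.255 Peter chose.

```python
import ipaddress
from typing import List


def range_to_cidrs(first: str, last: str) -> List[ipaddress.IPv4Network]:
    """Cover the inclusive IPv4 range first..last with the fewest CIDR blocks.

    Greedy algorithm: at the current start address, widen the prefix as long as
    the block stays aligned at `start` (start is a multiple of the block size)
    and its last address does not run past `last`. Emit that block, advance
    past it, repeat. Alignment is what forces the 0/18, 64/19, 96/20, 112/21,
    120/22 staircase for a range ending on .123.255.
    """
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if start > end:
        raise ValueError("range start is after range end")

    blocks: List[ipaddress.IPv4Network] = []
    while start <= end:
        prefix = 32  # a single host is always a valid, aligned block
        while prefix > 0:
            size = 1 << (32 - (prefix - 1))  # size of the next wider block
            if start % size != 0 or start + size - 1 > end:
                break  # wider block would be misaligned or overshoot the range
            prefix -= 1
        blocks.append(ipaddress.IPv4Network((start, prefix)))
        start += 1 << (32 - prefix)
    return blocks


def ipfw_rules(first: str, last: str, base: int = 300,
               action: str = "unreach 9", fwcmd: str = "${fwcmd}",
               dst: str = "${ip}") -> List[str]:
    """Render one ipfw rule per CIDR block, numbering them base, base+1, ...

    The rule shape mirrors the one in the thread:
        ${fwcmd} add 300 unreach 9 all from 213.46.0.0/18 to ${ip}
    Distinct rule numbers keep each block individually deletable later.
    """
    return [
        f"{fwcmd} add {base + i} {action} all from {net} to {dst}"
        for i, net in enumerate(range_to_cidrs(first, last))
    ]


def covers_exactly(first: str, last: str) -> bool:
    """Sanity check: the blocks cover every address in the range and none outside it."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    covered = 0
    for net in range_to_cidrs(first, last):
        n_lo = int(net.network_address)
        n_hi = int(net.broadcast_address)
        if n_lo < lo or n_hi > hi:
            return False
        covered += net.num_addresses
    return covered == hi - lo + 1


if __name__ == "__main__":
    # Peter's rounded range: five blocks, matching the rules in his reply.
    for line in ipfw_rules("213.46.0.0", "213.46.123.255"):
        print(line)
    print()
    # Lee's original, unaligned range: far uglier, which is why Peter rounded it.
    for line in ipfw_rules("213.46.1.1", "213.46.123.254"):
        print(line)
```

`range_to_cidrs` produces the same blocks as the standard library's `ipaddress.summarize_address_range`, which is the quick way to do this interactively; the hand-rolled loop is there to show why the alignment rule produces the staircase. Generate the rule list once and paste it into rc.firewall rather than typing the blocks by hand, and check the printed block count before loading it: for the unaligned range it is well over a dozen rules, which on later ipfw versions is a case for a lookup table or a `{ a, b, ... }` address set instead of one rule per block.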