Date:      Wed, 11 Mar 2020 08:25:22 +0000
From:      bugzilla-noreply@freebsd.org
To:        ipfw@FreeBSD.org
Subject:   [Bug 240650] ipfw(8): Check for IPv4 in add_src() and add_dat, don't assume !IPv6 is IPv4
Message-ID:  <bug-240650-8303-O0zvYbew7q@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-240650-8303@https.bugs.freebsd.org/bugzilla/>
References:  <bug-240650-8303@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=240650

O. Hartmann <ohartmann@walstatt.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ohartmann@walstatt.org
              Flags|                            |maintainer-feedback+

--- Comment #5 from O. Hartmann <ohartmann@walstatt.org> ---
This patch has been applied to CURRENT as r358858.

It breaks any rc script on CURRENT > r358858 running IPFW with "from any to ..." or "from me to ...":

[...] (dual stack, IPv6 and IPv4 in use)

/etc/rc.conf:
[...]
firewall_type="WORKSTATION"
firewall_myservices="22/tcp"
firewall_allowservices="" OR firewall_allowservices="any"
[...]

results in bricked systems:

[...]
 service ipfw restart
Flushed all rules.
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
ipfw: bad source address any
ipfw: bad source address any
00000 check-state :default
ipfw: bad destination address any
ipfw: bad destination address any
ipfw: bad destination address any
ipfw: bad destination address any
ipfw: bad destination address any
01000 allow udp from 0.0.0.0 68 to 255.255.255.255 67 out
ipfw: bad source address any
ipfw: bad source address any
01100 allow udp from fe80::/10 to me 546 in
ipfw: bad source address any
ipfw: bad source address any
ipfw: bad source address any
ipfw: bad source address any
[...]

I think since this is mostly standard rc.conf stuff, the problem can easily
be reproduced.

-- 
You are receiving this mail because:
You are the assignee for the bug.
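The failure mode reported in the comment above, modelled as an added example: this is not ipfw(8)'s source and not the r358858 patch, but a small C address classifier in which the family-neutral keywords `any` and `me` are kinds of their own, placed next to a deliberately over-strict validator that treats every token that is not an IPv6 literal as something that must parse as IPv4, which is exactly what turns `any` and `me` into "bad source address" / "bad destination address". The function names (`classify_addr`, `addr_ok_strict`, `addr_ok_fixed`, `check_rule`), the reduced rule grammar (only the `from SRC to DST` pair is examined; hostnames, tables and address lists are not supported) and the sample rule bodies in `main` are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Kinds an address token can resolve to (assumed, simplified ipfw grammar). */
enum addr_kind { ADDR_INVALID, ADDR_ANY, ADDR_ME, ADDR_IPV4, ADDR_IPV6 };

/* Copy the host part of "host[/prefix]" into buf; return the prefix length,
 * -1 when no prefix was given, -2 when the token is malformed. */
static int split_prefix(const char *tok, char *buf, size_t buflen)
{
    const char *slash = strchr(tok, '/');
    size_t n = slash ? (size_t)(slash - tok) : strlen(tok);
    if (n == 0 || n >= buflen)
        return -2;
    memcpy(buf, tok, n);
    buf[n] = '\0';
    if (slash == NULL)
        return -1;
    char *end;
    long p = strtol(slash + 1, &end, 10);
    return (end == slash + 1 || *end != '\0' || p < 0) ? -2 : (int)p;
}

/* Classify one token: "any"/"me" are family-neutral keywords, anything else
 * must be an IPv4 or IPv6 literal with an optional prefix (hostnames, tables
 * and address lists of the real ipfw(8) syntax are not handled here). */
enum addr_kind classify_addr(const char *tok)
{
    char host[64];
    unsigned char bin[16];
    if (strcmp(tok, "any") == 0)
        return ADDR_ANY;
    if (strcmp(tok, "me") == 0)
        return ADDR_ME;
    int prefix = split_prefix(tok, host, sizeof host);
    if (prefix == -2)
        return ADDR_INVALID;
    if (inet_pton(AF_INET, host, bin) == 1)
        return prefix <= 32 ? ADDR_IPV4 : ADDR_INVALID;
    if (inet_pton(AF_INET6, host, bin) == 1)
        return prefix <= 128 ? ADDR_IPV6 : ADDR_INVALID;
    return ADDR_INVALID;
}

/* Over-strict validator modelling the reported regression (not the real patch):
 * whatever is not an IPv6 literal must be an IPv4 literal, so "any"/"me" fail. */
bool addr_ok_strict(const char *tok)
{
    enum addr_kind k = classify_addr(tok);
    return k == ADDR_IPV4 || k == ADDR_IPV6;
}

/* Corrected validator: keywords pass, literals must belong to a known family. */
bool addr_ok_fixed(const char *tok)
{
    return classify_addr(tok) != ADDR_INVALID;
}

/* Validate the "from SRC to DST" part of a rule body with the given validator.
 * Returns 0 on success, -1 with an ipfw-style message in err otherwise. */
int check_rule(const char *rule, bool (*ok)(const char *), char *err, size_t errlen)
{
    char copy[256], *save = NULL, *tok, *src = NULL, *dst = NULL;
    snprintf(copy, sizeof copy, "%s", rule);
    for (tok = strtok_r(copy, " ", &save); tok; tok = strtok_r(NULL, " ", &save)) {
        if (strcmp(tok, "from") == 0)
            src = strtok_r(NULL, " ", &save);
        else if (strcmp(tok, "to") == 0)
            dst = strtok_r(NULL, " ", &save);
    }
    if (src == NULL || dst == NULL) {
        snprintf(err, errlen, "missing from/to in rule");
        return -1;
    }
    if (!ok(src) || !ok(dst)) {
        snprintf(err, errlen, "bad %s address %s",
                 ok(src) ? "destination" : "source", ok(src) ? dst : src);
        return -1;
    }
    err[0] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample rule bodies in the style of the rc script output above. */
    static const char *rules[] = {
        "allow ip from any to any via lo0",
        "allow udp from 0.0.0.0 68 to 255.255.255.255 67 out",
        "allow udp from fe80::/10 to me 546 in",
    };
    char err[128];
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        printf("%-52s strict: %s", rules[i],
               check_rule(rules[i], addr_ok_strict, err, sizeof err) ? err : "ok");
        printf("  fixed: %s\n",
               check_rule(rules[i], addr_ok_fixed, err, sizeof err) ? err : "ok");
    }
    return 0;
}
```

Running the sample rules through both validators shows the pattern from the comment: the strict variant rejects every rule whose source or destination is `any` or `me` while the purely literal IPv4 and IPv6 rules (the DHCPv4 broadcast rule, the `fe80::/10` to `ff02::/16` rules) still load, which is why the listing above is interleaved rather than failing as a whole. The point for the real parser is that the keyword check has to happen before, and independently of, the address-family check.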