From owner-freebsd-stable Fri Nov 14 16:22:48 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id QAA15497 for stable-outgoing; Fri, 14 Nov 1997 16:22:48 -0800 (PST) (envelope-from owner-freebsd-stable)
Received: from mail.san.rr.com (san.rr.com [204.210.0.1]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id QAA15486 for ; Fri, 14 Nov 1997 16:22:39 -0800 (PST) (envelope-from studded@san.rr.com)
Received: (from studded@localhost) by mail.san.rr.com (8.8.7/8.8.7) id QAA02869; Fri, 14 Nov 1997 16:21:29 -0800 (PST)
Message-Id: <199711150021.QAA02869@mail.san.rr.com>
From: "Studded"
To: "Alex Nash"
Cc: "FreeBSD Stable List"
Date: Fri, 14 Nov 97 16:21:18 -0800
Reply-To: "Studded"
Priority: Normal
X-Mailer: PMMail 1.95a For OS/2
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Subject: Re: Serious problem with ipfw in 11/10 Snap
Sender: owner-freebsd-stable@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Fri, 14 Nov 1997 08:34:54 -0600 (CST), Alex Nash wrote:

>This code hasn't changed on the 2.2 branch since August 23. The same
>code that's in 2.2.5 is in the 11/10 snap (that you claim is broken) and
>the 11/11 snap (that you claim is fixed).

Ok, I'll take your word for that, but I'm still at a loss as to how the
problem could have occurred. FWIW, I rm -r /usr/obj/* and /usr/src/*
before I make the world, then ftp the ...-SNAP/src/* tree to make sure
I've got everything fresh. If you're telling me the code hasn't changed,
then something else has either changed, or is vulnerable to change, since
I used the same procedures I always do.

More detail on the problem in case it's useful.

1. The rule appeared as 00000 deny ip from any to any
2. That rule, and only that rule persisted after a flush.
3. IPFW was able to load my usual (well-tested) rc.firewall script just
   fine, but none of the rules in it mattered because the 00000 rule was
   always parsed first.

Please understand, I'm not trying to point the finger of blame at
anyone. I simply would like to be sure that this problem can't take
anyone else by surprise.

Thanks for your time,

Doug

*** Proud operator, designer and maintainer of the world's largest
*** Internet Relay Chat server. 4,168 clients and still growing. :-)
*** Try spider.dal.net on ports 6662-4 (Powered by FreeBSD)
*** Part of the DALnet IRC network ***
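
The symptom in point 3 above (a catch-all rule ahead of the rc.firewall rules, so nothing after it is ever reached) can be checked for mechanically. The following is an added example, not part of the original message or of FreeBSD: the function name find_shadowing_rule and both rule listings are constructed for illustration, and the parser assumes the "NNNNN action proto from src to dst" layout quoted in the message.

```shell
#!/bin/sh
# Added example: report an unconditional allow/deny rule that has other
# rules listed after it, i.e. rules that can never be evaluated.

find_shadowing_rule() {
    # Reads a rule listing on stdin. Prints "<rule-number> <shadowed-count>"
    # and returns 0 when a catch-all rule precedes other rules; prints
    # nothing and returns 1 otherwise.
    awk '
        # After a catch-all has been seen, every later rule is unreachable.
        found && $1 ~ /^[0-9]+$/ { shadowed++; next }
        # Exactly seven fields: no port, interface or other qualifier.
        $1 ~ /^[0-9]+$/ && NF == 7 &&
        ($2 == "deny" || $2 == "allow") &&
        ($3 == "ip" || $3 == "all") &&
        $4 == "from" && $5 == "any" && $6 == "to" && $7 == "any" {
            found = 1; num = $1
        }
        END {
            if (found && shadowed > 0) { print num, shadowed; exit 0 }
            exit 1
        }
    '
}

# Constructed listing reproducing the situation described in the message.
BROKEN_LISTING='00000 deny ip from any to any
01000 allow ip from any to any via lo0
02000 allow tcp from any to any 22
65535 deny ip from any to any'

# Constructed listing where the only catch-all is the final default rule.
HEALTHY_LISTING='01000 allow ip from any to any via lo0
02000 allow tcp from any to any 22
65535 deny ip from any to any'

if hit=$(printf '%s\n' "$BROKEN_LISTING" | find_shadowing_rule); then
    echo "rule ${hit% *} makes ${hit#* } later rule(s) unreachable"
fi
```

On a live host the same function can be fed from `ipfw list | find_shadowing_rule`, for example right after the firewall script has loaded.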