From bernd@heitec.net  Tue Oct  3 23:24:47 2000
Return-Path: <bernd@heitec.net>
Received: from heitec.net (paladin.heitec.net [193.101.232.30])
	by hub.freebsd.org (Postfix) with ESMTP id 7513937B503
	for <FreeBSD-gnats-submit@freebsd.org>; Tue,  3 Oct 2000 23:24:46 -0700 (PDT)
Received: (from root@localhost)
	by  heitec.net (8.11.0/8.11.0) id e946OuW00627;
	Wed, 4 Oct 2000 08:24:56 +0200 (CEST)
	(envelope-from bernd)
Message-Id: <200010040624.e946OuW00627@ heitec.net>
Date: Wed, 4 Oct 2000 08:24:56 +0200 (CEST)
From: bdluevel@heitec.net
Sender: bernd@heitec.net
Reply-To: bdluevel@heitec.net
To: FreeBSD-gnats-submit@freebsd.org
Subject: 'ipfw add' does not check the protocol name
X-Send-Pr-Version: 3.2

>Number:         21742
>Category:       bin
>Synopsis:       'ipfw add' does not check the protocol name
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Oct 03 23:30:00 PDT 2000
>Closed-Date:    Wed Oct 4 01:02:59 PDT 2000
>Last-Modified:  Wed Oct 04 01:12:39 PDT 2000
>Originator:     Bernd Luevelsmeyer
>Release:        FreeBSD 4.1.1-STABLE i386
>Organization:
Heitec AG
>Environment:

    FreeBSD 4.1.1-STABLE #5: Mon Oct  2 00:14:43 CEST 2000

>Description:

    If you add an IPFW rule to pass TCP traffic to port 'echo',
    then port 4 will be allowed instead of port 7, apparently
    because there's an 'echo' with port 4 in /etc/services.
    That's only protocol 'ddp' though, hence I assume 'ipfw add'
    does not check the protocol if looking up port names.

>How-To-Repeat:

    #ipfw list
    00100 allow ip from any to any
    65535 deny ip from any to any
    #ipfw add pass tcp from any to any echo
    00000 allow tcp from any to any 4
    #ipfw list
    00100 allow ip from any to any
    00200 allow tcp from any to any 4
    65535 deny ip from any to any
    #grep echo /etc/services
    echo		  4/ddp	   #AppleTalk Echo Protocol
    echo		  7/tcp
    echo		  7/udp
    at-echo		204/tcp	   #AppleTalk Echo
    at-echo		204/udp	   #AppleTalk Echo

>Fix:

    Workaround: use port numbers only when specifying firewall
    rules, not port names.
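    The following is an added illustration, not code from this PR or from
    FreeBSD's ipfw.c. It parses a constructed buffer in /etc/services format
    (mirroring the grep output above) and resolves a service name two ways:
    protocol-unaware, which returns the first matching line and reproduces
    the wrong port 4, and protocol-qualified, which returns port 7 for
    'echo' over TCP. The function name lookup_port and the SERVICES_SAMPLE
    buffer are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample in /etc/services format; the lines mirror the
 * grep output in the PR. Not read from the real /etc/services. */
static const char *SERVICES_SAMPLE =
    "echo\t\t  4/ddp\t   #AppleTalk Echo Protocol\n"
    "echo\t\t  7/tcp\n"
    "echo\t\t  7/udp\n"
    "at-echo\t\t204/tcp\t   #AppleTalk Echo\n"
    "at-echo\t\t204/udp\t   #AppleTalk Echo\n";

/* Resolve a service name in a services-format buffer.
 * proto == NULL: first line whose name matches wins (the protocol-unaware
 *                behaviour the PR describes, so 'echo' yields 4/ddp).
 * proto != NULL: the protocol field must match as well (so 'echo'/"tcp"
 *                yields 7).
 * Returns the port number, or -1 if no matching, well-formed entry exists. */
int lookup_port(const char *services, const char *name, const char *proto)
{
    const char *p = services;

    while (*p != '\0') {
        /* Copy one line into a local buffer so it can be tokenised in place. */
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        char line[256];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p += len + (eol ? 1 : 0);

        /* Drop trailing comments. */
        char *hash = strchr(line, '#');
        if (hash)
            *hash = '\0';

        /* Field 1: service name. */
        char *s = line + strspn(line, " \t");
        char *field_name = s;
        s += strcspn(s, " \t");
        if (*s == '\0')
            continue;           /* blank line or missing port/proto field */
        *s++ = '\0';

        /* Field 2: port/protocol, e.g. "7/tcp". */
        s += strspn(s, " \t");
        char *field_portproto = s;
        s += strcspn(s, " \t");
        *s = '\0';

        char *slash = strchr(field_portproto, '/');
        if (!slash)
            continue;           /* malformed entry */
        *slash = '\0';
        const char *field_proto = slash + 1;

        if (strcmp(field_name, name) != 0)
            continue;
        if (proto != NULL && strcmp(field_proto, proto) != 0)
            continue;           /* same name, different protocol: keep looking */

        char *end;
        long port = strtol(field_portproto, &end, 10);
        if (*end != '\0' || port < 0 || port > 65535)
            continue;           /* port field is not a valid number */
        return (int)port;
    }
    return -1;
}

int main(void)
{
    printf("echo, no protocol -> %d\n", lookup_port(SERVICES_SAMPLE, "echo", NULL));
    printf("echo/tcp          -> %d\n", lookup_port(SERVICES_SAMPLE, "echo", "tcp"));
    printf("echo/udp          -> %d\n", lookup_port(SERVICES_SAMPLE, "echo", "udp"));
    return 0;
}
```

    The point for a rule parser is that the protocol is already known
    when the port name is parsed (it is the 'tcp' in the rule), so the
    lookup must be qualified by it; a name-only lookup silently opens
    whichever port happens to be listed first under that name.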


>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed
State-Changed-By: ru
State-Changed-When: Wed Oct 4 01:02:59 PDT 2000
State-Changed-Why:
Fixed in src/sbin/ipfw/ipfw.c,
revisions 1.93 (5.0-CURRENT) and 1.80.2.5 (4.1.1-STABLE).

http://www.freebsd.org/cgi/query-pr.cgi?pr=21742 
>Unformatted:
