From root@vlad.ru  Wed Mar 12 05:51:22 2003
Return-Path: <root@vlad.ru>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id A2F5837B401
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 12 Mar 2003 05:51:22 -0800 (PST)
Received: from vlad.ru (mail.vlad.ru [212.107.220.5])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 8A1D243F93
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 12 Mar 2003 05:51:21 -0800 (PST)
	(envelope-from root@vlad.ru)
Received: from root by vlad.ru with local (Exim 4.10)
	id 18t6da-000FW3-00
	for FreeBSD-gnats-submit@freebsd.org; Wed, 12 Mar 2003 23:51:18 +1000
Message-Id: <E18t6da-000FW3-00@vlad.ru>
Date: Wed, 12 Mar 2003 23:51:18 +1000
From: Mikhalych <root@vlad.ru>
Reply-To: Mikhalych <root@vlad.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: ipfw tee port rule skips parsing next rules
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         49959
>Category:       bin
>Synopsis:       ipfw tee port rule skips parsing next rules
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    andre
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Mar 12 06:00:17 PST 2003
>Closed-Date:    Fri Aug 27 19:50:43 GMT 2004
>Last-Modified:  Fri Aug 27 19:50:43 GMT 2004
>Originator:     Sergey Mikhalych
>Release:        FreeBSD 4.7-RELEASE i386
>Organization:
OAO Dalsvyaz
>Environment:
System: FreeBSD mail.vlad.ru 4.7-RELEASE FreeBSD 4.7-RELEASE #0: Sun Nov 24 01:13:21 VLAT 2002 mich@relay.vlad.ru:/usr/src/sys/compile/MAIL i386

>Description:
For traffic accounting I can copy all packets arriving on my network interface xl0 with the `ipfw tee` option to some port, for example 8888; after this rule all these packets must pass through the next ipfw rules (like the `ipfw count` option).

Problem: the `ipfw tee port` option breaks this order; packets are marked as accepted by the rule (like the `ipfw allow` option).

Example:

00001 143 22387 tee 8888 ip from any to any in recv xl0
00002 120 30373 tee 8888 ip from any to any out xmit xl0
00100   0     0 allow tcp from 212.107.192.0/19 to 212.107.200.82 22
00110   0     0 allow tcp from 212.107.200.82 22 to 212.107.192.0/19
00200   0     0 reset tcp from any to 212.107.200.82 22
00300   0     0 reset tcp from any to 212.107.200.80/28 113
00500   0     0 reset tcp from any to 212.107.200.82 3306
00501   0     0 reset tcp from any to 212.107.200.83 3306
65535 258 35124 allow ip from any to any

Telnet to the denied ports 22, 113, 3306 is accepted!
Using ipfw tee is insecure :(

>How-To-Repeat:
You can try adding a `tee port` rule before any of your rules.

>Fix:
Add reset/deny rules BEFORE the tee rule, but the packets they drop will then be lost to the accounting/copy done by tee.
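As an added check (not part of the PR, of ipfw, or of the originator's setup), this Python script parses an `ipfw show` listing like the one above, flags deny/reset rules that sit behind a catch-all `tee` and so are never reached on FreeBSD 4.x, and emits the reordered ruleset described in the Fix section. The regular expression, the function names and the "ip from any to any" catch-all heuristic are my assumptions.

```python
import re

# `ipfw show` output copied from the PR, used here as sample input
LISTING = """\
00001 143 22387 tee 8888 ip from any to any in recv xl0
00002 120 30373 tee 8888 ip from any to any out xmit xl0
00100   0     0 allow tcp from 212.107.192.0/19 to 212.107.200.82 22
00110   0     0 allow tcp from 212.107.200.82 22 to 212.107.192.0/19
00200   0     0 reset tcp from any to 212.107.200.82 22
00300   0     0 reset tcp from any to 212.107.200.80/28 113
00500   0     0 reset tcp from any to 212.107.200.82 3306
00501   0     0 reset tcp from any to 212.107.200.83 3306
65535 258 35124 allow ip from any to any
"""
# rule number, packet count, byte count, action, rule body (assumed layout)
RULE_RE = re.compile(r"^\s*(\d+)\s+\d+\s+\d+\s+(\S+)\s+(.*)$")
BLOCKING = {"deny", "reset", "unreach"}

def parse_rules(listing):
    """Return (number, action, body) for every rule line of the listing."""
    matches = (RULE_RE.match(line) for line in listing.splitlines())
    return [(int(m[1]), m[2], m[3]) for m in matches if m]

def tee_catches_all(action, body):
    """`tee <port> ip from any to any ...` copies every packet on that
    interface/direction, so on 4.x everything behind it is accepted."""
    rule = body.split(None, 1)[-1]          # drop the tee port
    return action == "tee" and rule.startswith("ip from any to any")

def shadowed_rules(listing):
    """(tee_no, rule_no, action) for each blocking rule numbered after the
    first catch-all tee. in/out qualifiers are ignored: treat as a review list."""
    rules = parse_rules(listing)
    tees = [n for n, a, b in rules if tee_catches_all(a, b)]
    return [(tees[0], n, a) for n, a, _ in rules
            if a in BLOCKING and tees and tees[0] < n]

def reorder_for_4x(listing):
    """Workaround from the PR's Fix: emit the blocking rules first, then the
    rest (default rule 65535 excluded), renumbered in steps of 100. Packets
    those rules drop never reach the tee, so they leave the accounting copy."""
    rules = [r for r in parse_rules(listing) if r[0] != 65535]
    ordered = [r for r in rules if r[1] in BLOCKING] + \
              [r for r in rules if r[1] not in BLOCKING]
    return "\n".join(f"{i * 100:05d} 0 0 {a} {b}"
                     for i, (_, a, b) in enumerate(ordered, start=1))
```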
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->ipfw 
Responsible-Changed-By: johan 
Responsible-Changed-When: Tue May 6 13:42:48 PDT 2003 
Responsible-Changed-Why:  
Over to maintainer group. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=49959 
Responsible-Changed-From-To: ipfw->andre 
Responsible-Changed-By: andre 
Responsible-Changed-When: Tue Aug 24 19:02:55 GMT 2004 
Responsible-Changed-Why:  
Take over. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=49959 
State-Changed-From-To: open->suspended 
State-Changed-By: andre 
State-Changed-When: Fri Aug 27 19:47:29 GMT 2004 
State-Changed-Why:  
See kern/64240 for a solution for FreeBSD -current and 5.3-BETA1. 

FreeBSD 4.x will not be fixed due to complexity.  -current and 5.3 
have a rewritten ipfw attachment which makes fixing this relatively 
easy. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=49959 
State-Changed-From-To: suspended->closed 
State-Changed-By: andre 
State-Changed-When: Fri Aug 27 19:49:36 GMT 2004 
State-Changed-Why:  
Close PR.  Mail to Originator bounces with invalid mailbox. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=49959 
>Unformatted:
