From gnats@FreeBSD.org  Tue Feb  5 11:43:43 2008
Return-Path: <gnats@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 018BC16A419
	for <freebsd-gnats-submit@hub.freebsd.org>; Tue,  5 Feb 2008 11:43:43 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28])
	by mx1.freebsd.org (Postfix) with ESMTP id E6A3213C458
	for <freebsd-gnats-submit@hub.freebsd.org>; Tue,  5 Feb 2008 11:43:42 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.14.2/8.14.2) with ESMTP id m15BhgBx041261
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 5 Feb 2008 11:43:42 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.14.2/8.14.1/Submit) id m15Bhgqn041260;
	Tue, 5 Feb 2008 11:43:42 GMT
	(envelope-from gnats)
Message-Id: <200802051143.m15Bhgqn041260@freefall.freebsd.org>
Date: Tue, 5 Feb 2008 11:43:42 GMT
From: Marius Nistor <mariusmayl@yahoo.com>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ipfw jump rules
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         120290
>Category:       kern
>Synopsis:       ipfw jump rules
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Feb 05 11:50:02 UTC 2008
>Closed-Date:    Tue Feb 05 11:52:20 UTC 2008
>Last-Modified:  Wed Feb  6 05:50:01 UTC 2008
>Originator:     Marius Nistor
>Release:        FreeBSD 6.2 release
>Organization:
myshells.eu
>Environment:
FreeBSD localhost 6.2-RELEASE FreeBSD 6.2-RELEASE #0: Sun Jan 20 00:57:36 EET 2008     root@mySHELLS.eu:/usr/src/sys/i386/compile/mySHELLS  i386

>Description:
hi

I create private IPs of this type:
10164 allow ip from 193.64.7.151 to any uid net
10165 allow ip from any to 193.64.7.151
10166 allow tcp from 193.64.7.151 10000-65535,21,22,25,80,110,113,443 to any
10167 deny ip from 193.64.7.151 to any
so that means everyone can connect to the IP on the specified ports ... but
to use the IP on the internet, only uid net can do that .....

the problem is: ipfw jump rules lie:
[11:09:54 root@localhost ~]# ipfw show
10164      0        0 allow ip from 193.64.7.151 to any uid net
10165     21     5166 allow ip from any to 193.64.7.151
10166     23     1213 allow tcp from 193.64.7.151 10000-65535,21,22,25,80,110,113,443 to any
10167      0        0 deny ip from 193.64.7.151 to any
65535 989179 91977108 allow ip from any to any
[11:09:56 root@localhost ~]#
so rules 10164 and 10167 are not used
I tried 10166 allow tcp from 193.64.7.151
10000-65535,21,22,25,80,110,113,443 to any uid net ... but the IP goes
on the internet without oidentd support

Is there any way to get help on that? I tried all ways for 2 days and I think
it is an ipfw bug for jumping rules, because on FreeBSD 4 and 5 it was working fine
thank you
Marius Nistor
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: remko 
State-Changed-When: Tue Feb 5 11:52:20 UTC 2008 
State-Changed-Why:  
Like I said on the IRC channel you joined this morning, please ask on
the ipfw@ mailing list, this is not suited for a PR yet (imo).

http://www.freebsd.org/cgi/query-pr.cgi?pr=120290 

From: Nistor Marius <mariusmayl@yahoo.com>
To: FreeBSD-gnats-submit@FreeBSD.org, freebsd-bugs@FreeBSD.org
Cc:  
Subject: Re: kern/120290: ipfw jump rules
Date: Tue, 5 Feb 2008 03:52:12 -0800 (PST)

 hi.
   the problem is .. is there any patch for that?
   thank you
   Marius Nistor
   
 
 FreeBSD-gnats-submit@FreeBSD.org wrote:
   Thank you very much for your problem report.
 It has the internal identification `kern/120290'.
 The individual assigned to look at your
 report is: freebsd-bugs. 
 
 You can access the state of your problem report at any time
 via this link:
 
 http://www.freebsd.org/cgi/query-pr.cgi?pr=120290
 
 >Category: kern
 >Responsible: freebsd-bugs
 >Synopsis: ipfw jump rules
 >Arrival-Date: Tue Feb 05 11:50:02 UTC 2008
 
 

From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: Marius Nistor <mariusmayl@yahoo.com>
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: kern/120290: ipfw jump rules
Date: Tue, 05 Feb 2008 17:11:02 +0300

 Marius Nistor wrote:
 > [11:09:54 root@localhost ~]# ipfw show
 > 10164      0        0 allow ip from 193.64.7.151 to any uid net
 > 10165     21     5166 allow ip from any to 193.64.7.151
 > 10166     23     1213 allow tcp from 193.64.7.151 10000-65535,21,22,25,80,110,113,443 to any
 > 10167      0        0 deny ip from 193.64.7.151 to any
 > 65535 989179 91977108 allow ip from any to any
 > [11:09:56 root@localhost ~]#
 > so rule 10164 and 10167 not used
 > i tryed 10166 allow tcp from 193.64.7.151
 > 10000-65535,21,22,25,80,110,113,443 to any uid net ... but the ip is go
 > on internet without oidentd support 
 
 Do you have any processes which deal with TCP/UDP with user's
 "net" credentials?
 
 -- 
 WBR, Andrey V. Elsukov

From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: Nistor Marius <mariusmayl@yahoo.com>
Subject: Re: kern/120290: ipfw jump rules
Date: Wed, 06 Feb 2008 08:45:14 +0300

 Nistor Marius wrote:
 > no, I open ports ... just in case the user needs those ports open, to
 > not open a support ticket for that
 > the problem is ... I have used this way for the last few years on FreeBSD 4.X
 > and 5.X and it was working fine
 > on FreeBSD 6.X no
 > I think the ipfwadmin misses the number of rules and jumps the rules
 
 Hi, Marius.
 
 I'm sorry. My English isn't very good. Did you correctly understand
 what these rules do? I'll try to describe them in a bit more detail:
 
 10164 allow ip from 193.64.7.151 to any uid net
 This rule matches all TCP or UDP packets from 193.64.7.151 to any which
 are sent or received by processes running as user "net"
 on your machine. E.g. you can run a web server as user "net" and some
 packets will be matched by this rule (if they are from
 193.64.7.151 to any).
 
 10165 allow ip from any to 193.64.7.151
 This rule matches all IP packets from any address to 193.64.7.151.
 
 10166 allow tcp from 193.64.7.151 10000-65535,21,22,25,80,110,113,443 to any
 This rule will match packets with source address 193.64.7.151 and
 source ports 10000-65535,21,22,25,80,110,113,443 destined to any
 addresses and ports. It will not match packets if they were already
 matched by rule 10164, because the "allow" action terminates the search.
 
 10167 deny ip from 193.64.7.151 to any
 This rule will deny packets that didn't match rules 10164 and 10166.
 
 Did you want the same?
 
 -- 
 WBR, Andrey V. Elsukov
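The first-match walk that the reply above describes, shown as an added example that is not part of the PR and not FreeBSD's ipfw source: a small Python model of the four rules (plus the default rule 65535), fed with constructed packets. The hosts 198.51.100.7 and 203.0.113.x, the users "alice" and "root", the ports and the packet sizes are all invented for the demonstration; a packet's "uid" stands for the owner of the local socket the packet belongs to, which is the only kind of packet ipfw's uid option can match.

```python
"""Toy first-match model of the four ipfw rules from kern/120290.

Constructed simplification, not FreeBSD's ipfw code: rules are walked in
number order and the first matching rule's action (allow/deny) ends the
search, which is the behaviour explained in the reply above. A packet's
"uid" is the owner of the local TCP/UDP socket it belongs to.
"""


def parse_ports(spec):
    """Turn an ipfw port list such as '10000-65535,21,22' into (lo, hi) ranges."""
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def port_in(port, ranges):
    return any(lo <= port <= hi for lo, hi in ranges)


# The rule set from the report, plus the implicit default rule 65535.
RULES = [
    {"num": 10164, "action": "allow", "proto": "ip", "src": "193.64.7.151", "uid": "net"},
    {"num": 10165, "action": "allow", "proto": "ip", "dst": "193.64.7.151"},
    {"num": 10166, "action": "allow", "proto": "tcp", "src": "193.64.7.151",
     "sports": parse_ports("10000-65535,21,22,25,80,110,113,443")},
    {"num": 10167, "action": "deny", "proto": "ip", "src": "193.64.7.151"},
    {"num": 65535, "action": "allow", "proto": "ip"},
]

# Constructed sample traffic; hosts, users and sizes are invented for the demo.
PACKETS = [
    # alice (not uid net) browsing out from an ephemeral source port
    {"proto": "tcp", "src": "193.64.7.151", "sport": 51234, "dst": "203.0.113.10", "dport": 80, "uid": "alice", "len": 60},
    # someone on the internet connecting in to sshd
    {"proto": "tcp", "src": "198.51.100.7", "sport": 40000, "dst": "193.64.7.151", "dport": 22, "uid": "root", "len": 60},
    # sshd's reply, source port 22
    {"proto": "tcp", "src": "193.64.7.151", "sport": 22, "dst": "198.51.100.7", "dport": 40000, "uid": "root", "len": 100},
    # a process running as user net connecting out
    {"proto": "tcp", "src": "193.64.7.151", "sport": 51235, "dst": "203.0.113.10", "dport": 443, "uid": "net", "len": 60},
    # alice's DNS query over UDP: not tcp, so rule 10166 cannot allow it
    {"proto": "udp", "src": "193.64.7.151", "sport": 51236, "dst": "203.0.113.53", "dport": 53, "uid": "alice", "len": 40},
]


def matches(rule, pkt):
    """Return True if every option present in the rule matches the packet."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if "src" in rule and rule["src"] != pkt["src"]:
        return False
    if "dst" in rule and rule["dst"] != pkt["dst"]:
        return False
    if "sports" in rule and not port_in(pkt["sport"], rule["sports"]):
        return False
    if "uid" in rule:
        # uid only applies to TCP/UDP packets owned by a local socket of that user
        if pkt["proto"] not in ("tcp", "udp") or pkt.get("uid") != rule["uid"]:
            return False
    return True


def evaluate(rules, pkt):
    """First match wins: return (rule number, action) of the deciding rule."""
    for rule in sorted(rules, key=lambda r: r["num"]):
        if matches(rule, pkt):
            return rule["num"], rule["action"]
    raise RuntimeError("rule set has no default rule")


def run(rules, packets):
    """Per-rule packet and byte counters, like the first columns of 'ipfw show'."""
    counters = {rule["num"]: [0, 0] for rule in rules}
    for pkt in packets:
        num, _ = evaluate(rules, pkt)
        counters[num][0] += 1
        counters[num][1] += pkt["len"]
    return counters


if __name__ == "__main__":
    for num, (pkts, nbytes) in sorted(run(RULES, PACKETS).items()):
        print(f"{num:5d} {pkts:6d} {nbytes:8d}")
```

Run as a script it prints counters in the layout of the report's `ipfw show` output. The zero counter on 10164 in the report is what this model predicts when no process runs as user "net": every other user's outbound TCP connection starts from an ephemeral source port, which lies inside 10000-65535, so it is allowed by 10166 and never reaches the deny at 10167. Only outbound traffic that 10166 cannot match (the UDP query in the sample) falls through to 10167. No rule is skipped; the counters follow from the order and the match options alone.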
>Unformatted:
