From nobody@FreeBSD.org  Fri May 19 21:34:19 2006
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id A02C116A422
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 19 May 2006 21:34:19 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 615A743D46
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 19 May 2006 21:34:19 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id k4JLYJsB018701
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 19 May 2006 21:34:19 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id k4JLYJAE018700;
	Fri, 19 May 2006 21:34:19 GMT
	(envelope-from nobody)
Message-Id: <200605192134.k4JLYJAE018700@www.freebsd.org>
Date: Fri, 19 May 2006 21:34:19 GMT
From: Marcelo Machado <marcelo_vt@hotmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: IPFW Rules bug
X-Send-Pr-Version: www-2.3

>Number:         97504
>Category:       kern
>Synopsis:       [ipfw] IPFW Rules bug
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ipfw
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri May 19 21:40:12 GMT 2006
>Closed-Date:    Wed Aug 04 15:08:22 UTC 2010
>Last-Modified:  Wed Aug 04 15:08:22 UTC 2010
>Originator:     Marcelo Machado
>Release:        6.0
>Organization:
Profit-ti
>Environment:
>Description:
I've added the following rules to the ipfw.rules:

ipfw add 100 allow all from 192.168.100.3 to 192.168.100.4
ipfw add 110 allow all from 192.168.100.4 to 192.168.100.3
ipfw add 65535 deny all from any to any

With these rules, 192.168.100.3 should ping or interact with 192.168.100.4 normally, but it doesn't. But if I add this line:

ipfw add 1 allow all from any to any

they talk to each other normally, but the biggest problem comes next: if I

ipfw delete 1

everything begins to work as it should, and only these IPs can talk with each other on the net.

Thanks
>How-To-Repeat:

>Fix:
If I add this line:

ipfw add 1 allow all from any to any

they talk to each other normally, but the biggest problem comes next: if I

ipfw delete 1

everything begins to work as it should, and only these IPs can talk with each other on the net.
>Release-Note:
>Audit-Trail:

From: Oliver Fromme <olli@lurza.secnetix.de>
To: bug-followup@FreeBSD.org, marcelo_vt@hotmail.com
Cc:  
Subject: Re: amd64/97504: IPFW Rules bug
Date: Sat, 20 May 2006 13:28:29 +0200 (CEST)

 Marcelo Machado <marcelo_vt@hotmail.com> wrote:
  > > Number:         97504
  > > Synopsis:       IPFW Rules bug
  > > [...]
  > I've added the following rules to the ipfw.rules:
  > 
  > ipfw add 100 allow all from 192.168.100.3 to 192.168.100.4
  > ipfw add 110 allow all from 192.168.100.4 to 192.168.100.3
  > ipfw add 65535 deny all from any to any 
  > 
  > With these rules, 192.168.100.3 should ping or interact with
  > 192.168.100.4 normally, but it doesn't. But if I add this line:
  > 
  > ipfw add 1 allow all from any to any
  > 
  > they talk to each other normally, but the biggest problem comes next:
  > if I
  > 
  > ipfw delete 1
  > 
  > everything begins to work as it should, and only these IPs can talk
  > with each other on the net.
 
 You probably forgot to allow access to/from your DNS server,
 or something similar.  The rule #1 will shortly allow that
 access, and when you delete that rule again, it still works
 because the DNS results are cached.
 
 Best regards
    Oliver
 
 -- 
 Oliver Fromme,  secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
 Services with a focus on FreeBSD: http://www.secnetix.de/bsd
 Any opinions expressed in this message may be personal to the author
 and may not necessarily reflect the opinions of secnetix in any way.
 
 "I made up the term 'object-oriented', and I can tell you
 I didn't have C++ in mind."
         -- Alan Kay, OOPSLA '97

From: "Marcelo Machado" <marcelo_vt@hotmail.com>
To: <bug-followup@FreeBSD.org>
Cc:  
Subject: RE: Re: amd64/97504: IPFW Rules bug
Date: Sat, 20 May 2006 13:12:54 +0000

 Thanks for the assistance Oliver!

 But I have a question: I'm only using IPs and not names, so do they still look for the DNS?

 How can I fix it? My firewall is FreeBSD 6, and the data server and most of the web servers are Windows, and one is Linux.

 Thanks a lot!!

 Best Regards,
 Marcelo
 
 
 
Responsible-Changed-From-To: freebsd-amd64->freebsd-ipfw 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Wed Jun 14 09:15:26 UTC 2006 
Responsible-Changed-Why:  
This does not sound amd64-specific. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=97504 

From: Oliver Fromme <olli@lurza.secnetix.de>
To: bug-followup@FreeBSD.org, freebsd-ipfw@FreeBSD.org,
        marcelo_vt@hotmail.com (Marcelo Machado)
Cc:  
Subject: Re: kern/97504: [ipfw] IPFW Rules bug
Date: Wed, 4 Aug 2010 15:38:13 +0200 (CEST)

 Hello Marcelo,
 
 I just stumbled across this old PR which is still open.
 Apparently the problem was caused by missing DNS access,
 not a bug in IPFW itself.  Note that DNS queries often
 happen "behind the scenes".  Even if you use IP numbers
 only, many programs will try to perform reverse-lookup.
 
 Do you agree that the PR can be closed?
 
 Best regards
    Oliver
 
 -- 
 Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
 Commercial register: Registergericht München, HRA 74606, Management:
 secnetix Verwaltungsgesellsch. mbH, commercial register: Registergericht
 München, HRB 125758, Managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart

 FreeBSD services, products and more: http://www.secnetix.de/bsd
 
 C++: "an octopus made by nailing extra legs onto a dog"
         -- Steve Taylor, 1998
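
To make Oliver's diagnosis concrete, here is an added example (not part of the PR and not ipfw code) that models ipfw's first-match evaluation over the three rules Marcelo posted. The resolver address 192.168.100.1 and the two DNS rules numbered 120/130 are constructed for the illustration; under the original rule set the ping itself passes at rule 100 while the name lookup falls through to the default deny, which is why a temporary "allow all" rule appeared to fix things.

```python
import ipaddress
from collections import namedtuple

# One parsed ipfw rule; only the subset of syntax used in this PR is supported.
Rule = namedtuple("Rule", "number action proto src sport dst dport")

def _net(tok):
    return ipaddress.ip_network("0.0.0.0/0" if tok == "any" else tok, strict=False)

def parse_rule(line):
    """Parse 'ipfw add N allow|deny PROTO from SRC [SPORT] to DST [DPORT]'."""
    t = line.split()
    if t[:2] != ["ipfw", "add"] or t[5] != "from" or "to" not in t:
        raise ValueError(f"unsupported rule syntax: {line}")
    i = t.index("to")
    sport = int(t[7]) if i == 8 else None
    dport = int(t[i + 2]) if len(t) > i + 2 else None
    return Rule(int(t[2]), t[3], t[4], _net(t[6]), sport, _net(t[i + 1]), dport)

def first_match(rules, proto, src, dst, sport=None, dport=None):
    """ipfw walks rules in ascending number order; the first match decides."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in sorted(rules, key=lambda r: r.number):
        if r.proto not in ("all", proto) or s not in r.src or d not in r.dst:
            continue
        if r.sport not in (None, sport) or r.dport not in (None, dport):
            continue
        return r.number, r.action
    return 65535, "deny"  # the default rule is always present

# The three rules exactly as posted in the PR.
PR_RULES = [parse_rule(l) for l in (
    "ipfw add 100 allow all from 192.168.100.3 to 192.168.100.4",
    "ipfw add 110 allow all from 192.168.100.4 to 192.168.100.3",
    "ipfw add 65535 deny all from any to any",
)]
RESOLVER = "192.168.100.1"  # constructed: the PR never names its DNS server
# Same rules plus explicit DNS access for .3 (constructed fix, rules 120/130).
DNS_RULES = PR_RULES + [
    parse_rule(f"ipfw add 120 allow udp from 192.168.100.3 to {RESOLVER} 53"),
    parse_rule(f"ipfw add 130 allow udp from {RESOLVER} 53 to 192.168.100.3"),
]

def trace(rules):
    """Decide a ping from .3 to .4 plus the reverse lookup of the peer that many tools issue."""
    return {
        "icmp .3->.4": first_match(rules, "icmp", "192.168.100.3", "192.168.100.4"),
        "dns query":   first_match(rules, "udp", "192.168.100.3", RESOLVER, 40000, 53),
        "dns reply":   first_match(rules, "udp", RESOLVER, "192.168.100.3", 53, 40000),
    }
```

Adding `ipfw add 1 allow all from any to any` to the list makes every flow match rule 1, and removing it again only keeps working for as long as the resolver's cached answer lives.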
State-Changed-From-To: open->closed 
State-Changed-By: olli 
State-Changed-When: Wed Aug 4 15:07:12 UTC 2010 
State-Changed-Why:  
According to the originator, this PR can be closed. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=97504 
>Unformatted:
