From jaid@home.com  Tue Jun 27 22:55:05 2000
Return-Path: <jaid@home.com>
Received: from mail.rdc2.mi.home.com (ha1.rdc2.mi.home.com [24.2.68.68])
	by hub.freebsd.org (Postfix) with ESMTP id 9D0DF37B7DC
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 27 Jun 2000 22:54:58 -0700 (PDT)
	(envelope-from jaid@home.com)
Received: from c265-a.home.com ([24.7.242.199]) by mail.rdc2.mi.home.com
          (InterMail vM.4.01.02.17 201-229-119) with ESMTP
          id <20000628055451.TPED9918.mail.rdc2.mi.home.com@c265-a.home.com>
          for <FreeBSD-gnats-submit@freebsd.org>;
          Tue, 27 Jun 2000 22:54:51 -0700
Message-Id: <4.3.1.2.20000628014407.00a9d100@mail>
Date: Wed, 28 Jun 2000 01:52:46 -0400
From: jaid <jaid@home.com>
To: FreeBSD-gnats-submit@freebsd.org
Subject: Problem with IPFW; 4.0-RELEASE

>Number:         19557
>Category:       misc
>Synopsis:       Denying more than 10 ports with an 'open' ipfw policy causes numerous 'unfiltered' ports to appear.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jun 27 23:00:00 PDT 2000
>Closed-Date:    Sat Jun 2 01:25:28 PDT 2001
>Last-Modified:  Sat Jun 02 01:26:47 PDT 2001
>Originator:     jaid
>Release:        FreeBSD 4.0-RELEASE i386
>Organization:
none
>Environment:
 
 	Numerous environments used. The problem is prevalent in all. Pentium Pro, 
 Pentium II, Pentium, Dual Pentium Pro, Dual Pentium II.
 
>Description:
 
          When making use of IPFW and an 'open' policy, denying more than 10 
 ports manually results in hundreds of ports showing up as 'unfiltered' when 
 doing a scan with nmap. All ports can be telnetted to, receiving a 
 'connection refused' message. With ten or fewer ports being denied, there is 
 no such problem; none of the 'unfiltered' ports show up in nmap scans.
 
>How-To-Repeat:
 
 Compile kernel with ipfw options (IPFIREWALL, IPDIVERT, IPFIREWALL_VERBOSE)
 Set default policy to open via rc.conf (firewall_type="OPEN")
 ipfw add deny tcp from any to any 1-11
 
 
 
>Fix:
 
          I'm hoping that you can tell me =)
 
 
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: gnats-admin->freebsd-bugs 
Responsible-Changed-By: asmodai 
Responsible-Changed-When: Tue Jul 11 02:44:13 PDT 2000 
Responsible-Changed-Why:  
Fix up botched PR. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=19557 
State-Changed-From-To: open->closed 
State-Changed-By: phk 
State-Changed-When: Sat Jun 2 01:25:28 PDT 2001 
State-Changed-Why:  
I think this is a timing issue for nmap if anything. 

Did you have "log" set on the rules where you denied ports? 
If so the extra delay may have fooled nmap. 

There is certainly no indication of FreeBSD malfunctioning. 


http://www.FreeBSD.org/cgi/query-pr.cgi?pr=19557 
>Unformatted:
