From steve@portal.megahack.com  Sat Feb  3 12:37:42 2001
Return-Path: <steve@portal.megahack.com>
Received: from linux.intcon.net (linux.intcon.net [206.230.48.2])
	by hub.freebsd.org (Postfix) with ESMTP id 8F95737B503
	for <FreeBSD-gnats-submit@freebsd.org>; Sat,  3 Feb 2001 12:37:41 -0800 (PST)
Received: from portal.megahack.com (portal.megahack.com [206.230.54.106])
	by linux.intcon.net (8.11.0/8.11.0) with ESMTP id f13KbdZ10064
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 3 Feb 2001 14:37:39 -0600
Received: (from steve@localhost)
	by portal.megahack.com (8.11.2/8.11.2) id f13KbbK02047;
	Sat, 3 Feb 2001 14:37:37 -0600 (CST)
	(envelope-from steve)
Message-Id: <200102032037.f13KbbK02047@portal.megahack.com>
Date: Sat, 3 Feb 2001 14:37:37 -0600 (CST)
From: steve@megahack.com
Reply-To: steve@megahack.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: ipfw check-state broken 
X-Send-Pr-Version: 3.2

>Number:         24833
>Category:       misc
>Synopsis:       after cvsup + rebuild, ipfw "check-state" does not work
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Feb 03 12:40:02 PST 2001
>Closed-Date:    Tue Feb 6 23:57:54 PST 2001
>Last-Modified:  Tue Feb 06 23:59:04 PST 2001
>Originator:     Steven Farmer
>Release:        FreeBSD 4.2-STABLE i386
>Organization:
you kidding?
>Environment:

	


>Description:

After cvsup, make buildworld/buildkernel/installkernel/installworld on
3 Feb 2001, ipfw "check-state" keyword appears to do nothing.  The relevant
lines from my firewall rules file:

	add check-state
	add deny tcp from any to any established
	add pass tcp from 10.0.0.0/8 to any setup keep-state
	add pass udp from 10.0.0.0/8 to any 53,123 keep-state
	add pass icmp from 10.0.0.0/8 to any icmptype 8 keep-state

Now the "deny tcp from any to any established" rule blocks all tcp packets,
even those associated with the "keep-state" rules.

>How-To-Repeat:

cvsup and rebuild, use ipfw rules similar to those above.

>Fix:

Temporarily move the "deny tcp from any to any established" rule *after*
the "keep-state" rules.

>Release-Note:
>Audit-Trail:

From: Bernd Luevelsmeyer <bdluevel@heitec.net>
To: freebsd-gnats-submit@FreeBSD.org, steve@megahack.com
Cc:  
Subject: Re: misc/24833: after cvsup + rebuild, ipfw "check-state" does not work
Date: Sat, 03 Feb 2001 22:30:20 +0100

 I've got 4.2-Stable on a PentiumII updated just now. I found that with
 these rules ('ipfw list' output):
   00100 allow tcp from any to any established
   65535 deny ip from any to any
 anyone can telnet or ftp into the machine or out of it. Essentially, I
 think 'established' matches packets having the SYN flag, in addition to
 those having ACK or RST.
 
 May I ask that this bug have its "Severity" increased, because this will
 break many firewalls IMO. An "allow tcp from any to any established" will
 render any later tcp 'deny' rule useless.
 

From: Bernd Luevelsmeyer <bdluevel@heitec.net>
To: freebsd-gnats-submit@FreeBSD.org
Cc: steve@megahack.com, Warner Losh <imp@harmony.village.org>
Subject: Re: misc/24833: after cvsup + rebuild, ipfw "check-state" does not work
Date: Sun, 04 Feb 2001 02:29:15 +0100

 I'm not familiar with the FreeBSD sources so I might be wrong, but
 this is how I understand it:
 
 It's the change in /usr/src/sys/netinet/ip_fw.c from version
 1.131.2.12 to 1.131.2.13, around line 1221.
  if (((f->fw_tcpf != f->fw_tcpnf) ||
     (f->fw_ipflg & IP_FW_IF_TCPEST))  &&
     !tcpflg_match(tcp, f))
 was replaced by
  if (f->fw_tcpf != f->fw_tcpnf && !tcpflg_match(tcp, f))
 
 The 'established' flag is in fw_ipflg. It's handled in tcpflg_match(),
 but since the test for fw_ipflg is gone, tcpflg_match() doesn't get
 a chance anymore to do the established-thing if fw_tcpf == fw_tcpnf,
 which (I assume) indicates TCP-flags are not used in the particular
 rule.
 The problem is IMHO that 'established' is a TCP property but not a
 TCP flag.
 
 Re-inserting the previous condition seems to work for me. This is a
 patch against 1.131.2.13:
 --- .vimbk/ip_fw.c.vimbk        Fri Feb  2 15:05:48 2001
 +++ ip_fw.c     Sun Feb  4 02:07:53 2001
 @@ -1222,7 +1222,9 @@
 
                         if (f->fw_tcpopt != f->fw_tcpnopt && !tcpopts_match(tcp, f))
                                 continue;
 -                       if (f->fw_tcpf != f->fw_tcpnf && !tcpflg_match(tcp, f))
 +            if (((f->fw_tcpf != f->fw_tcpnf) ||
 +                        (f->fw_ipflg & IP_FW_IF_TCPEST))  &&
 +                    !tcpflg_match(tcp, f))
                                 continue;
                         goto check_ports;
                     }
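Review bot: the restored condition only does what the PR wants as long as tcpflg_match() keeps handling IP_FW_IF_TCPEST by itself when fw_tcpf == fw_tcpnf, as the reply above says it does; if the established check is ever moved out of tcpflg_match(), the `if (((f->fw_tcpf != f->fw_tcpnf) ||` line silently falls back to matching every TCP packet again, so a one-line comment above it saying that 'established' is carried in fw_ipflg rather than in fw_tcpf/fw_tcpnf would protect the fix. Two mechanical points: the three `+` lines are indented with spaces while the surrounding lines use tabs (the `+            if (((` line does not line up with the `-                       if` line it replaces), and the `--- .vimbk/ip_fw.c.vimbk` header names a vim backup file rather than sys/netinet/ip_fw.c, so the patch needs its path fixed before it applies; a `cvs diff -u` against 1.131.2.13 would avoid both. Worth confirming with the two-rule set from the first reply (allow established, then deny ip) that a bare SYN is dropped after the change.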
 
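The two if-conditions Bernd quotes, and the behaviour both reporters saw, as an added stand-alone C model (editor-supplied example code, not the FreeBSD ip_fw.c source): it evaluates the "tcp from any to any established" rule shape from both rulesets and the "setup keep-state" rule shape from the originator's ruleset against SYN, SYN|ACK and ACK packets, once under the 1.131.2.13 condition and once under the condition the patch restores. The field names fw_tcpf, fw_tcpnf and fw_ipflg, the IP_FW_IF_TCPEST bit and the two conditions are taken from the PR; the body of tcpflg_match(), the numeric value of IP_FW_IF_TCPEST, the struct layouts and the wrapper functions are assumptions. Under the 1.131.2.13 condition a rule whose only TCP qualifier is "established" has fw_tcpf == fw_tcpnf, so tcpflg_match() is never consulted and the rule matches every TCP packet, a bare SYN included; that is consistent with the originator's "deny ... established" swallowing the setup packets before the keep-state rule could create any dynamic state, and with Bernd's "allow ... established" admitting new connections.

```c
/*
 * Editor-added model of the ip_fw TCP-flag check from PR 24833.
 * NOT the FreeBSD ip_fw.c source.  Field names, IP_FW_IF_TCPEST and the
 * two if-conditions come from the PR; everything else is an assumption.
 */
#include <stdint.h>
#include <stdio.h>

/* TCP header flag bits (same values as TH_* in <netinet/tcp.h>). */
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10

/* "established" keyword lives in fw_ipflg; the bit value is an assumption. */
#define IP_FW_IF_TCPEST 0x01

/* The subset of struct ip_fw that the flag check reads. */
struct ip_fw {
	uint8_t fw_tcpf;   /* TCP flags that must be set   (setup: SYN) */
	uint8_t fw_tcpnf;  /* TCP flags that must be clear (setup: ACK) */
	uint8_t fw_ipflg;  /* per-rule flags, including IP_FW_IF_TCPEST */
};

/* Only the flags byte of the TCP header matters here. */
struct tcphdr {
	uint8_t th_flags;
};

/*
 * Assumed model of tcpflg_match(), following Bernd's description: with
 * "established" set, a packet whose only flag among SYN/ACK/RST is SYN
 * (a bare connection request) does not match; then the set/clear masks
 * are applied.  Returns 1 on match, 0 otherwise.
 */
static int tcpflg_match(const struct tcphdr *tcp, const struct ip_fw *f)
{
	if ((f->fw_ipflg & IP_FW_IF_TCPEST) &&
	    (tcp->th_flags & (TH_RST | TH_ACK | TH_SYN)) == TH_SYN)
		return 0;
	if ((tcp->th_flags & f->fw_tcpf) != f->fw_tcpf)
		return 0;	/* a required flag is missing */
	if (tcp->th_flags & f->fw_tcpnf)
		return 0;	/* a forbidden flag is present */
	return 1;
}

/*
 * ip_fw.c 1.131.2.13: tcpflg_match() is consulted only when the rule
 * names explicit flags.  A rule carrying nothing but "established" has
 * fw_tcpf == fw_tcpnf == 0, skips the call and matches every TCP packet.
 * Returns 1 if the packet survives the flag check.
 */
int flags_ok_broken(const struct tcphdr *tcp, const struct ip_fw *f)
{
	if (f->fw_tcpf != f->fw_tcpnf && !tcpflg_match(tcp, f))
		return 0;
	return 1;
}

/* The condition the patch restores (ip_fw.c 1.131.2.12). */
int flags_ok_fixed(const struct tcphdr *tcp, const struct ip_fw *f)
{
	if (((f->fw_tcpf != f->fw_tcpnf) ||
	    (f->fw_ipflg & IP_FW_IF_TCPEST)) &&
	    !tcpflg_match(tcp, f))
		return 0;
	return 1;
}

/* "tcp from any to any established": no flag masks, only the TCPEST bit. */
int established_matches(int fixed, uint8_t th_flags)
{
	struct ip_fw f = { 0, 0, IP_FW_IF_TCPEST };
	struct tcphdr tcp = { th_flags };

	return fixed ? flags_ok_fixed(&tcp, &f) : flags_ok_broken(&tcp, &f);
}

/* "setup" is shorthand for tcpflags syn,!ack: SYN required, ACK forbidden. */
int setup_matches(int fixed, uint8_t th_flags)
{
	struct ip_fw f = { TH_SYN, TH_ACK, 0 };
	struct tcphdr tcp = { th_flags };

	return fixed ? flags_ok_fixed(&tcp, &f) : flags_ok_broken(&tcp, &f);
}

int main(void)
{
	/* Constructed sample packets: a new connection request, its reply,
	 * and a data segment on an established connection. */
	const struct { const char *name; uint8_t flags; } pkt[] = {
		{ "SYN",     TH_SYN },
		{ "SYN|ACK", TH_SYN | TH_ACK },
		{ "ACK",     TH_ACK },
	};
	size_t i;

	printf("%-8s  established(2.13)  established(fixed)  setup\n", "packet");
	for (i = 0; i < sizeof pkt / sizeof pkt[0]; i++)
		printf("%-8s  %-17d  %-18d  %d\n", pkt[i].name,
		    established_matches(0, pkt[i].flags),
		    established_matches(1, pkt[i].flags),
		    setup_matches(1, pkt[i].flags));
	return 0;
}
```

Build with cc -Wall and run: the SYN row shows the established rule matching a bare SYN only under the 1.131.2.13 check, while the setup rule behaves the same under both checks because it names explicit flags and therefore always reached tcpflg_match().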
State-Changed-From-To: open->closed 
State-Changed-By: rwatson 
State-Changed-When: Tue Feb 6 23:57:54 PST 2001 
State-Changed-Why:  

The problem is believed to be resolved as of ip_fw.c:1.131.2.14, and 
the originators of the PR have confirmed that it resolves the problems 
they have been experiencing.  An updated security advisory is due to 
be released shortly. 



http://www.freebsd.org/cgi/query-pr.cgi?pr=24833 
>Unformatted:
