ipfw uid/gid to match listening TCP sockets?
- From: Yar Tikhiy <yar@xxxxxxxxxxxxxxxx>
- Date: Mon, 7 Apr 2008 12:14:00 +0400
Hi there,
Our ipfw currently doesn't seem to match this host's traffic by
uid/gid if the traffic goes to a listening TCP socket. E.g., if
one tries to allow passive data connections to a local anonymous
FTP server as follows, it won't work:
    ipfw add 10000 allow tcp from any to me dst-port 49152-65535 uid ftp in keep-state
This behaviour is obvious from ip_fw2.c:
    if (proto == IPPROTO_TCP) {
        wildcard = 0;
        pi = &tcbinfo;
    } else if (proto == IPPROTO_UDP) {
        wildcard = INPLOOKUP_WILDCARD;
        pi = &udbinfo;
    } else
        return 0;
I.e., it is OK for UDP to match PCBs (essentially sockets) with a
wildcard foreign (remote) address, but not for TCP.
I wonder if there will be any security or whatever issues if the
wildcard flag is set for TCP, too. The only peculiarity I can see
now is that listening sockets shouldn't generate outbound traffic;
as soon as a 3-way handshake starts, a separate PCB is created. Thus
a listening socket can match inbound packets only.
Are there any other points I missed? Thanks!
--
Yar
_______________________________________________
freebsd-net@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@xxxxxxxxxxx"
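The lookup difference behind the snippet above, as an added C model that is not FreeBSD's in_pcb code: pcb_lookup, inbound_socket_uid, the sample PCB table, the 10.0.0.1 / 203.0.113.x addresses and the ftp uid of 14 are all constructed here. Without INPLOOKUP_WILDCARD a fresh inbound SYN finds no PCB, so a "uid ftp" rule cannot match it; with the flag the listening socket is found, while an established connection is found either way.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the in_pcb lookup behind ipfw's uid/gid option;
 * addresses are plain uint32_t values (constructed), not struct in_addr. */
#define ANY_ADDR 0u
#define INPLOOKUP_WILDCARD 1

struct pcb {
    uint32_t laddr; uint16_t lport;  /* local address/port */
    uint32_t faddr; uint16_t fport;  /* foreign side; ANY/0 for a listening socket */
    int uid;                         /* socket owner, what a "uid" rule compares */
};

/* Exact four-tuple match first; fall back to a listening (foreign ANY/0) entry
 * only when INPLOOKUP_WILDCARD is set, which is what the udbinfo lookup gets. */
static const struct pcb *pcb_lookup(const struct pcb *t, size_t n, uint32_t faddr,
                                    uint16_t fport, uint32_t laddr, uint16_t lport, int flags)
{
    for (size_t i = 0; i < n; i++)
        if (t[i].faddr == faddr && t[i].fport == fport &&
            t[i].laddr == laddr && t[i].lport == lport)
            return &t[i];
    if (!(flags & INPLOOKUP_WILDCARD))
        return NULL;
    for (size_t i = 0; i < n; i++)
        if (t[i].faddr == ANY_ADDR && t[i].fport == 0 && t[i].lport == lport &&
            (t[i].laddr == laddr || t[i].laddr == ANY_ADDR))
            return &t[i];
    return NULL;
}

/* Inbound packet: src is the foreign side, dst the local side. Returns the uid of
 * the socket it would reach, or -1 when no PCB is found (a uid rule cannot match). */
int inbound_socket_uid(const struct pcb *t, size_t n, uint32_t src, uint16_t sport,
                       uint32_t dst, uint16_t dport, int flags)
{
    const struct pcb *p = pcb_lookup(t, n, src, sport, dst, dport, flags);
    return p ? p->uid : -1;
}

/* Constructed table: "me" is 10.0.0.1, ftp's uid is assumed to be 14. */
#define ME   0x0A000001u
#define PEER 0xCB007105u  /* 203.0.113.5, a client that already completed the handshake */
static const struct pcb sample[] = {
    { ME, 50000, ANY_ADDR, 0, 14 },   /* passive-mode listener owned by ftp */
    { ME, 50000, PEER, 40000, 14 },   /* separate PCB created by the 3-way handshake */
};
#define NSAMPLE (sizeof sample / sizeof sample[0])
/* A fresh SYN from a new client (203.0.113.9): matched only with the wildcard fallback. */
int new_syn_uid(int flags) { return inbound_socket_uid(sample, NSAMPLE, 0xCB007109u, 41000, ME, 50000, flags); }
/* A segment on the established connection: matched regardless of the flag. */
int established_uid(int flags) { return inbound_socket_uid(sample, NSAMPLE, PEER, 40000, ME, 50000, flags); }
```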