Re: ipfw uid/gid to match listening TCP sockets?


On Mon, 7 Apr 2008, Yar Tikhiy wrote:

Our ipfw currently doesn't seem to match this host's traffic by uid/gid if the traffic goes to a listening TCP socket. E.g., if one tries to allow passive data connections to a local anonymous FTP server as follows, it won't work:

ipfw add 10000 allow tcp from any to me dst-port 49152-65535 uid ftp in keep-state

This behaviour is obvious from ip_fw2.c:

2009 if (proto == IPPROTO_TCP) {
2010 wildcard = 0;
2011 pi = &tcbinfo;
2012 } else if (proto == IPPROTO_UDP) {
2013 wildcard = INPLOOKUP_WILDCARD;
2014 pi = &udbinfo;
2015 } else
2016 return 0;

I.e., it is OK for UDP to match PCBs (essentially sockets) with a wildcard foreign (remote) address, but not for TCP.

I wonder if there will be any security or whatever issues if the wildcard flag is set for TCP, too. The only peculiarity I can see now is that listening sockets shouldn't generate outbound traffic; as soon a 3-way handshake starts, a separate PCB is created. Thus a listening socket can match inbound packets only.

Are there any other points I missed? Thanks!

None of this code really makes very much sense anyway, and is vulnerable to a number of races and semantic inconsistencies, not to mention application behavior that confuses it (such as sshd's opening forwarded sockets using a privileged credential). I'm not sure I agree with your analysis that listen sockets don't generate packets, btw: the syncache generates packets that are not yet from a specific socket, so arguably they are from the listen socket. All that said, I don't see any reason not to match listen sockets in the pcb lookup here.

Be aware that uid/gid/jail rules may become less maintainable as our TCP locking becomes more mature. We already jump through some uncomfortable hoops to keep it working, but I'm not sure how long that can go on.

Robert N M Watson
Computer Laboratory
University of Cambridge
_______________________________________________
freebsd-net@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@xxxxxxxxxxx"

Relevant Pages

  • Re: Http server implementation for Windows Media Server
    ... On that level that already extra raw data even not ... similar problem applies to me as would happen with raw sockets. ... I'm assuming you are using a raw TCP ... the packets aren't ACKed because ...
    (microsoft.public.win32.programmer.networks)
  • Re: ipfw uid/gid to match listening TCP sockets?
    ... the traffic goes to a listening TCP socket. ... it is OK for UDP to match PCBs (essentially sockets) with a wildcard ... match inbound packets only. ...
    (freebsd-net)
  • Semantics of SO_REUSEADDR and P2P TCP NAT traversal
    ... I'm working on implementing a TCP NAT traversal scheme for a P2P ... port they are listening on, ... but this is transient - only one of the two sockets at each end ...
    (Linux-Kernel)
  • Re: Reliability of Java, sockets and TCP transmissions
    ... using Socket, ServerSocket and TCP. ... this connection/protocol combination is in terms of transmission errors. ... So just how reliable are TCP and Java sockets over the actual internet? ...
    (comp.lang.java.programmer)
  • RE: UDP over Bluetooth
    ... So maybe sockets accessing Bluetooth ... top of TCP? ... TCP, UDP is simpler, faster and cheaper than TCP. ...
    (microsoft.public.win32.programmer.networks)