ipfw uid/gid to match listening TCP sockets?
Yar Tikhiy
yar at comp.chem.msu.su
Mon Apr 7 08:42:09 UTC 2008
Hi there,
Our ipfw currently doesn't seem to match this host's traffic by
uid/gid if the traffic goes to a listening TCP socket. E.g., if
one tries to allow passive data connections to a local anonymous
FTP server as follows, it won't work:
ipfw add 10000 allow tcp from any to me dst-port 49152-65535 uid ftp in keep-state
This behaviour is obvious from ip_fw2.c:
    if (proto == IPPROTO_TCP) {
        wildcard = 0;
        pi = &tcbinfo;
    } else if (proto == IPPROTO_UDP) {
        wildcard = INPLOOKUP_WILDCARD;
        pi = &udbinfo;
    } else
        return 0;
I.e., it is OK for UDP to match PCBs (essentially sockets) with a
wildcard foreign (remote) address, but not for TCP.
I wonder if there will be any security or whatever issues if the
wildcard flag is set for TCP, too. The only peculiarity I can see
now is that listening sockets shouldn't generate outbound traffic;
as soon as a 3-way handshake starts, a separate PCB is created. Thus
a listening socket can match inbound packets only.
Are there any other points I missed? Thanks!
--
Yar
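Added illustration (not part of the post above, and not FreeBSD kernel code): a user-space model of the PCB lookup the post describes, to show why an ipfw "uid" rule cannot match an inbound SYN to a listening TCP socket unless the wildcard flag is passed. The PCB table, the uid values, the SIM_-prefixed names and the IP() macro are all constructed for this example; the real in_pcblookup_hash() in the FreeBSD kernel has a different signature and hashing, but the same two-pass exact-then-wildcard behaviour that the model reproduces.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-ins for the kernel's INPLOOKUP_WILDCARD flag and INADDR_ANY. */
#define SIM_INPLOOKUP_WILDCARD 0x1
#define SIM_INADDR_ANY 0u

/* Host-order IPv4 address from dotted components (example helper). */
#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                        ((uint32_t)(c) << 8) | (uint32_t)(d))

struct sim_pcb {
    uint32_t laddr, faddr;   /* local / foreign IPv4 address, host order */
    uint16_t lport, fport;   /* local / foreign port, host order */
    int uid;                 /* owner of the socket behind this PCB */
    const char *name;
};

/* Constructed PCB table: a listening ftpd passive-data socket (foreign side
 * unset), one established ftpd control connection, and a listening sshd.
 * uid 14 stands in for "ftp"; uid 0 is root. */
static const struct sim_pcb pcbtab[] = {
    { SIM_INADDR_ANY, 0,             50000, 0,     14, "ftpd listening (passive data)" },
    { IP(10,0,0,1),   IP(192,0,2,5), 21,    40000, 14, "ftpd control connection" },
    { SIM_INADDR_ANY, 0,             22,    0,     0,  "sshd listening" },
};
#define NPCB (sizeof(pcbtab) / sizeof(pcbtab[0]))

/* Model of the kernel lookup: first an exact 4-tuple match (connected PCBs
 * only); then, only if the WILDCARD flag is set, a listening PCB with no
 * foreign side, bound to the local port on the local address or INADDR_ANY. */
static const struct sim_pcb *
sim_pcblookup(uint32_t faddr, uint16_t fport, uint32_t laddr, uint16_t lport,
              int flags)
{
    size_t i;

    for (i = 0; i < NPCB; i++) {
        const struct sim_pcb *p = &pcbtab[i];
        if (p->fport == fport && p->faddr == faddr &&
            p->lport == lport && p->laddr == laddr)
            return p;
    }
    if (!(flags & SIM_INPLOOKUP_WILDCARD))
        return NULL;
    for (i = 0; i < NPCB; i++) {
        const struct sim_pcb *p = &pcbtab[i];
        if (p->fport == 0 && p->lport == lport &&
            (p->laddr == laddr || p->laddr == SIM_INADDR_ANY))
            return p;
    }
    return NULL;
}

/* Model of ipfw's "uid" opcode for an inbound packet: the packet's source is
 * the PCB's foreign side and its destination the local side. Returns 1 when a
 * PCB is found and its owner is want_uid, 0 otherwise. The `wildcard`
 * argument plays the role of the per-protocol flag chosen in ip_fw2.c. */
static int
sim_ipfw_uid_match(uint32_t src, uint16_t sport, uint32_t dst, uint16_t dport,
                   int wildcard, int want_uid)
{
    const struct sim_pcb *p = sim_pcblookup(src, sport, dst, dport, wildcard);
    return p != NULL && p->uid == want_uid;
}

int
main(void)
{
    /* Inbound SYN for a passive FTP data connection (constructed packet). */
    uint32_t src = IP(192,0,2,5), dst = IP(10,0,0,1);

    printf("TCP, wildcard=0 (current):  uid ftp matches = %d\n",
           sim_ipfw_uid_match(src, 40000, dst, 50000, 0, 14));
    printf("TCP, wildcard=WILDCARD:     uid ftp matches = %d\n",
           sim_ipfw_uid_match(src, 40000, dst, 50000, SIM_INPLOOKUP_WILDCARD, 14));
    printf("Established control conn:   uid ftp matches = %d\n",
           sim_ipfw_uid_match(src, 40000, dst, 21, 0, 14));
    return 0;
}
```

With wildcard = 0, as ip_fw2.c sets it for TCP, the SYN to port 50000 finds no PCB and the rule falls through; with the wildcard flag the listening ftpd socket is found and the uid check succeeds. The established control connection matches either way, since it has its own fully specified PCB, which is the distinction the post draws between listening and connected sockets.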