Bug 15010

Summary: [patch] rc.firewall: "client" firewall configuration kills incoming broadcast
Product: Base System
Reporter: trost <trost>
Component: conf
Assignee: Giorgos Keramidas <keramida>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: 3.3-STABLE
Hardware: Any
OS: Any
Attachments:
file.diff (Flags: none)

Description trost 1999-11-21 01:10:01 UTC
	As provided, the "client" firewall type does not permit the
	host to receive broadcast packets from its local network.

Fix: (Just a suggestion).
	
How-To-Repeat: 
	Set the flags.  Install something that needs to receive broadcast
	(e.g., Samba's nmdb).  Watch nothing happen.
Comment 1 Johan Karlsson 2002-11-24 15:24:42 UTC
State Changed
From-To: open->feedback

Is this still a problem in more recent releases,
say for example 4.7?

Please followup by sending a mail to
freebsd-gnats-submit@FreeBSD.org
with the subject of this mail intact.
Comment 2 Bill Trost 2002-11-24 19:49:08 UTC
I'm running 4.6.2, but I'm running a hand-crafted firewall
configuration.  Reading /etc/rc.firewall, I would expect the problem to
still be there, but it probably needs to actually get tested...

Sorry I don't have better information.

Bill
Comment 3 dwmalone 2003-01-04 09:38:41 UTC
> That was sort of my reaction, too, upon re-reading the bug report.
> It seems to me that both directions are necessary.  The nmbd needs
> to receive broadcasts from other SMB servers, as well as be able to
> transmit its own broadcasts to them.

As far as I know, the source address of a packet should never be
set to the broadcast address. The patch seems to be testing for
the source address being a broadcast, which should not happen
in normal operation.

> In short, both the bug description and the fix are incomplete.

Was the patch you submitted one that you were actually using, or
one you extracted from our own custom rules? It doesn't make a lot
of sense to me in the form it is in, but if it got confused when
transcribed from other rules that would explain it.

	David.
Comment 4 Bill Trost 2003-01-10 05:06:36 UTC
David Malone writes:
    As far as I know, the source address of a packet should never be
    set to the broadcast address.

Based on that observation, why would you trust me to suggest
a good fix?  (-:
    
    Was the patch you submitted one that you were actually using, or
    one you extracted from our own custom rules?

The rule I'm currently using is

	ipfw add pass all from $internal_net to $internal_broadcast via de1

(de1 being the internal net interface).
Comment 5 Maxim Konovalov 2006-04-14 19:42:42 UTC
Hi Bill,

If you're still interested in the PR could you please update the patch
you want to see in FreeBSD.  The one in the PR is not correct as David
explains.  Thanks!

-- 
Maxim Konovalov
Comment 6 trost 2006-04-15 15:31:48 UTC
Maxim Konovalov writes:
    If you're still interested in the PR could you please update the patch
    you want to see in FreeBSD.  The one in the PR is not correct as
    David explains.  Thanks!

Wow, these bugs live forever....

Let's see, my suggestion included the line

  $fwcmd add pass all from 255.255.255.255 to $ip via $ip

on the theory that limited broadcast should be permitted. David correctly points
out that the broadcast address as the source is always wrong. Whoops.

OK, so what I think it really should say is

  $fwcmd add pass all from ${net}:$mask to 255.255.255.255 via $ip

Does that seem plausible?

Bill
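To show why the two rules discussed in this thread behave differently, here is an added example (not code from rc.firewall or from the PR's patch) that models ipfw's from/to/via matching for a handful of constructed packets; the internal network, host address and interface name are assumed, and "via $ip" is simplified to an interface-name check.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

LIMITED_BROADCAST = IPv4Address("255.255.255.255")


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    iface: str  # interface the packet arrives on


@dataclass(frozen=True)
class PassRule:
    """Toy model of 'pass all from <src_net> to <dst> via <iface>'."""
    src_net: IPv4Network
    dst: IPv4Address
    iface: str

    def matches(self, pkt: Packet) -> bool:
        return (pkt.src in self.src_net
                and pkt.dst == self.dst
                and pkt.iface == self.iface)


# Assumed client-mode values: internal net 192.168.1.0/24, host IP
# 192.168.1.10 on interface de1 ("via $ip" modelled as an interface check).
NET = IPv4Network("192.168.1.0/24")
HOST_IP = IPv4Address("192.168.1.10")
IFACE = "de1"

# The PR's first suggestion: the *source* is the broadcast address.
original_rule = PassRule(IPv4Network("255.255.255.255/32"), HOST_IP, IFACE)
# Comment 6's corrected rule: LAN source, limited-broadcast destination.
corrected_rule = PassRule(NET, LIMITED_BROADCAST, IFACE)


def lan_broadcast_passes(rule: PassRule) -> bool:
    """Constructed nmbd-style broadcast from a LAN peer: should be passed."""
    return rule.matches(Packet(IPv4Address("192.168.1.20"), LIMITED_BROADCAST, IFACE))


def outside_broadcast_passes(rule: PassRule) -> bool:
    """Constructed broadcast from outside the internal prefix: must not pass."""
    return rule.matches(Packet(IPv4Address("10.0.0.5"), LIMITED_BROADCAST, IFACE))


def broadcast_source_passes(rule: PassRule) -> bool:
    """Packet with src 255.255.255.255, which David notes never occurs legitimately."""
    return rule.matches(Packet(LIMITED_BROADCAST, HOST_IP, IFACE))
```

The original rule only ever matches packets whose source is the broadcast address, so real nmbd traffic is still dropped; the corrected rule passes LAN-sourced limited broadcasts while still rejecting broadcasts from outside the internal prefix.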
Comment 7 Giorgos Keramidas 2008-06-03 13:32:59 UTC
State Changed
From-To: feedback->analyzed

I'll handle this.  The fix seems pretty straightforward
but it doesn't require the *removal* of any rules.  We
can add the one rule to pass limited broadcast packets,
as shown at:

http://people.freebsd.org/~keramida/diff/rc-firewall.limited-bcast.patch

Comment 8 Giorgos Keramidas 2008-06-03 13:32:59 UTC
Responsible Changed
From-To: freebsd-bugs->keramida
Comment 9 dfilter service 2008-06-06 08:17:31 UTC
keramida    2008-06-06 07:17:04 UTC

  FreeBSD src repository

  Modified files:
    etc                  rc.firewall 
  Log:
  SVN rev 179598 on 2008-06-06 07:17:04Z by keramida
  
  Tweak rc.firewall to allow incoming limited broadcast traffic,
  when configured to run in 'client' mode.
  
  PR:             conf/15010
  Submitted by:   Bill Trost, trost at cloud.rain.com
  Reviewed by:    bz
  MFC after:      2 weeks
  
  Revision  Changes    Path
  1.55      +3 -0      src/etc/rc.firewall
Comment 10 Giorgos Keramidas 2008-06-06 08:31:33 UTC
State Changed
From-To: analyzed->patched

Committed a fix for this to HEAD.  I'll have to see if
we need to also patch rc.firewall6 and then we can MFC
to STABLE branches.

Thanks!
Comment 11 Eitan Adler 2013-03-15 23:41:34 UTC
State Changed
From-To: patched->closed

MFCed/fixed by now or it will never be MFCed