| Summary: | 'ipfw add' does not check the protocol name | ||
|---|---|---|---|
| Product: | Base System | Reporter: | Bernd Luevelsmeyer <bdluevel> |
| Component: | bin | Assignee: | freebsd-bugs (Nobody) <bugs> |
| Status: | Closed FIXED | ||
| Severity: | Affects Only Me | ||
| Priority: | Normal | ||
| Version: | 4.1.1-STABLE | ||
| Hardware: | Any | ||
| OS: | Any | ||
State Changed From-To: open->closed Fixed in src/sbin/ipfw/ipfw.c, revisions 1.93 (5.0-CURRENT) and 1.80.2.5 (4.1.1-STABLE).
If you add an IPFW rule to pass TCP traffic to port 'echo', then port 4 will be allowed instead of port 7; apparently because there's an 'echo' with port 4 in /etc/services. That's only protocol 'ddp' though, hence I assume 'ipfw add' does not check the protocol when looking up port names.

Fix: Workaround: use port numbers only when specifying firewall rules, not port names.

How-To-Repeat:

```
#ipfw list
00100 allow ip from any to any
65535 deny ip from any to any
#ipfw add pass tcp from any to any echo
00000 allow tcp from any to any 4
#ipfw list
00100 allow ip from any to any
00200 allow tcp from any to any 4
65535 deny ip from any to any
#grep echo /etc/services
echo 4/ddp #AppleTalk Echo Protocol
echo 7/tcp
echo 7/udp
at-echo 204/tcp #AppleTalk Echo
at-echo 204/udp #AppleTalk Echo
```
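The lookup mistake behind this report, shown as an added example (not code from the PR or from the FreeBSD ipfw sources, whose actual fix is not quoted here): a name-only lookup over the /etc/services lines above returns the first 'echo' entry (4/ddp), whereas a lookup keyed on both name and protocol returns 7 for tcp. The `resolve_port` helper and the `SERVICES` sample are constructed for illustration.

```python
# Added example: why a service-name lookup must be keyed on (name, protocol).
# SERVICES is constructed from the /etc/services lines quoted in the report.
SERVICES = """\
echo 4/ddp #AppleTalk Echo Protocol
echo 7/tcp
echo 7/udp
at-echo 204/tcp #AppleTalk Echo
at-echo 204/udp #AppleTalk Echo
"""

def parse_services(text):
    """Yield (name, port, proto) for every non-comment /etc/services entry,
    including aliases listed after the port/proto field."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        port, proto = fields[1].split("/", 1)
        for name in [fields[0], *fields[2:]]:   # aliases share port/proto
            yield name, int(port), proto

def lookup_first_match(name, text=SERVICES):
    """The reported behaviour: first entry whose name matches, protocol ignored."""
    for n, port, _proto in parse_services(text):
        if n == name:
            return port
    return None

def lookup_by_proto(name, proto, text=SERVICES):
    """Correct behaviour: match on both the service name and the protocol."""
    for n, port, p in parse_services(text):
        if n == name and p == proto:
            return port
    return None

def resolve_port(token, proto, text=SERVICES):
    """Resolve an ipfw-style port token (hypothetical helper): a numeric
    token is used as-is, a name is looked up for the rule's protocol, and an
    unknown name raises instead of silently picking another protocol's port."""
    if token.isdigit():
        return int(token)
    port = lookup_by_proto(token, proto, text)
    if port is None:
        raise ValueError(f"unknown service {token!r} for protocol {proto}")
    return port
```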