Bug 49959

Summary: ipfw tee port rule skips parsing next rules
Product: Base System
Reporter: Mikhalych <root>
Component: bin
Assignee: Andre Oppermann <andre>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: 4.7-RELEASE   
Hardware: Any   
OS: Any   

Description Mikhalych 2003-03-12 14:00:17 UTC
For traffic accounting I can copy all packets arriving on my network interface xl0 with the `ipfw tee` option to some port, for example 8888; after this rule all these packets must pass through the next ipfw rules (like the `ipfw count` option).

Problem: the `ipfw tee port` option breaks this order; packets are marked as accepted by the rule (like the `ipfw allow` option).

Example:

00001 143 22387 tee 8888 ip from any to any in recv xl0
00002 120 30373 tee 8888 ip from any to any out xmit xl0
00100   0     0 allow tcp from 212.107.192.0/19 to 212.107.200.82 22
00110   0     0 allow tcp from 212.107.200.82 22 to 212.107.192.0/19
00200   0     0 reset tcp from any to 212.107.200.82 22
00300   0     0 reset tcp from any to 212.107.200.80/28 113
00500   0     0 reset tcp from any to 212.107.200.82 3306
00501   0     0 reset tcp from any to 212.107.200.83 3306
65535 258 35124 allow ip from any to any

Telnet to the denied ports 22, 113 and 3306 is accepted!
Using ipfw tee is insecure :(

Fix: 

Add reset/deny rules BEFORE the tee rule, but these dropped packets will then be lost for accounting/copying by tee.
How-To-Repeat: You can try adding a `tee port` rule before any of your rules.
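The following is an added example, not part of the PR and not ipfw code: a small Python model of ipfw's first-match rule walk, loaded with the ruleset listed above (interface direction is not modelled). It shows why a `tee` that ends the search like `allow` lets the later `reset` rules be skipped, what the intended count-like behaviour would give, and what the reorder workaround costs. The packets, the rule numbers in the reordered set and the function names are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                     # allow | reset | tee | count
    proto: str = "ip"               # "ip" matches every protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    sport: Optional[int] = None     # None means any port
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """Match on protocol, source/destination prefix and optional ports."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, tee_terminates: bool) -> Tuple[str, int]:
    """Walk the rules in number order; return (verdict, tee copies made).

    tee_terminates=True models the 4.7 behaviour the PR describes: the first
    matching tee copies the packet and ends the search as if it were "allow".
    tee_terminates=False models the intended count-like behaviour: copy the
    packet, then keep walking to the next rule.
    """
    copies = 0
    for rule in sorted(rules, key=lambda r: r.number):
        if not matches(rule, pkt):
            continue
        if rule.action == "count":
            continue
        if rule.action == "tee":
            copies += 1
            if tee_terminates:
                return "allow", copies
            continue
        return rule.action, copies
    return "deny", copies   # ipfw default when nothing matches; unreachable with rule 65535


# Ruleset from the PR (rules 1 and 2 collapsed into one direction-less tee).
RULESET_FROM_PR = [
    Rule(1, "tee"),
    Rule(100, "allow", "tcp", "212.107.192.0/19", "212.107.200.82/32", dport=22),
    Rule(110, "allow", "tcp", "212.107.200.82/32", "212.107.192.0/19", sport=22),
    Rule(200, "reset", "tcp", dst="212.107.200.82/32", dport=22),
    Rule(300, "reset", "tcp", dst="212.107.200.80/28", dport=113),
    Rule(500, "reset", "tcp", dst="212.107.200.82/32", dport=3306),
    Rule(501, "reset", "tcp", dst="212.107.200.83/32", dport=3306),
    Rule(65535, "allow"),
]

# Workaround from the PR: the reset rules (and the allow exceptions that must
# win over them) go in front of the tee.  Rule numbers here are constructed.
RULESET_WORKAROUND = [
    Rule(10, "allow", "tcp", "212.107.192.0/19", "212.107.200.82/32", dport=22),
    Rule(11, "allow", "tcp", "212.107.200.82/32", "212.107.192.0/19", sport=22),
    Rule(20, "reset", "tcp", dst="212.107.200.82/32", dport=22),
    Rule(30, "reset", "tcp", dst="212.107.200.80/28", dport=113),
    Rule(50, "reset", "tcp", dst="212.107.200.82/32", dport=3306),
    Rule(51, "reset", "tcp", dst="212.107.200.83/32", dport=3306),
    Rule(100, "tee"),
    Rule(65535, "allow"),
]

# Constructed sample packets.
SSH_FROM_OUTSIDE = Packet("tcp", "198.51.100.7", "212.107.200.82", 40000, 22)
SSH_FROM_TRUSTED = Packet("tcp", "212.107.193.5", "212.107.200.82", 40001, 22)
HTTP_TO_HOST = Packet("tcp", "198.51.100.7", "212.107.200.82", 40002, 80)

if __name__ == "__main__":
    for name, pkt in [("ssh/outside", SSH_FROM_OUTSIDE),
                      ("ssh/trusted", SSH_FROM_TRUSTED),
                      ("http", HTTP_TO_HOST)]:
        print(name,
              "4.7 tee:", evaluate(RULESET_FROM_PR, pkt, tee_terminates=True),
              "count-like tee:", evaluate(RULESET_FROM_PR, pkt, tee_terminates=False),
              "workaround:", evaluate(RULESET_WORKAROUND, pkt, tee_terminates=True))
```

With the terminating tee, the SSH packet from outside is copied and then accepted, never reaching rule 200; with count-like semantics the same packet is copied and then reset. In the reordered set the reset fires first, so the copy count is zero: the packet is dropped but, as the PR notes, never reaches the tee socket. The same holds for packets matched by the allow exceptions placed ahead of the tee, so the workaround also hides accepted SSH traffic from the trusted subnet from the accounting port.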
Comment 1 Johan Karlsson freebsd_committer freebsd_triage 2003-05-06 21:42:48 UTC
Responsible Changed
From-To: freebsd-bugs->ipfw

Over to maintainer group.
Comment 2 Andre Oppermann freebsd_committer freebsd_triage 2004-08-24 20:02:55 UTC
Responsible Changed
From-To: ipfw->andre

Take over.
Comment 3 Andre Oppermann freebsd_committer freebsd_triage 2004-08-27 20:47:29 UTC
State Changed
From-To: open->suspended

See kern/64240 for a solution for FreeBSD -current and 5.3-BETA1. 

FreeBSD 4.x will not be fixed due to complexity.  -current and 5.3 
have a rewritten ipfw attachment which makes fixing this relatively 
easy.
Comment 4 Andre Oppermann freebsd_committer freebsd_triage 2004-08-27 20:49:36 UTC
State Changed
From-To: suspended->closed

Close PR.  Mail to Originator bounces with invalid mailbox.