Index: HISTORY =================================================================== RCS file: /devel/CVS/IP-Filter/HISTORY,v retrieving revision 2.0.2.47.2.9 retrieving revision 2.0.2.47.2.10 diff -c -r2.0.2.47.2.9 -r2.0.2.47.2.10 *** 2.0.2.47.2.9 1998/05/08 15:14:29 --- 2.0.2.47.2.10 1998/05/18 12:29:43 *************** *** 12,17 **** --- 12,23 ---- # and especially those who have found the time to port IP Filter to new # platforms. + 3.2.6 18/05/98 - Released + + fix potential security loop hole in keep state code. + + update examples. + 3.2.5 09/05/98 - Released BSD/OS 3.1 .o files added for the kernel. Index: Makefile =================================================================== RCS file: /devel/CVS/IP-Filter/Makefile,v retrieving revision 2.0.2.26.2.7 retrieving revision 2.0.2.26.2.8 diff -c -r2.0.2.26.2.7 -r2.0.2.26.2.8 *** 2.0.2.26.2.7 1998/04/08 14:09:39 --- 2.0.2.26.2.8 1998/05/18 11:14:08 *************** *** 5,11 **** # provided that this notice is preserved and due credit is given # to the original author and the contributors. # ! # $Id: Makefile,v 2.0.2.26.2.7 1998/04/08 14:09:39 darrenr Exp $ # BINDEST=/usr/local/bin SBINDEST=/sbin --- 5,11 ---- # provided that this notice is preserved and due credit is given # to the original author and the contributors. # ! # $Id: Makefile,v 2.0.2.26.2.8 1998/05/18 11:14:08 darrenr Exp $ # BINDEST=/usr/local/bin SBINDEST=/sbin *************** *** 88,94 **** --- 88,98 ---- make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)" -rm -f BSD/$(CPUDIR)/ioconf.h @if [ -n $(IPFILKERN) ] ; then \ + if [ -f /sys/$(IPFILKERN)/compile/ioconf.h ] ; then \ + ln -s /sys/$(IPFILKERN)/compile/ioconf.h BSD/$(CPUDIR); \ + else \ ln -s /sys/$(IPFILKERN)/ioconf.h BSD/$(CPUDIR); \ + fi \ elif [ ! 
-f `uname -v|sed -e 's@^.*:\(/[^: ]*\).*@\1@'`/ioconf.h ] ; then \ echo -n "Can't find ioconf.h in "; \ echo `uname -v|sed -e 's@^.*:\(/[^: ]*\).*@\1@'`; \ Index: ip_proxy.c =================================================================== RCS file: /devel/CVS/IP-Filter/ip_proxy.c,v retrieving revision 2.0.2.11.2.6 retrieving revision 2.0.2.11.2.7 diff -c -r2.0.2.11.2.6 -r2.0.2.11.2.7 *** 2.0.2.11.2.6 1997/11/28 00:41:25 --- 2.0.2.11.2.7 1998/05/18 11:15:22 *************** *** 6,12 **** * to the original author and the contributors. */ #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.0.2.11.2.6 1997/11/28 00:41:25 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) --- 6,12 ---- * to the original author and the contributors. */ #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.0.2.11.2.7 1998/05/18 11:15:22 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) *************** *** 111,125 **** } static ap_session_t *ap_find(ip, tcp) ip_t *ip; tcphdr_t *tcp; { - struct in_addr src, dst; - register u_long hv; - register u_short sp, dp; - register ap_session_t *aps; register u_char p = ip->ip_p; src = ip->ip_src, dst = ip->ip_dst; sp = dp = 0; /* XXX gcc -Wunitialized */ --- 111,147 ---- } + static int + ap_matchsrcdst(aps, src, dst, tcp, sport, dport) + ap_session_t *aps; + struct in_addr src, dst; + void *tcp; + u_short sport, dport; + { + if (aps->aps_dst.s_addr == dst.s_addr) { + if ((aps->aps_src.s_addr == src.s_addr) && + (!tcp || (sport == aps->aps_sport) && + (dport == aps->aps_dport))) + return 1; + } else if (aps->aps_dst.s_addr == src.s_addr) { + if ((aps->aps_src.s_addr == dst.s_addr) && + (!tcp || (sport == aps->aps_dport) && + (dport == aps->aps_sport))) + return 1; + } + return 0; + } + + static ap_session_t *ap_find(ip, tcp) ip_t *ip; tcphdr_t *tcp; { register u_char p = ip->ip_p; + register ap_session_t *aps; + register u_short sp, 
dp; + register u_long hv; + struct in_addr src, dst; src = ip->ip_src, dst = ip->ip_dst; sp = dp = 0; /* XXX gcc -Wunitialized */ *************** *** 136,149 **** for (aps = ap_sess_tab[hv]; aps; aps = aps->aps_next) if ((aps->aps_p == p) && ! IPPAIR(aps->aps_src, aps->aps_dst, src, dst)) { ! if (tcp) { ! if (PAIRS(aps->aps_sport, aps->aps_dport, ! sp, dp)) ! break; ! } else ! break; ! } return aps; } --- 158,165 ---- for (aps = ap_sess_tab[hv]; aps; aps = aps->aps_next) if ((aps->aps_p == p) && ! ap_matchsrcdst(aps, src, dst, tcp, sp, dp)) ! break; return aps; } Index: ip_state.c =================================================================== RCS file: /devel/CVS/IP-Filter/ip_state.c,v retrieving revision 2.0.2.24.2.6 retrieving revision 2.0.2.24.2.9 diff -c -r2.0.2.24.2.6 -r2.0.2.24.2.9 *** 2.0.2.24.2.6 1998/04/25 15:49:18 --- 2.0.2.24.2.9 1998/05/18 12:29:45 *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.0.2.24.2.6 1998/04/25 15:49:18 darrenr Exp $"; #endif #if !defined(_KERNEL) && !defined(KERNEL) && !defined(__KERNEL__) --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.0.2.24.2.9 1998/05/18 12:29:45 darrenr Exp $"; #endif #if !defined(_KERNEL) && !defined(KERNEL) && !defined(__KERNEL__) *************** *** 237,243 **** switch (ic->icmp_type) { case ICMP_ECHO : ! is->is_icmp.ics_type = 0; hv += (is->is_icmp.ics_id = ic->icmp_id); hv += (is->is_icmp.ics_seq = ic->icmp_seq); break; --- 237,243 ---- switch (ic->icmp_type) { case ICMP_ECHO : ! 
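Review bot: In ap_matchsrcdst() (ip_proxy.c) both port tests are written as `!tcp || (sport == ...) && (dport == ...)`, which relies on `&&` binding tighter than `||` and draws gcc's -Wparentheses warning. Wrapping the conjunction, `(!tcp || ((sport == aps->aps_sport) && (dport == aps->aps_dport)))`, makes the intent explicit. The helper also has no header comment; it should say that it returns 1 only when addresses and ports match in the same orientation (both forward or both reversed), and that ports are ignored when `tcp` is NULL. That second point deserves a sentence because `tcp` is declared `void *` and is used purely as a flag. ap_find() continues outside this hunk.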
is->is_icmp.ics_type = ICMP_ECHOREPLY; /* XXX */ hv += (is->is_icmp.ics_id = ic->icmp_id); hv += (is->is_icmp.ics_seq = ic->icmp_seq); break; *************** *** 306,311 **** --- 306,313 ---- is->is_pass = pass; is->is_pkts = 1; is->is_bytes = ip->ip_len; + is->is_ifp1 = fin->fin_ifp; + is->is_ifp2 = NULL; if (pass & FR_LOGFIRST) is->is_pass &= ~(FR_LOGFIRST|FR_LOG); ips_num++; *************** *** 409,414 **** --- 411,449 ---- } + static int + fr_matchsrcdst(is, src, dst, ifp, tcp, sp, dp) + ipstate_t *is; + struct in_addr src, dst; + void *ifp, *tcp; + u_short sp, dp; + { + int ret = 0, rev; + + rev = (is->is_dst.s_addr != dst.s_addr); + + if (!rev) { + if ((is->is_ifp1 == ifp) && + (is->is_dst.s_addr == dst.s_addr) && + (is->is_src.s_addr == src.s_addr) && + (!tcp || (sp == is->is_sport) && (dp == is->is_dport))) { + ret = 1; + } + } else { + if (((is->is_ifp2 == ifp) || !is->is_ifp2) && + (is->is_dst.s_addr == src.s_addr) && + (is->is_src.s_addr == dst.s_addr) && + (!tcp || (sp == is->is_dport) && + (dp == is->is_sport))) { + if (!is->is_ifp2) + is->is_ifp2 = ifp; + ret = 1; + } + } + return ret; + } + + /* * Check if a packet has a registered state. */ *************** *** 421,427 **** register u_char pr; struct icmp *ic; tcphdr_t *tcp; ! u_int hv, hlen, pass; if ((ip->ip_off & 0x1fff) || (fin->fin_fi.fi_fl & FI_SHORT)) return 0; --- 456,462 ---- register u_char pr; struct icmp *ic; tcphdr_t *tcp; ! u_int hv, hlen, pass, fwd; if ((ip->ip_off & 0x1fff) || (fin->fin_fi.fi_fl & FI_SHORT)) return 0; *************** *** 447,460 **** if ((is->is_p == pr) && (ic->icmp_id == is->is_icmp.ics_id) && (ic->icmp_seq == is->is_icmp.ics_seq) && ! IPPAIR(src, dst, is->is_src, is->is_dst)) { ! /* ! * If we have type 0 stored, allow any icmp ! * replies through. ! */ ! if (is->is_icmp.ics_type && ! 
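Review bot: In the ICMP_ECHO case of ip_state.c the new `/* XXX */` marker does not say what is unresolved, and the stored value now matters more than it did. The lookup hunk at old line 447 drops the "type 0 allows any reply" rule and skips the entry unless `is->is_icmp.ics_type` equals `ic->icmp_type`, so this assignment defines the only ICMP type the state will accept. A comment such as `/* only an echo reply may match this state */` would record that. The other case labels of this switch are outside the hunk, so it cannot be checked from here whether they store a type consistent with the stricter comparison.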
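Review bot: fr_matchsrcdst() writes `is->is_ifp2 = ifp` from inside what is otherwise a match predicate, so the return interface is latched as soon as a reverse-direction packet matches addresses and ports; in the TCP lookup that is before fr_tcpstate() has accepted the packet. A packet that fr_tcpstate() then rejects would still leave is_ifp2 set, and traffic on the genuine return interface would stop matching that entry. Keeping the matcher read-only (test `(is->is_ifp2 == ifp) || !is->is_ifp2` without the assignment) and setting is_ifp2 in the caller once the packet is accepted avoids this. The `!rev` branch also re-tests `is->is_dst.s_addr == dst.s_addr`, which `rev` has already established, and the `||`/`&&` mix in both port tests would read better with explicit parentheses.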
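Review bot: `fwd` is added to the declaration `u_int hv, hlen, pass, fwd;`, but no hunk shown for ip_state.c assigns it, while the three lookup hunks (old lines 447, 473 and 508) each test `if (!fwd)`. Unless an assignment exists outside the visible changes, the variable is read uninitialised. When it happens to be zero for a forward packet, the block either sets is_ifp2 to the interface the state was created on or skips a valid entry. Either compute it per entry before the test, e.g. `fwd = (is->is_dst.s_addr == dst.s_addr);`, or remove the three blocks, since fr_matchsrcdst() already applies the same is_ifp2 rule to reverse packets. The enclosing function starts and ends outside this hunk.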
is->is_icmp.ics_type != ic->icmp_type) continue; is->is_age = fr_icmptimeout; is->is_pkts++; is->is_bytes += ip->ip_len; --- 482,497 ---- if ((is->is_p == pr) && (ic->icmp_id == is->is_icmp.ics_id) && (ic->icmp_seq == is->is_icmp.ics_seq) && ! fr_matchsrcdst(is, src, dst, fin->fin_ifp, ! NULL, 0, 0)) { ! if (is->is_icmp.ics_type != ic->icmp_type) continue; + if (!fwd) { + if (!is->is_ifp2) + is->is_ifp2 = fin->fin_ifp; + else if (is->is_ifp2 != fin->fin_ifp) + continue; + } is->is_age = fr_icmptimeout; is->is_pkts++; is->is_bytes += ip->ip_len; *************** *** 473,482 **** hv += sport; hv %= IPSTATE_SIZE; MUTEX_ENTER(&ipf_state); ! for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_next) { if ((is->is_p == pr) && ! PAIRS(sport, dport, is->is_sport, is->is_dport) && ! IPPAIR(src, dst, is->is_src, is->is_dst)) if (fr_tcpstate(is, fin, ip, tcp, sport)) { pass = is->is_pass; #ifdef _KERNEL --- 510,525 ---- hv += sport; hv %= IPSTATE_SIZE; MUTEX_ENTER(&ipf_state); ! for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_next) if ((is->is_p == pr) && ! fr_matchsrcdst(is, src, dst, fin->fin_ifp, ! tcp, sport, dport)) { ! if (!fwd) { ! if (!is->is_ifp2) ! is->is_ifp2 = fin->fin_ifp; ! else if (is->is_ifp2 != fin->fin_ifp) ! continue; ! } if (fr_tcpstate(is, fin, ip, tcp, sport)) { pass = is->is_pass; #ifdef _KERNEL *************** *** 491,497 **** #endif return pass; } ! } MUTEX_EXIT(&ipf_state); break; } --- 534,540 ---- #endif return pass; } ! } MUTEX_EXIT(&ipf_state); break; } *************** *** 508,515 **** MUTEX_ENTER(&ipf_state); for (is = ips_table[hv]; is; is = is->is_next) if ((is->is_p == pr) && ! PAIRS(sport, dport, is->is_sport, is->is_dport) && ! IPPAIR(src, dst, is->is_src, is->is_dst)) { ips_stats.iss_hits++; is->is_pkts++; is->is_bytes += ip->ip_len; --- 551,564 ---- MUTEX_ENTER(&ipf_state); for (is = ips_table[hv]; is; is = is->is_next) if ((is->is_p == pr) && ! fr_matchsrcdst(is, src, dst, fin->fin_ifp, ! tcp, sport, dport)) { ! if (!fwd) { ! 
if (!is->is_ifp2) ! is->is_ifp2 = fin->fin_ifp; ! else if (is->is_ifp2 != fin->fin_ifp) ! continue; ! } ips_stats.iss_hits++; is->is_pkts++; is->is_bytes += ip->ip_len; Index: ip_state.h =================================================================== RCS file: /devel/CVS/IP-Filter/ip_state.h,v retrieving revision 2.0.2.14.2.1 retrieving revision 2.0.2.14.2.2 diff -c -r2.0.2.14.2.1 -r2.0.2.14.2.2 *** 2.0.2.14.2.1 1997/11/06 21:23:15 --- 2.0.2.14.2.2 1998/05/18 11:15:24 *************** *** 6,12 **** * to the original author and the contributors. * * @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed ! * $Id: ip_state.h,v 2.0.2.14.2.1 1997/11/06 21:23:15 darrenr Exp $ */ #ifndef __IP_STATE_H__ #define __IP_STATE_H__ --- 6,12 ---- * to the original author and the contributors. * * @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed ! * $Id: ip_state.h,v 2.0.2.14.2.2 1998/05/18 11:15:24 darrenr Exp $ */ #ifndef __IP_STATE_H__ #define __IP_STATE_H__ *************** *** 47,52 **** --- 47,54 ---- u_int is_pass; U_QUAD_T is_pkts; U_QUAD_T is_bytes; + void *is_ifp1; + void *is_ifp2; struct in_addr is_src; struct in_addr is_dst; u_char is_p; Index: ipl.h =================================================================== RCS file: /devel/CVS/IP-Filter/ipl.h,v retrieving revision 2.0.2.23.2.4 retrieving revision 2.0.2.23.2.5 diff -c -r2.0.2.23.2.4 -r2.0.2.23.2.5 *** 2.0.2.23.2.4 1998/05/08 15:09:27 --- 2.0.2.23.2.5 1998/05/18 12:29:46 *************** *** 11,16 **** #ifndef __IPL_H__ #define __IPL_H__ ! #define IPL_VERSION "IP Filter v3.2.5" #endif --- 11,16 ---- #ifndef __IPL_H__ #define __IPL_H__ ! 
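Review bot: The two new members `void *is_ifp1;` and `void *is_ifp2;` in ip_state.h carry no comment, although the rest of the patch depends on their exact meaning. Suggested comments are `/* interface the state was created on */` for is_ifp1 and `/* interface of the first reverse packet, NULL until seen */` for is_ifp2. The visible code only compares these raw interface pointers; if an interface can be detached while a state entry is alive, the comparison would be against a stale address, which is worth noting beside the fields. They are also inserted mid-structure, so anything outside the kernel that reads ipstate_t (not visible here) has to be rebuilt against the new layout.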
#define IPL_VERSION "IP Filter v3.2.6" #endif Index: SunOS5/Makefile =================================================================== RCS file: /devel/CVS/IP-Filter/SunOS5/Makefile,v retrieving revision 2.0.2.13.2.5 retrieving revision 2.0.2.13.2.6 diff -c -r2.0.2.13.2.5 -r2.0.2.13.2.6 *** 2.0.2.13.2.5 1998/04/11 02:58:48 --- 2.0.2.13.2.6 1998/05/14 14:01:03 *************** *** 96,102 **** $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/opt.c -o $@ ipnat.o: $(TOP)/ipnat.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_nat.h ! $(CC) $(CFLAGS) -c $(TOP)/ipnat.c -o $@ ipft_sn.o: $(TOP)/ipft_sn.c $(TOP)/ipt.h $(TOP)/ipf.h $(TOP)/ip_fil.h $(TOP)/snoop.h $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipft_sn.c -o $@ --- 96,102 ---- $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/opt.c -o $@ ipnat.o: $(TOP)/ipnat.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_nat.h ! $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipnat.c -o $@ ipft_sn.o: $(TOP)/ipft_sn.c $(TOP)/ipt.h $(TOP)/ipf.h $(TOP)/ip_fil.h $(TOP)/snoop.h $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipft_sn.c -o $@ Index: SunOS5/pkginfo =================================================================== RCS file: /devel/CVS/IP-Filter/SunOS5/pkginfo,v retrieving revision 2.0.2.22.2.5 retrieving revision 2.0.2.22.2.6 diff -c -r2.0.2.22.2.5 -r2.0.2.22.2.6 *** 2.0.2.22.2.5 1998/05/08 15:09:42 --- 2.0.2.22.2.6 1998/05/18 12:36:15 *************** *** 5,11 **** PKG=ipf NAME=IP Filter ARCH=sparc,i386 ! VERSION=3.2,REV=5 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Darren Reed --- 5,11 ---- PKG=ipf NAME=IP Filter ARCH=sparc,i386 ! 
VERSION=3.2,REV=6 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Darren Reed Index: ipsend/ipsend.c =================================================================== RCS file: /devel/CVS/IP-Filter/ipsend/ipsend.c,v retrieving revision 2.0.2.19 retrieving revision 2.0.2.19.2.1 diff -c -r2.0.2.19 -r2.0.2.19.2.1 *** 2.0.2.19 1997/10/12 09:48:38 --- 2.0.2.19.2.1 1998/05/14 14:01:19 *************** *** 12,18 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ipsend.c 1.5 12/10/95 (C)1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.0.2.19 1997/10/12 09:48:38 darrenr Exp $"; #endif #include #include --- 12,18 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ipsend.c 1.5 12/10/95 (C)1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.0.2.19.2.1 1998/05/14 14:01:19 darrenr Exp $"; #endif #include #include *************** *** 357,363 **** } if (ip->ip_p == IPPROTO_TCP) ! for (s = argv[optind]; (c = *s); s++) switch(c) { case 'S' : case 's' : --- 357,363 ---- } if (ip->ip_p == IPPROTO_TCP) ! for (s = argv[optind]; s && (c = *s); s++) switch(c) { case 'S' : case 's' : Index: rules/BASIC_1.FW =================================================================== RCS file: /devel/CVS/IP-Filter/rules/BASIC_1.FW,v retrieving revision 2.0.2.3.2.1 retrieving revision 2.0.2.3.2.2 diff -c -r2.0.2.3.2.1 -r2.0.2.3.2.2 *** 2.0.2.3.2.1 1997/11/12 11:45:20 --- 2.0.2.3.2.2 1998/05/18 11:13:48 *************** *** 48,54 **** # block in log quick from 10.0.0.0/8 to any group 100 block in log quick from 192.168.0.0/16 to any group 100 ! block in log quick from 172.16.0.0/16 to any group 100 # # Prevent IP spoofing. # --- 48,54 ---- # block in log quick from 10.0.0.0/8 to any group 100 block in log quick from 192.168.0.0/16 to any group 100 ! block in log quick from 172.16.0.0/12 to any group 100 # # Prevent IP spoofing. 
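Review bot: The added `s &&` test in the ipsend.c flag loop guards only against `argv[optind]` being NULL, and it is re-evaluated on every iteration although `s` can only be NULL on entry. That is sufficient when optind equals argc, but if earlier option handling (outside this hunk) can leave optind beyond argc, `argv[optind]` is read before the test takes effect. Checking the index once states the intent directly: `if (ip->ip_p == IPPROTO_TCP && optind < argc)`.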
# Index: rules/BASIC_2.FW =================================================================== RCS file: /devel/CVS/IP-Filter/rules/BASIC_2.FW,v retrieving revision 2.0.2.1.2.1 retrieving revision 2.0.2.1.2.2 diff -c -r2.0.2.1.2.1 -r2.0.2.1.2.2 *** 2.0.2.1.2.1 1997/11/12 11:45:21 --- 2.0.2.1.2.2 1998/05/18 11:13:49 *************** *** 33,39 **** # block in log quick from 10.0.0.0/8 to any group 100 block in log quick from 192.168.0.0/16 to any group 100 ! block in log quick from 172.16.0.0/16 to any group 100 # # Prevent IP spoofing. # --- 33,39 ---- # block in log quick from 10.0.0.0/8 to any group 100 block in log quick from 192.168.0.0/16 to any group 100 ! block in log quick from 172.16.0.0/12 to any group 100 # # Prevent IP spoofing. # Index: test/input/11 =================================================================== RCS file: /devel/CVS/IP-Filter/test/input/11,v retrieving revision 2.0.2.1 retrieving revision 2.0.2.1.2.1 diff -c -r2.0.2.1 -r2.0.2.1.2.1 *** 2.0.2.1 1997/01/12 08:48:48 --- 2.0.2.1.2.1 1998/05/18 12:18:59 *************** *** 1,11 **** ! in tcp 1.1.1.1,1 2.1.2.2,23 S ! in tcp 1.1.1.1,1 2.1.2.2,23 A ! in tcp 2.1.2.2,23 1.1.1.1,1 A ! in tcp 1.1.1.1,1 2.1.2.2,23 F ! in tcp 1.1.1.1,1 2.1.2.2,23 A ! in tcp 1.1.1.1,2 2.1.2.2,23 A ! in udp 1.1.1.1,1 4.4.4.4,53 ! in udp 2.2.2.2,2 4.4.4.4,53 ! in udp 4.4.4.4,53 1.1.1.1,1 ! in udp 4.4.4.4,1023 1.1.1.1,2049 ! in udp 4.4.4.4,2049 1.1.1.1,1023 --- 1,11 ---- ! in on e0 tcp 1.1.1.1,1 2.1.2.2,23 S ! in on e0 tcp 1.1.1.1,1 2.1.2.2,23 A ! in on e1 tcp 2.1.2.2,23 1.1.1.1,1 A ! in on e0 tcp 1.1.1.1,1 2.1.2.2,23 F ! in on e0 tcp 1.1.1.1,1 2.1.2.2,23 A ! in on e0 tcp 1.1.1.1,2 2.1.2.2,23 A ! in on e1 udp 1.1.1.1,1 4.4.4.4,53 ! in on e1 udp 2.2.2.2,2 4.4.4.4,53 ! in on e0 udp 4.4.4.4,53 1.1.1.1,1 ! in on e0 udp 4.4.4.4,1023 1.1.1.1,2049 ! in on e0 udp 4.4.4.4,2049 1.1.1.1,1023
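Review bot: Every packet in the new test/input/11 arrives on an interface the state code will accept: forward packets on the interface that created the state, replies on one other interface. Only the accept path of the new interface check is therefore exercised, and no expected-output file changes in this diff, which is consistent with that. A line that repeats an established flow on the other interface, for example `in on e1 tcp 1.1.1.1,1 2.1.2.2,23 A` (constructed sample), together with its expected result, would cover the case the keep-state fix is presumably meant to reject.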