IPFW what's wrong with this rule??

[kalman84]

Hello,

I'm trying to set up a rule for denying traffic generated from a specific user on the basis of the uid.
Actually I should fwd it toward another IP but the result is the same.

I use this rule:

ipfw add 10 deny all from any to any uid $id_user

As I set up this rule the system stops responding.

What's wrong with it?

Thanks in advance!

 

[SirDice]

From ipfw(8):

Rules using uid or gid may not behave as expected. In particular, incoming SYN packets may have no uid or gid associated with them since they do not yet belong to a TCP connection, and the uid/gid associated with a packet may not be as expected if the associated process calls setuid(2) or similar system calls.

When you think about it it makes sense. An incoming connection (SYN) has no UID associated with it. There's no provision in TCP/IP that sends the UID along with the IP packet. Hence all incoming connections will be blocked by this rule.

 

[DutchDaemon]

ipfw does not have some type of synproxy construction? I use uid/gid rules in PF, and they do work (in/out).

 

[kalman84]

Ok I agree with the fact that the behavior can be unexpected, actually I need only to fwd outgoing traffic on the basis of uid... that was only an example.. But in my opinion the system shouldn't crash. I can expect it doesn't filter packets, but not crashing...

At DutchDaemon, I cannot answer, but indeed maybe I can make the same thing with PF, no? Can you suggest me a good user-guide?

 

[DutchDaemon]

pf.conf(5)
[cmd=]man pf.conf | less +/"group <group>" [/cmd]
[cmd=]man pf.conf | less +/"user <user>"[/cmd]