Date: Mon, 11 Jan 1999 22:28:37 +1100 (EST)
From: "Daniel O'Callaghan"
To: "N. N.M"
cc: freebsd-security@FreeBSD.ORG
Subject: Re: Need help with IPFW
In-Reply-To: <19990111071915.19303.qmail@hotmail.com>

On Sun, 10 Jan 1999, N. N.M wrote:

> Is there anybody around who knows what the following log (related to
> ipfw) means:
>
> ipfw -1 Refuse TCP X.X.X.X:80 Y.Y.Y.Y:2047 in via ed1
>
> or this one
>
> ipfw -1 Refuse TCP X.X.X.X Y.Y.Y.Y in via edi Fragment=1

This one is covered by the man page. *All* tcp packets with Fragment
offset=1 are rejected because they are only used to circumvent firewalls.
The first packet was probably the first packet in the attack, and had
something odd about it which caused the ip_fw code to refuse it as a bogus
fragment.

Danny
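
The check described in the reply above, as an added example (not part of the original post and not FreeBSD's ip_fw code): it reads the fragment offset from a raw IPv4 header and refuses TCP packets whose offset is 1, the same rule RFC 1858 recommends. The function name, verdict names and sample headers are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum verdict { PASS = 0, REFUSE_FRAG_OFFSET_1 = 1, MALFORMED = 2 };

/* Hypothetical helper: classify one raw IPv4 header by the rule in the
 * reply. The offset field counts 8-byte units, so offset 1 means the
 * fragment starts at byte 8 of the TCP header and carries the flags
 * byte (byte 13) that a filter expects to find in the first fragment. */
enum verdict check_tcp_fragment(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < 20 || (pkt[0] >> 4) != 4)
        return MALFORMED;                 /* too short or not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len)
        return MALFORMED;                 /* bad header length */
    /* Bytes 6-7: three flag bits, then the 13-bit fragment offset. */
    uint16_t frag = (uint16_t)((pkt[6] << 8) | pkt[7]);
    uint16_t offset = frag & 0x1fff;
    if (pkt[9] == 6 /* TCP */ && offset == 1)
        return REFUSE_FRAG_OFFSET_1;
    return PASS;
}

/* Constructed 20-byte headers (documentation addresses, checksum 0). */
static const uint8_t tcp_off1[20]    = { 0x45,0,0,28, 0,1, 0x00,0x01,
    64,6, 0,0, 192,0,2,1, 198,51,100,2 };  /* TCP, offset 1 */
static const uint8_t tcp_off1_mf[20] = { 0x45,0,0,28, 0,1, 0x20,0x01,
    64,6, 0,0, 192,0,2,1, 198,51,100,2 };  /* TCP, offset 1, MF set */
static const uint8_t tcp_whole[20]   = { 0x45,0,0,40, 0,2, 0x40,0x00,
    64,6, 0,0, 192,0,2,1, 198,51,100,2 };  /* TCP, DF set, unfragmented */
static const uint8_t udp_off1[20]    = { 0x45,0,0,28, 0,3, 0x00,0x01,
    64,17, 0,0, 192,0,2,1, 198,51,100,2 }; /* UDP, offset 1 */

int main(void)
{
    printf("tcp offset=1      -> %d\n", check_tcp_fragment(tcp_off1, 20));
    printf("tcp offset=1 + MF -> %d\n", check_tcp_fragment(tcp_off1_mf, 20));
    printf("tcp unfragmented  -> %d\n", check_tcp_fragment(tcp_whole, 20));
    printf("udp offset=1      -> %d\n", check_tcp_fragment(udp_off1, 20));
    return 0;
}
```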