Date: Tue, 9 Jan 2001 08:30:19 +1300
From: Jonathan Chen <jonathan.chen@itouch.co.nz>
To: Vivek Khera <khera@kciLink.com>
Cc: questions@FreeBSD.ORG
Subject: Re: ipfw fragments and connections to port 0
Message-ID: <20010109083019.B14318@itouchnz.itouch>
In-Reply-To: <14938.97.366645.802181@onceler.kciLink.com>; from khera@kciLink.com on Mon, Jan 08, 2001 at 01:01:05PM -0500
References: <14938.97.366645.802181@onceler.kciLink.com>

On Mon, Jan 08, 2001 at 01:01:05PM -0500, Vivek Khera wrote:
> Every so often, I see something like this in my log files from ipfw:
>
> ipfw: -1 Refuse TCP 63.252.242.78:0 204.117.82.12:0 in via fxp0
>
> From what I understand, this is a connection to port 0, but I'm not
> sure what that means, since port numbers start at 1. Is this some
> sort of attack or other kind of scan going on?
>
> Also, occasionally I see this:
>
> ipfw: -1 Refuse TCP 24.0.95.136 204.117.82.12 in via fxp0 Fragment = 184
>

IIRC, this is generated by the rule that discards IP fragments with a
fragment offset of one. From the ipfw(8) manual:

[...]
FINE POINTS
     There is one kind of packet that the firewall will always discard,
     that is an IP fragment with a fragment offset of one. This is a
     valid packet, but it only has one use, to try to circumvent
     firewalls.

Hope this helps.
--
Jonathan Chen                 | To do is to be -- Nietzsche
<jonathan.chen@itouch.co.nz>  | To be is to do -- Sartre
                              | Scooby do be do -- Scooby

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
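
The fragment-offset check quoted from ipfw(8) above, as an added Python example that is not part of the original message and is not ipfw's own code: it reads the flags/fragment-offset field of an IPv4 header and singles out the offset-one case. The function names, result labels and sample headers (documentation addresses) are constructed for illustration.

```python
import socket
import struct

IP_MF = 0x2000       # "more fragments" flag bit
IP_OFFMASK = 0x1FFF  # low 13 bits: fragment offset in 8-byte units


def frag_fields(packet: bytes):
    """Return (offset_units, more_fragments) from an IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not a complete IPv4 header")
    (flags_off,) = struct.unpack_from("!H", packet, 6)
    return flags_off & IP_OFFMASK, bool(flags_off & IP_MF)


def classify(packet: bytes) -> str:
    """Label a packet by its fragmentation state (labels chosen here)."""
    offset, more = frag_fields(packet)
    if offset == 1:
        # Payload would start 8 bytes into the transport header.
        return "offset-one"
    if offset == 0:
        return "first-fragment" if more else "unfragmented"
    return "later-fragment"


def payload_byte_offset(packet: bytes) -> int:
    """Byte position of this fragment's data in the original datagram."""
    return frag_fields(packet)[0] * 8


def build_header(offset: int, more: bool = False, proto: int = 6) -> bytes:
    """Constructed 20-byte IPv4 header (checksum left as zero)."""
    flags_off = (IP_MF if more else 0) | (offset & IP_OFFMASK)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, flags_off,
                       64, proto, 0,
                       socket.inet_aton("192.0.2.1"),
                       socket.inet_aton("198.51.100.2"))


if __name__ == "__main__":
    # Constructed samples: unfragmented, first fragment, offset one, offset 184.
    for off, mf in [(0, False), (0, True), (1, True), (184, False)]:
        pkt = build_header(off, mf)
        print(off, mf, classify(pkt), payload_byte_offset(pkt))
```

The offset field counts 8-byte units, so the value 184 from the quoted log line corresponds to byte 1472 of the original datagram.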