From owner-freebsd-questions@FreeBSD.ORG Tue May 18 20:26:09 2004
Date: Wed, 19 May 2004 00:16:01 +0300
From: Giorgos Keramidas
To: Norberto Meijome
cc: freebsd-questions@freebsd.org
Subject: Re: ipf log line
Message-ID: <20040518211601.GD4714@gothmog.gr>
References: <40AA08CB.3070605@meijome.net>
In-Reply-To: <40AA08CB.3070605@meijome.net>

On 2004-05-18 22:59, Norberto Meijome wrote:
> I saw this in my ipf.log (using ipfmon):
>
> 18/05/2004 15:57:21.092537 fxp0 @25:1 S w.x.y.z -> a.b.c.d PR tcp len 20 (40) frag 20@8 IN
>
> where :
> - fxp0 is my interface connected to the outside world
> - w.x.y.z is an IP not related to any system under our control
> - a.b.c.d is the public IP used for NATed traffic from our LAN.
> - @25:1 is : @1 block in log quick from any to any with short group 25
>
> Does the "S" after @25:1 mean it was a packet too short to be a proper
> tcp packet?

The packet has the TCP SYN flag bit set (non-zero).

> What does the frag 20@8 mean?

IIRC, these are the length and starting offset, respectively, of the
blocked fragment within the full IP packet.

- Giorgos