Date: Mon, 8 Feb 1999 08:23:51 -0500 (EST)
From: Matt Behrens
To: security@FreeBSD.ORG
Subject: bypassing "allow ip from any to any"?

I rebooted one of my boxes 24 hours ago. I run the "open" firewall set with ppp -alias (as an on-demand packet filter, I know, I should do better) ;) but saw something strange in last night's security check.

Rule 65000 clearly states

    65000 allow ip from any to any

yet this came across in my logs last night:

    xxx.xxx.xxx denied packets:
    > 65535 2 139 deny ip from any to any

I don't see how it could, unless someone was fudging with my ipfw config. Or do I just not know something? (I do run options NETATALK here, could that somehow have snuck in?)

- Matt Behrens
Network Administrator, zigg.com
Engineer, Nameless IRC Network