Message-Id: <200006162148.WAA02840@hak.lan.Awfulhak.org>
To: Chris Dillon
Cc: Mike Tancsa, Ian Smith, freebsd-security@FreeBSD.org, brian@hak.lan.awfulhak.org, luigi@FreeBSD.org
Subject: Re: ipfw log entry
In-Reply-To: Message from Chris Dillon of "Fri, 16 Jun 2000 16:16:08 CDT."
Date: Fri, 16 Jun 2000 22:48:02 +0100
From: Brian Somers

> On Fri, 16 Jun 2000, Mike Tancsa wrote:
>
> > At 05:14 AM 6/17/00 +1000, Ian Smith wrote:
> > >As I mentioned to John, this host is res6.geocities.com. We see these
> > >here usually in big batches, perhaps about once a month on average, eg:
> > >
> > >May 22 18:14:39 gaia /kernel:
> > >  ipfw: 65000 Count TCP 209.1.224.16 203.41.52.xxx in via tun0 Fragment = 147
> >
> > I thought I recognized that IP address...
> >
> > ipfw: -1 Refuse TCP 209.1.224.16 206.130.91.146 in via fxp2 Fragment = 147
> > ipfw: -1 Refuse TCP 209.1.224.16 206.130.91.146 in via fxp2 Fragment = 147
> >
> > Sheesh! We lots of this in our logs as well.
>
> Ditto. I get these quite often.
>
> ipfw: -1 Refuse TCP 209.1.224.16 207.160.214.253 in via fxp7 Fragment = 147
> ipfw: -1 Refuse TCP 209.1.224.16 207.160.214.253 in via fxp7 Fragment = 147
> ipfw: -1 Refuse TCP 209.1.224.16 207.160.214.253 in via fxp7 Fragment = 147
>
> Anyone figured out what/who this is yet?

It's a problem in the firewall code - I think because of assumptions
about minimum lengths of packets. I didn't figure this out, but I
talked to luigi@ about it a couple of weeks ago.

> -- Chris Dillon - cdillon@wolves.k12.mo.us - cdillon@inter-linc.net
>    FreeBSD: The fastest and most stable server OS on the planet.
>    For Intel x86 and Alpha architectures. ( http://www.freebsd.org )

--
Brian

Don't _EVER_ lose your sense of humour !
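
One way to tally entries like these across a log file, added here as an example and not part of the original message or of FreeBSD's own code. The regular expression follows the entry layout quoted in the thread; the function names are hypothetical, and the last sample line (documentation addresses, rule 1000) is constructed.

```python
import re
from collections import Counter

# Layout of the entries quoted in the thread, e.g.
#   ipfw: -1 Refuse TCP 209.1.224.16 207.160.214.253 in via fxp7 Fragment = 147
# The trailing "Fragment = N" part is optional so ordinary entries parse too.
ENTRY = re.compile(
    r"ipfw: (?P<rule>-?\d+) (?P<action>\w+) (?P<proto>\S+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)"
    r"(?: Fragment = (?P<frag>\d+))?"
)

def parse(line):
    """Return the fields of one ipfw log entry as a dict, or None if no match."""
    m = ENTRY.search(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["rule"] = int(entry["rule"])
    entry["frag"] = int(entry["frag"]) if entry["frag"] is not None else None
    return entry

def summarize(lines):
    """Count fragment-tagged entries per (source, fragment value, action)."""
    counts = Counter()
    for line in lines:
        entry = parse(line)
        if entry and entry["frag"] is not None:
            counts[(entry["src"], entry["frag"], entry["action"])] += 1
    return counts

# First four lines are the entries quoted in the thread (Ian Smith's entry
# joined onto one line); the last line is constructed for contrast.
SAMPLE = [
    "May 22 18:14:39 gaia /kernel: ipfw: 65000 Count TCP 209.1.224.16 203.41.52.xxx in via tun0 Fragment = 147",
    "ipfw: -1 Refuse TCP 209.1.224.16 206.130.91.146 in via fxp2 Fragment = 147",
    "ipfw: -1 Refuse TCP 209.1.224.16 206.130.91.146 in via fxp2 Fragment = 147",
    "ipfw: -1 Refuse TCP 209.1.224.16 207.160.214.253 in via fxp7 Fragment = 147",
    "ipfw: 1000 Deny TCP 192.0.2.10:1234 198.51.100.5:80 in via fxp0",
]

if __name__ == "__main__":
    for (src, frag, action), n in summarize(SAMPLE).most_common():
        print(f"{n:4d}  {src}  Fragment = {frag}  {action}")
```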