Date: Tue, 13 Mar 2001 23:20:14 -0800 From: "Crist J. Clark" <cjclark@reflexnet.net> To: Alan Batie <alan@batie.org> Cc: security@FreeBSD.ORG Subject: Re: ipfw rule -1? Message-ID: <20010313232014.B496@cjc-desktop.users.reflexcom.com> In-Reply-To: <20010313084020.A5859@agora.rdrop.com>; from alan@batie.org on Tue, Mar 13, 2001 at 08:40:20AM -0800 References: <20010313084020.A5859@agora.rdrop.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, Mar 13, 2001 at 08:40:20AM -0800, Alan Batie wrote: > I'm seeing a few of these in my ipfw log and was wondering what rule -1 is? > I couldn't find anything about it in the man page... > > > ipfw: -1 Refuse TCP 62.29.124.91:20041 199.2.210.241:17227 in via etha16 > > ipfw: -1 Refuse TCP 62.29.124.91:20041 199.2.210.241:17227 in via etha16 > > ipfw: -1 Refuse TCP 62.29.124.91:20041 199.2.210.241:17227 in via etha16 > > ipfw: -1 Refuse TCP 62.29.124.91:97 199.2.210.241:29540 in via etha16 > > ipfw: -1 Refuse TCP 62.29.124.91:20041 199.2.210.241:17227 in via etha16 The manpage does not go as far as to indicate that this is rule -1, but it does say this happens, FINE POINTS o There is one kind of packet that the firewall will always discard, that is a TCP packet's fragment with a fragment offset of one. This is a valid packet, but it only has one use, to try to circumvent firewalls. Rule -1 is given for any packet dropped, but not dropped due to a user rule or the default rule. A quick look at the souce indicates the above pseudo-rule and some other fragment issues (bogusfrag) are the only such situations. OK, I've answered this one enough times now. Should I send in a PR with patch to the manpage or is this for the FAQ? -- Crist J. Clark cjclark@alum.mit.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010313232014.B496>