Date: Tue, 13 Mar 2001 23:20:14 -0800 From: "Crist J. Clark" <cjclark@reflexnet.net> To: Alan Batie <alan@batie.org> Cc: security@FreeBSD.ORG Subject: Re: ipfw rule -1? Message-ID: <20010313232014.B496@cjc-desktop.users.reflexcom.com> In-Reply-To: <20010313084020.A5859@agora.rdrop.com>; from alan@batie.org on Tue, Mar 13, 2001 at 08:40:20AM -0800 References: <20010313084020.A5859@agora.rdrop.com>
On Tue, Mar 13, 2001 at 08:40:20AM -0800, Alan Batie wrote:
> I'm seeing a few of these in my ipfw log and was wondering what rule -1 is?
> I couldn't find anything about it in the man page...
>
> > ipfw: -1 Refuse TCP 62.29.124.91:20041 199.2.210.241:17227 in via etha16
> > ipfw: -1 Refuse TCP 62.29.124.91:20041 199.2.210.241:17227 in via etha16
> > ipfw: -1 Refuse TCP 62.29.124.91:20041 199.2.210.241:17227 in via etha16
> > ipfw: -1 Refuse TCP 62.29.124.91:97 199.2.210.241:29540 in via etha16
> > ipfw: -1 Refuse TCP 62.29.124.91:20041 199.2.210.241:17227 in via etha16
The manpage does not go as far as to indicate that this is rule -1,
but it does say this happens,
FINE POINTS
o There is one kind of packet that the firewall will always discard,
that is a TCP packet's fragment with a fragment offset of one. This
is a valid packet, but it only has one use, to try to circumvent
firewalls.
Rule -1 is given for any packet dropped, but not dropped due to a user
rule or the default rule. A quick look at the source indicates the
above pseudo-rule and some other fragment issues (bogusfrag) are the
only such situations.
OK, I've answered this one enough times now. Should I send in a PR
with patch to the manpage or is this for the FAQ?
--
Crist J. Clark cjclark@alum.mit.edu
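A small triage script, added here as an example and not part of this thread, that parses lines in the ipfw log format quoted above and separates rule -1 (kernel-internal) drops from user-rule and default-rule hits, counting them per source address. The syslog prefix, timestamps, host name and the non -1 lines are constructed; the rule number 65535 is ipfw's built-in default rule.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the ipfw format quoted in the thread
# (hypothetical host/timestamps; the -1 lines mirror the ones Alan posted).
SAMPLE_LOG = """\
Mar 13 08:12:01 gw /kernel: ipfw: -1 Refuse TCP 62.29.124.91:20041 199.2.210.241:17227 in via etha16
Mar 13 08:12:02 gw /kernel: ipfw: -1 Refuse TCP 62.29.124.91:97 199.2.210.241:29540 in via etha16
Mar 13 08:12:05 gw /kernel: ipfw: 300 Deny UDP 10.0.0.5:1234 199.2.210.241:53 in via etha16
Mar 13 08:12:07 gw /kernel: ipfw: 65535 Deny TCP 10.0.0.9:40000 199.2.210.241:22 in via etha16
Mar 13 08:12:09 gw /kernel: ipfw: 100 Accept ICMP:8.0 10.0.0.7 199.2.210.241 in via etha16
"""

# One ipfw log line: rule number, action, protocol, src[:port], dst[:port], direction, interface.
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>-?\d+) (?P<action>\w+) (?P<proto>[\w.:]+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<direction>in|out) via (?P<iface>\S+)"
)

DEFAULT_RULE = 65535  # ipfw's built-in last rule

def classify(rule: int) -> str:
    """Name the origin of a logged decision by its rule number."""
    if rule == -1:
        # Not a configured rule: dropped by the firewall's built-in fragment
        # sanity checks (TCP fragment at offset 1, bogus fragment).
        return "internal-drop"
    if rule == DEFAULT_RULE:
        return "default-rule"
    return "user-rule"

def parse_line(line: str):
    """Return a dict of the line's fields, or None if it is not an ipfw log line."""
    m = IPFW_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["origin"] = classify(rec["rule"])
    return rec

def summarize(log_text: str) -> Counter:
    """Count records per (origin, source address) to surface noisy senders."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[(rec["origin"], rec["src"])] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {key[0]:14s} {key[1]}")
```

A steady stream of internal-drop entries from one source is worth a closer look at the fragments it is sending, since no configured rule produced them.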
