Date: Tue, 13 Mar 2001 23:20:14 -0800
From: "Crist J. Clark"
Reply-To: cjclark@alum.mit.edu
To: Alan Batie
Cc: security@FreeBSD.ORG
Subject: Re: ipfw rule -1?
Message-ID: <20010313232014.B496@cjc-desktop.users.reflexcom.com>
References: <20010313084020.A5859@agora.rdrop.com>
In-Reply-To: <20010313084020.A5859@agora.rdrop.com>; from alan@batie.org on Tue, Mar 13, 2001 at 08:40:20AM -0800
User-Agent: Mutt/1.2.5i

On Tue, Mar 13, 2001 at 08:40:20AM -0800, Alan Batie wrote:
> I'm seeing a few of these in my ipfw log and was wondering what rule -1 is?
> I couldn't find anything about it in the man page...
>
> > ipfw: -1 Refuse TCP 62.29.124.91:20041 199.2.210.241:17227 in via etha16
> > ipfw: -1 Refuse TCP 62.29.124.91:20041 199.2.210.241:17227 in via etha16
> > ipfw: -1 Refuse TCP 62.29.124.91:20041 199.2.210.241:17227 in via etha16
> > ipfw: -1 Refuse TCP 62.29.124.91:97 199.2.210.241:29540 in via etha16
> > ipfw: -1 Refuse TCP 62.29.124.91:20041 199.2.210.241:17227 in via etha16

The manpage does not go as far as to indicate that this is rule -1, but it does say this happens,

     FINE POINTS
     o There is one kind of packet that the firewall will always discard,
       that is a TCP packet's fragment with a fragment offset of one. This
       is a valid packet, but it only has one use, to try to circumvent
       firewalls.

Rule -1 is given for any packet dropped, but not dropped due to a user rule or the default rule. A quick look at the source indicates the above pseudo-rule and some other fragment issues (bogusfrag) are the only such situations.

OK, I've answered this one enough times now. Should I send in a PR with patch to the manpage or is this for the FAQ?
-- 
Crist J. Clark                                cjclark@alum.mit.edu
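As an added illustration (not code from this thread or from FreeBSD's ipfw source), the check below reproduces the behaviour the manpage describes: parse an IPv4 header and return the "rule -1" verdict for a TCP fragment whose fragment offset is 1, leaving every other packet to the normal rule set. The verdict names, `tcp_frag_check` and the `build_ipv4_header` helper are assumptions for this example, and the packets it builds are constructed test data.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PROTO_TCP   6        /* IPv4 protocol number for TCP */
#define IP_OFFMASK  0x1fff   /* fragment offset field, in 8-byte units */

/* Verdict for a packet (names are this example's, not ipfw's). */
enum frag_verdict {
    FRAG_VERDICT_MALFORMED    = -2, /* too short to hold an IPv4 header */
    FRAG_VERDICT_RULE_MINUS_1 = -1, /* unconditional drop, logged as rule -1 */
    FRAG_VERDICT_CONTINUE     =  0  /* hand on to the user rule set */
};

/* Inspect the IPv4 header at buf; len is the number of bytes available. */
enum frag_verdict tcp_frag_check(const uint8_t *buf, size_t len)
{
    if (len < 20 || (buf[0] >> 4) != 4)
        return FRAG_VERDICT_MALFORMED;
    size_t hlen = (size_t)(buf[0] & 0x0f) * 4;   /* IHL is in 32-bit words */
    if (hlen < 20 || hlen > len)
        return FRAG_VERDICT_MALFORMED;
    uint16_t off_field = (uint16_t)((buf[6] << 8) | buf[7]);
    uint16_t offset = off_field & IP_OFFMASK;    /* strip the DF/MF flag bits */
    uint8_t proto = buf[9];
    /* A TCP fragment that starts 8 bytes into the transport header carries
       no inspectable TCP header of its own; the firewall always discards it
       regardless of the user rules, and logs the drop as rule -1. */
    if (proto == PROTO_TCP && offset == 1)
        return FRAG_VERDICT_RULE_MINUS_1;
    return FRAG_VERDICT_CONTINUE;
}

/* Build a 28-byte packet (20-byte header + 8 zero payload bytes); constructed
   test data, not a real capture. Returns the packet length. */
size_t build_ipv4_header(uint8_t *out, uint8_t proto, uint16_t frag_offset, int more_frags)
{
    memset(out, 0, 28);
    out[0] = 0x45;                                /* version 4, IHL 5 */
    out[2] = 0; out[3] = 28;                      /* total length */
    uint16_t off_field = (uint16_t)((more_frags ? 0x2000 : 0) | (frag_offset & IP_OFFMASK));
    out[6] = (uint8_t)(off_field >> 8); out[7] = (uint8_t)(off_field & 0xff);
    out[8] = 64;                                  /* TTL */
    out[9] = proto;
    return 28;
}
```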