From owner-freebsd-bugs Thu Sep 4 08:11:27 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id IAA04194 for bugs-outgoing; Thu, 4 Sep 1997 08:11:27 -0700 (PDT)
Received: from oskar.nanoteq.co.za (oskar.nanoteq.co.za [163.195.220.170]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id IAA04186 for ; Thu, 4 Sep 1997 08:11:21 -0700 (PDT)
Received: (from rbezuide@localhost) by oskar.nanoteq.co.za (8.8.7/8.8.5) id RAA11819; Thu, 4 Sep 1997 17:11:06 +0200 (SAT)
From: Reinier Bezuidenhout
Message-Id: <199709041511.RAA11819@oskar.nanoteq.co.za>
Subject: Re: Bug in IPFW code ?
In-Reply-To: from "Andreas S. Wetzel" at "Sep 4, 97 04:15:25 pm"
To: mickey@deadline.snafu.de (Andreas S. Wetzel)
Date: Thu, 4 Sep 1997 17:11:06 +0200 (SAT)
Cc: bugs@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL28 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-bugs@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> 230 Deny log udp from any to 194.121.229.32/28 111 via sl0
>
> This rule should drop udp packets to the sunrpc port coming in via interface
> sl0. But instead it seems to deny random udp traffic to my network:
>
> Sep 4 16:13:09 gw-deadnet : /kernel: ipfw: 230 Deny UDP 130.83.22.1:17993 194.121.229.34:17732 in via sl0 Fragment = 123

Yes, I also have experienced this problem. It has to do - as far as I can
recall - with the sequence of how the check is done in ip_fw.c ... The
fragments after the first one don't have the ports etc. set any more, but
some checks are still performed, and sometimes they match and cause this to
happen.

A temporary solution is to set the MTU for the slip line to 1500 (this may
degrade throughput if you have a shaky line - I think) but it seemed to solve
the problem for now.

You are running a 2.1.X release, probably 2.1.7, right ??? I had a look at
the filtering code in 2.2 and the sequence of checks has changed there and
"should" solve this kind of problem.
Reinier Bezuidenhout

###################################################################
#                                                                 #
#  R.N. Bezuidenhout                      NetSeq Firewall         #
#  rbezuide@oskar.nanoteq.co.za           http://www.nanoteq.com  #
#                                                                 #
###################################################################
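As an added illustration, not part of this thread and not the FreeBSD ip_fw.c source, the following C model shows the failure mode Reinier describes: a non-first IP fragment carries no UDP header, so the two bytes a filter reads as "ports" are arbitrary payload, and a port rule whose port test is still reached for such a fragment can fire and log unrelated port numbers. Rule 230 and the addresses and ports are taken from the quoted log line; the packet and rule structures, the assumption that the old check order counted the fragment path as a match, and the reading of "Fragment = 123" as the fragment offset are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

#define PROTO_UDP 17

/* Constructed packet summary: only the fields the check below looks at. */
struct pkt {
    uint32_t src, dst;       /* IPv4 addresses, host byte order */
    uint8_t  proto;
    uint16_t frag_off;       /* IP fragment offset; 0 = first fragment */
    uint16_t sport, dport;   /* meaningful only when frag_off == 0 */
};

/* Constructed rule shape for "deny udp from any to net/mask port". */
struct rule {
    uint8_t  proto;
    uint32_t dst_net, dst_mask;
    uint16_t dport;          /* 0 = any port */
};

static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return (a << 24) | (b << 16) | (c << 8) | d;
}

static int proto_and_dst_match(const struct rule *r, const struct pkt *p)
{
    return p->proto == r->proto &&
           (p->dst & r->dst_mask) == (r->dst_net & r->dst_mask);
}

/* Check order as the thread describes the problem: the port test is still
 * reached for a non-first fragment, which carries no UDP header.
 * Assumption for this model: that path counts as a match, so the rule fires
 * and logs whatever bytes sit where the ports would be. */
int match_old_order(const struct rule *r, const struct pkt *p)
{
    if (!proto_and_dst_match(r, p)) return 0;
    if (r->dport == 0) return 1;
    if (p->frag_off != 0) return 1;      /* no real ports, yet counted as a hit */
    return p->dport == r->dport;
}

/* Reordered check: decide whether a transport header exists before comparing
 * ports, so a port rule never fires on a non-first fragment. */
int match_fixed_order(const struct rule *r, const struct pkt *p)
{
    if (!proto_and_dst_match(r, p)) return 0;
    if (r->dport == 0) return 1;
    if (p->frag_off != 0) return 0;      /* nothing to compare: not a match */
    return p->dport == r->dport;
}

/* Rule 230 from the thread: deny udp from any to 194.121.229.32/28 111 */
static struct rule rule230(void)
{
    struct rule r = { PROTO_UDP, ip4(194, 121, 229, 32), 0xFFFFFFF0u, 111 };
    return r;
}

/* Packet from the logged line; "Fragment = 123" read as the offset (assumption). */
static struct pkt logged_fragment(void)
{
    struct pkt p = { ip4(130, 83, 22, 1), ip4(194, 121, 229, 34),
                     PROTO_UDP, 123, 17993, 17732 };
    return p;
}

/* Constructed first fragment of a datagram to the same host, any dport. */
static struct pkt first_fragment_to(uint16_t dport)
{
    struct pkt p = { ip4(130, 83, 22, 1), ip4(194, 121, 229, 34),
                     PROTO_UDP, 0, 40000, dport };
    return p;
}

int old_order_on_logged_fragment(void)
{
    struct rule r = rule230(); struct pkt p = logged_fragment();
    return match_old_order(&r, &p);
}

int fixed_order_on_logged_fragment(void)
{
    struct rule r = rule230(); struct pkt p = logged_fragment();
    return match_fixed_order(&r, &p);
}

int fixed_order_on_first_fragment(uint16_t dport)
{
    struct rule r = rule230(); struct pkt p = first_fragment_to(dport);
    return match_fixed_order(&r, &p);
}

int main(void)
{
    printf("old order, logged fragment  : %d (spurious deny)\n", old_order_on_logged_fragment());
    printf("fixed order, same fragment  : %d\n", fixed_order_on_logged_fragment());
    printf("fixed order, first frag/111 : %d\n", fixed_order_on_first_fragment(111));
    printf("fixed order, first frag/53  : %d\n", fixed_order_on_first_fragment(53));
    return 0;
}
```

The reordered check removes the spurious denies, but it also means non-first fragments are no longer decided by any port rule, so a ruleset needs its own explicit policy for fragments rather than relying on port rules to cover them. When reading ipfw logs, a deny line whose ports look random together with a non-zero fragment value is the signature of this false positive, and it is worth checking before treating it as hostile traffic.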