From owner-freebsd-doc Wed Mar 14 01:00:15 2001
Delivered-To: freebsd-doc@freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 8C7C737B71A for ; Wed, 14 Mar 2001 01:00:02 -0800 (PST) (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.11.1/8.11.1) id f2E902217966; Wed, 14 Mar 2001 01:00:02 -0800 (PST) (envelope-from gnats)
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id A789C37B718 for ; Wed, 14 Mar 2001 00:56:40 -0800 (PST) (envelope-from cjc@rfx-216-196-73-168.users.reflexcom.com)
Received: from rfx-216-196-73-168.users.reflexcom.com ([216.196.73.168]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Wed, 14 Mar 2001 00:54:38 -0800
Received: (from cjc@localhost) by rfx-216-196-73-168.users.reflexcom.com (8.11.1/8.11.1) id f2E8ui814762; Wed, 14 Mar 2001 00:56:44 -0800 (PST) (envelope-from cjc)
Message-Id: <200103140856.f2E8ui814762@rfx-216-196-73-168.users.reflexcom.com>
Date: Wed, 14 Mar 2001 00:56:44 -0800 (PST)
From: cjclark@reflexcom.com
Reply-To: cjclark@alum.mit.edu
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: docs/25796: ipfw(8) manpage has no info on "Rule -1"
Sender: owner-freebsd-doc@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         25796
>Category:       docs
>Synopsis:       ipfw(8) manpage has no info on "Rule -1"
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-doc
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Mar 14 01:00:02 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     Crist J. Clark
>Release:        FreeBSD 4.2-STABLE i386
>Organization:
>Environment:
FreeBSD 4-STABLE and 5-CURRENT standard docs.
>Description:
When logging is enabled in ipfw(8), it may report that packets were
dropped by "Rule -1." From examining the code, this can occur under two
conditions: (1) a call to m_pullup returns zero or (2) a TCP fragment
with an offset of 1 is encountered.

For the first issue, I am not enough of a kernel-mbuf guy to know
exactly what the implications are. However, for the second case, there
is already text in the ipfw(8) manpage spelling this out, but no
reference to the fact this is reported as "Rule -1."
>How-To-Repeat:
Enable firewall logging and fire tiny, the smallest possible, fragments
at it to see "Rule -1." Use 'man ipfw' to review the documentation.
>Fix:
A quick sentence in ipfw(8) should be a nice RTFM pointer since this
pops up frequently on the mail lists. A simple patch,

--- ipfw.8.orig	Sat Feb 24 04:04:10 2001
+++ ipfw.8	Wed Mar 14 00:46:30 2001
@@ -1006,7 +1006,8 @@
 discard, that is a TCP packet's fragment with a fragment offset of one.
 This is a valid packet, but it only has one use, to try
-to circumvent firewalls.
+to circumvent firewalls. When logging is enabled, these packets are
+reported as being dropped by rule -1.
 .It
 If you are logged in over a network, loading the
 .Xr kld 4
>Release-Note:
>Audit-Trail:
>Unformatted:
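Review bot: the new sentence in the hunk only explains rule -1 for the fragment-offset-one case, but the >Description: section of this same PR names a second source of "Rule -1" reports (a call to m_pullup returning zero), so an administrator who sees rule -1 logged for a packet that is not a fragment still finds nothing in the page. Consider wording the addition as the general statement it really is, along the lines of "+A rule number of -1 in the log means the packet was discarded before any rule was consulted; the fragment described above is the common cause." Minor: the synopsis quotes the log as "Rule -1" while the added text says "rule -1"; whichever the kernel actually prints should be the one the manpage uses, so a reader can grep for it.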
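The PR describes two situations in which ipfw logs a drop as "Rule -1": a failed m_pullup and a TCP fragment with offset one. The following is an added example, not part of the PR or of FreeBSD, showing how a log reviewer can pick those entries out of syslog and tell the two cases apart. The log-line layout it parses ("ipfw: <rule> <action> <proto> <src> <dst> <in|out> via <iface>", optionally followed by "Fragment = <offset>") and the sample lines are constructed assumptions about the 4.x-era format, not copied from the page; adjust the regular expression to the exact shape your kernel prints.

```python
"""Pick rule -1 drops out of ipfw(8) syslog output and classify them.

Added example; the log-line shape and the sample lines are assumptions,
not taken from the PR or from FreeBSD sources.
"""
import re
from collections import Counter

# Assumed layout of an ipfw log line once the syslog prefix is stripped.
IPFW_RE = re.compile(
    r"ipfw:\s+(?P<rule>-?\d+)\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<dir>in|out)\s+via\s+(?P<iface>\S+)"
    r"(?:\s+Fragment\s*=\s*(?P<frag>\d+))?"
)

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    "Mar 14 00:50:01 gw /kernel: ipfw: 100 Deny TCP 192.0.2.10:1234 198.51.100.5:80 in via fxp0",
    "Mar 14 00:50:02 gw /kernel: ipfw: -1 Deny TCP 192.0.2.10 198.51.100.5 in via fxp0 Fragment = 1",
    "Mar 14 00:50:03 gw /kernel: ipfw: -1 Deny TCP 192.0.2.10 198.51.100.5 in via fxp0 Fragment = 1",
    "Mar 14 00:50:04 gw /kernel: ipfw: -1 Deny UDP 203.0.113.7 198.51.100.5 in via fxp0",
    "Mar 14 00:50:05 gw /kernel: ipfw: 200 Accept TCP 198.51.100.5:80 192.0.2.10:1234 out via fxp0",
]


def parse_ipfw_line(line):
    """Return a dict of fields for an ipfw log line, or None if it is not one."""
    m = IPFW_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["frag"] = int(rec["frag"]) if rec["frag"] is not None else None
    return rec


def classify(rec):
    """Label a record using the two rule -1 causes named in the PR.

    A TCP fragment whose offset is exactly one is the documented evasion
    fragment; any other rule -1 entry was dropped before rule matching
    for a reason the log line itself does not state (e.g. m_pullup failure).
    """
    if rec["rule"] != -1:
        return "ruleset"
    if rec["proto"] == "TCP" and rec["frag"] == 1:
        return "tcp-fragment-offset-1"
    return "pre-ruleset-drop"


def summarize(lines):
    """Count entries per category and rule -1 drops per source address."""
    kinds = Counter()
    per_src = Counter()
    for line in lines:
        rec = parse_ipfw_line(line)
        if rec is None:
            continue  # unrelated syslog traffic
        kinds[classify(rec)] += 1
        if rec["rule"] == -1:
            per_src[rec["src"]] += 1
    return kinds, per_src


if __name__ == "__main__":
    kinds, per_src = summarize(SAMPLE_LOG)
    for kind, n in kinds.items():
        print(f"{kind:24s} {n}")
    for src, n in per_src.most_common():
        print(f"rule -1 drops from {src}: {n}")
```

Feeding real syslog through `summarize` gives a quick picture of whether rule -1 noise is the offset-one fragment the manpage describes (worth correlating by source address, since it has no legitimate use) or a different pre-ruleset drop that deserves a look at the kernel side.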