From owner-freebsd-security  Wed Nov  4 09:24:04 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id JAA27648
          for freebsd-security-outgoing; Wed, 4 Nov 1998 09:24:04 -0800 (PST)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from Kitten.mcs.com (Kitten.mcs.com [192.160.127.90])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA27570
          for <freebsd-security@FreeBSD.ORG>; Wed, 4 Nov 1998 09:24:01 -0800 (PST)
          (envelope-from nash@Mars.mcs.net)
Received: from Mars.mcs.net (nash@Mars.mcs.net [192.160.127.85]) by Kitten.mcs.com (8.8.7/8.8.2) with ESMTP id LAA20364; Wed, 4 Nov 1998 11:23:52 -0600 (CST)
Received: (from nash@localhost) by Mars.mcs.net (8.8.7/8.8.2) id LAA06071; Wed, 4 Nov 1998 11:23:52 -0600 (CST)
Message-ID: <19981104112352.B4776@mcs.net>
Date: Wed, 4 Nov 1998 11:23:52 -0600
From: Alex Nash <nash@mcs.net>
To: Open Systems Networking <opsys@mail.webspan.net>,
        freebsd-security@FreeBSD.ORG
Subject: Re: Amazing wonder packet sneaks by deny all rule?
Mail-Followup-To: Open Systems Networking <opsys@mail.webspan.net>,
	freebsd-security@FreeBSD.ORG
References: <Pine.BSF.4.02.9811040815360.4966-100000@orion.webspan.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <Pine.BSF.4.02.9811040815360.4966-100000@orion.webspan.net>; from Open Systems Networking on Wed, Nov 04, 1998 at 08:28:08AM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Nov 04, 1998 at 08:28:08AM -0500, Open Systems Networking wrote:
> 
> It's really late/early this morning and I was just checking the rule set
> on a clients machine I just built. When I saw this:
> 
> 65534        195      14104 deny log ip from any to any
> 65535          1         76 deny ip from any to any
> 
> Now maybe it's my lack of sleep but how did that amazing wonder packet
> on rule 65535 sneak by 65534 :-) A fluke? A 1 in a million chance?

As others have already pointed out, this packet was probably sent before
rule 65534 was configured.  To verify this, run ipfw -t l to check the
timestamp on rule 65535...my guess is it will be equivalent to either
your time of last boot (sysctl kern.boottime), or whenever you last
reloaded your ruleset.

Alex

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message