Date: Wed, 4 Nov 1998 12:48:42 -0500 (EST) From: David Gilbert <dgilbert@velocet.net> To: Open Systems Networking <opsys@mail.webspan.net> Cc: freebsd-security@FreeBSD.ORG Subject: Amazing wonder packet sneaks by deny all rule? Message-ID: <13888.37754.189607.428001@trooper.velocet.ca> In-Reply-To: <Pine.BSF.4.02.9811040815360.4966-100000@orion.webspan.net> References: <Pine.BSF.4.02.9811040815360.4966-100000@orion.webspan.net>
next in thread | previous in thread | raw e-mail | index | archive | help
>>>>> "Open" == Open Systems Networking <opsys@mail.webspan.net> writes: Open> It's really late/early this morning and I was just checking the Open> rule set on a clients machine I just built. When I saw this: Open> 65534 195 14104 deny log ip from any to any Open> 65535 1 76 deny ip from any to any Open> Now maybe it's my lack of sleep but how did that amazing wonder Open> packet on rule 65535 sneak by 65534 :-) A fluke? A 1 in a Open> million chance? A posessed packet? This isn't exactly the kind Open> of thing that instills confidence in ones choice of firewall Open> software :-) It's ipfw BTW if you cant tell from the syntax, not Open> ipfilter. I have NEVER seen this happen before, so im guessing Open> it's just a freak accident. But it is curious nonetheless. Actually, it was likely a packet that occured between the 'ipfw flush' and the subsequent 'ipfw add 65534' line. I see this all the time on our busier firewalls. Dave. -- ============================================================================ |David Gilbert, Velocet Communications. | Two things can only be | |Mail: dgilbert@velocet.net | equal if and only if they | |http://www.velocet.net/~dgilbert | are precisely opposite. | =========================================================GLO================ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?13888.37754.189607.428001>