From owner-freebsd-security Wed Nov 4 09:51:41 1998
From: David Gilbert
Message-ID: <13888.37754.189607.428001@trooper.velocet.ca>
Date: Wed, 4 Nov 1998 12:48:42 -0500 (EST)
To: Open Systems Networking
Cc: freebsd-security@FreeBSD.ORG
Subject: Amazing wonder packet sneaks by deny all rule?

>>>>> "Open" == Open Systems Networking writes:

Open> It's really late/early this morning and I was just checking the
Open> rule set on a client's machine I just built. When I saw this:
Open>
Open> 65534 195 14104 deny log ip from any to any
Open> 65535 1 76 deny ip from any to any
Open>
Open> Now maybe it's my lack of sleep, but how did that amazing wonder
Open> packet on rule 65535 sneak by 65534 :-) A fluke? A 1 in a
Open> million chance? A possessed packet? This isn't exactly the kind
Open> of thing that instills confidence in one's choice of firewall
Open> software :-) It's ipfw BTW, if you can't tell from the syntax, not
Open> ipfilter. I have NEVER seen this happen before, so I'm guessing
Open> it's just a freak accident. But it is curious nonetheless.

Actually, it was likely a packet that occurred between the 'ipfw flush' and
the subsequent 'ipfw add 65534' line. I see this all the time on our busier
firewalls.
Dave.

-- 
|David Gilbert, Velocet Communications. | Two things can only be      |
|Mail: dgilbert@velocet.net             | equal if and only if they   |
|http://www.velocet.net/~dgilbert       | are precisely opposite.     |
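A check for the reload window Dave describes, added here as an example and not part of the original mail or of ipfw: it parses `ipfw -a list` style output (the samples below are constructed in the counter layout quoted above) and reports any rule after the explicit "deny log" catch-all that has counted packets. On the box quoted above, such packets were still dropped by rule 65535; they just never made it into the log.

```shell
#!/bin/sh
# Constructed sample of `ipfw -a list` output in the layout quoted above:
# rule number, packet count, byte count, then the rule body.
SAMPLE_LIST='00100 12 1024 allow ip from any to any via lo0
65534 195 14104 deny log ip from any to any
65535 1 76 deny ip from any to any'

# Same layout, but nothing has reached the default rule: no reload window was hit.
CLEAN_LIST='00100 12 1024 allow ip from any to any via lo0
65534 195 14104 deny log ip from any to any
65535 0 0 deny ip from any to any'

# Print the numbers of rules that come after the explicit catch-all
# "deny log ip from any to any" yet carry a nonzero packet count.
# Any output means traffic was judged while the explicit rule set was not
# loaded (e.g. between 'ipfw flush' and the 'ipfw add' that restores the
# catch-all), so those packets hit the kernel default rule instead of the
# logging rule. Empty output means no such packets.
unlogged_denies() {
    printf '%s\n' "$1" | awk '
        NF < 4 { next }
        /deny log ip from any to any/ { seen = 1; next }
        seen && ($2 + 0) > 0 { print $1 }
    '
}

# Real usage: unlogged_denies "$(ipfw -a list)"
unlogged_denies "$SAMPLE_LIST"
```

Run it after each rule reload; a growing count on 65535 across reloads is the flush-to-add window being hit repeatedly.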