From owner-freebsd-security Wed Mar 14 8: 6: 2 2001
Delivered-To: freebsd-security@freebsd.org
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id 9606637B718 for ; Wed, 14 Mar 2001 08:05:58 -0800 (PST) (envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id IAA47316; Wed, 14 Mar 2001 08:05:25 -0800 (PST) (envelope-from freebsd)
From: "Rodney W. Grimes"
Message-Id: <200103141605.IAA47316@gndrsh.dnsmgr.net>
Subject: Re: ipfw rule -1?
In-Reply-To: <20010313232014.B496@cjc-desktop.users.reflexcom.com> from "Crist J. Clark" at "Mar 13, 2001 11:20:14 pm"
To: cjclark@alum.mit.edu
Date: Wed, 14 Mar 2001 08:05:25 -0800 (PST)
Cc: alan@batie.org (Alan Batie), security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> On Tue, Mar 13, 2001 at 08:40:20AM -0800, Alan Batie wrote:
> > I'm seeing a few of these in my ipfw log and was wondering what rule -1 is?
> > I couldn't find anything about it in the man page...
> >
> > > ipfw: -1 Refuse TCP 62.29.124.91:20041 199.2.210.241:17227 in via etha16
> > > ipfw: -1 Refuse TCP 62.29.124.91:20041 199.2.210.241:17227 in via etha16
> > > ipfw: -1 Refuse TCP 62.29.124.91:20041 199.2.210.241:17227 in via etha16
> > > ipfw: -1 Refuse TCP 62.29.124.91:97 199.2.210.241:29540 in via etha16
> > > ipfw: -1 Refuse TCP 62.29.124.91:20041 199.2.210.241:17227 in via etha16
>
> The manpage does not go as far as to indicate that this is rule -1,
> but it does say this happens,
>
>      FINE POINTS
>      o There is one kind of packet that the firewall will always discard,
>        that is a TCP packet's fragment with a fragment offset of one. This
>        is a valid packet, but it only has one use, to try to circumvent
>        firewalls.
>
> Rule -1 is given for any packet dropped, but not dropped due to a user
> rule or the default rule. A quick look at the source indicates the
> above pseudo-rule and some other fragment issues (bogusfrag) are the
> only such situations.
>
> OK, I've answered this one enough times now. Should I send in a PR
> with patch to the manpage or is this for the FAQ?

Patch the manpage, and the FAQ. Specifically mention the rule number -1
as being a builtin unalterable set of rules, and describe exactly what
those rules are.

Thanks,
-- 
Rod Grimes - KD7CAX @ CN85sl - (RWG25)              rgrimes@gndrsh.dnsmgr.net
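The thread describes two things worth seeing in code: the one builtin check the ipfw(8) manpage documents (a TCP fragment with fragment offset 1 is always discarded), and the fact that such drops are logged under the pseudo-rule number -1 rather than any user rule. The block below is an added example written for this page; it is not ipfw's own code and is not from any participant in the thread. It reproduces only the documented offset-1 check for IPv4 (the "other fragment issues (bogusfrag)" mentioned above are not reimplemented here), and it parses log lines in the format quoted above so that -1 drops can be separated from numbered-rule drops. The function names, the regex, and the sample log lines beyond the two copied from the thread are assumptions made for the example. For background, the reason the offset-1 fragment is always dropped is the classic tiny-fragment overlap from RFC 1858: fragment offset 1 means an 8-byte offset into the TCP header, so a second fragment can overwrite the flags that the first fragment (the one a stateless filter inspects) carried.

```python
import re
import struct

IPPROTO_TCP = 6
IPPROTO_UDP = 17
IP_OFFMASK = 0x1FFF   # low 13 bits of the flags/fragment field, in 8-byte units
IP_MF = 0x2000        # "more fragments" flag


# --- Part 1: the builtin check behind "rule -1" (IPv4 only, as in ipfw of 2001) ---

def ipv4_proto_and_frag_offset(pkt: bytes):
    """Return (protocol, fragment offset in 8-byte units) from a raw IPv4 header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    # version/IHL, TOS, total length, id, flags+fragment offset, TTL, protocol
    _, _, _, _, flags_frag, _, proto = struct.unpack_from("!BBHHHBB", pkt, 0)
    return proto, flags_frag & IP_OFFMASK


def builtin_drop(pkt: bytes) -> bool:
    """True if the packet is a TCP fragment whose fragment offset is exactly 1,
    the case the ipfw(8) FINE POINTS section says is always discarded."""
    proto, off = ipv4_proto_and_frag_offset(pkt)
    return proto == IPPROTO_TCP and off == 1


def build_ipv4(proto: int, frag_offset: int, more_fragments: bool = False,
               payload: bytes = b"") -> bytes:
    """Construct a minimal IPv4 header (no options, zero checksum) for testing.
    Source/destination addresses are the ones in the log lines from the thread."""
    flags_frag = (IP_MF if more_fragments else 0) | (frag_offset & IP_OFFMASK)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0x1234, flags_frag,
                         64, proto, 0,
                         bytes([62, 29, 124, 91]), bytes([199, 2, 210, 241]))
    return header + payload


# --- Part 2: separating rule -1 drops from numbered-rule drops in the log -------

# Assumed layout, matching the lines quoted in the thread:
#   ipfw: <rule> <action> <proto> <src>:<port> <dst>:<port> <in|out> via <iface>
LOG_RE = re.compile(
    r"^ipfw: (?P<rule>-?\d+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)$"
)


def parse_ipfw_line(line: str):
    """Parse one ipfw log line; return a dict, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["builtin"] = rec["rule"] == -1   # dropped by a builtin check, not a user/default rule
    return rec


def summarize(log_text: str) -> dict:
    """Count drops by origin: builtin (rule -1) versus numbered rules."""
    counts = {"builtin": 0, "user": 0, "unparsed": 0}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_ipfw_line(line)
        if rec is None:
            counts["unparsed"] += 1
        else:
            counts["builtin" if rec["builtin"] else "user"] += 1
    return counts


# Constructed sample: the first two lines copy the thread's log format; the last
# two are made up here to show numbered rules alongside rule -1.
SAMPLE_LOG = """\
ipfw: -1 Refuse TCP 62.29.124.91:20041 199.2.210.241:17227 in via etha16
ipfw: -1 Refuse TCP 62.29.124.91:97 199.2.210.241:29540 in via etha16
ipfw: 300 Deny TCP 192.0.2.77:4444 199.2.210.241:22 in via etha16
ipfw: 65535 Deny UDP 192.0.2.77:5353 199.2.210.241:53 in via etha16
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print(builtin_drop(build_ipv4(IPPROTO_TCP, 1, payload=b"\0" * 8)))
```

Only the offset-1 TCP fragment trips `builtin_drop`; a first fragment (offset 0 with MF set), a fragment at offset 2, or a UDP fragment at offset 1 all pass this particular check. When reviewing a log, a burst of rule -1 entries from one source is therefore worth treating as a deliberate evasion attempt rather than as noise from a misconfigured user rule.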