From owner-freebsd-security Wed Mar 14 23:43:18 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82])
	by hub.freebsd.org (Postfix) with ESMTP id A3FD537B71A
	for ; Wed, 14 Mar 2001 23:43:16 -0800 (PST)
	(envelope-from cjc@rfx-216-196-73-168.users.reflexcom.com)
Received: from rfx-216-196-73-168.users.reflexcom.com ([216.196.73.168])
	by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19);
	Wed, 14 Mar 2001 23:41:16 -0800
Received: (from cjc@localhost)
	by rfx-216-196-73-168.users.reflexcom.com (8.11.1/8.11.1) id f2F7hHd24720;
	Wed, 14 Mar 2001 23:43:17 -0800 (PST)
	(envelope-from cjc)
Date: Wed, 14 Mar 2001 23:43:17 -0800
From: "Crist J. Clark"
To: Udo Erdelhoff
Cc: security@FreeBSD.ORG
Subject: Re: ipfw rule -1?
Message-ID: <20010314234317.F496@cjc-desktop.users.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References: <20010313084020.A5859@agora.rdrop.com> <20010313232014.B496@cjc-desktop.users.reflexcom.com> <20010314220613.L83336@nathan.ruhr.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010314220613.L83336@nathan.ruhr.de>; from ue@nathan.ruhr.de on Wed, Mar 14, 2001 at 10:06:14PM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Mar 14, 2001 at 10:06:14PM +0100, Udo Erdelhoff wrote:
> On Tue, Mar 13, 2001 at 11:20:14PM -0800, Crist J. Clark wrote:
> > Rule -1 is given for any packet dropped, but not dropped due to a user
> > rule or the default rule. A quick look at the source indicates the
> > above pseudo-rule and some other fragment issues (bogusfrag) are the
> > only such situations.
>
> Hmm, I have the following setup: A -current box mounts /usr/src5 and
> /usr/obj5 via NFS from a RELENG_4 box. Doing "make installworld" fails
> as soon as there's a fragmented NFS packet - the fragments are dropped
> by rule -1.

The only time UDP packets would be dropped is when a m_pullup() call
fails. I am not sure what that implies, but it does not sound good. I
don't think that should be failing.
-- 
Crist J. Clark                           cjclark@alum.mit.edu