Date: Wed, 14 Mar 2001 23:43:17 -0800
From: "Crist J. Clark" <cjclark@reflexnet.net>
To: Udo Erdelhoff <ue@nathan.ruhr.de>
Cc: security@FreeBSD.ORG
Subject: Re: ipfw rule -1?
Message-ID: <20010314234317.F496@cjc-desktop.users.reflexcom.com>
In-Reply-To: <20010314220613.L83336@nathan.ruhr.de>; from ue@nathan.ruhr.de on Wed, Mar 14, 2001 at 10:06:14PM +0100
References: <20010313084020.A5859@agora.rdrop.com> <20010313232014.B496@cjc-desktop.users.reflexcom.com> <20010314220613.L83336@nathan.ruhr.de>
On Wed, Mar 14, 2001 at 10:06:14PM +0100, Udo Erdelhoff wrote:
> On Tue, Mar 13, 2001 at 11:20:14PM -0800, Crist J. Clark wrote:
> > Rule -1 is given for any packet dropped, but not dropped due to a user
> > rule or the default rule. A quick look at the source indicates the
> > above pseudo-rule and some other fragment issues (bogusfrag) are the
> > only such situations.
>
> Hmm, I have the following setup: A -current box mounts /usr/src5 and
> /usr/obj5 via NFS from a RELENG_4 box. Doing "make installworld" fails
> as soon as there's a fragmented NFS packet - the fragments are dropped
> by rule -1.

The only time UDP packets would be dropped is when a m_pullup() call
fails. I am not sure what that implies, but it does not sound good. I
don't think that should be failing.
--
Crist J. Clark                           cjclark@alum.mit.edu