Date: Mon, 21 May 2001 12:41:52 +0000 (GMT)
From: diman <diman@asd-g.com>
To: Lowell Gilbert <lowell@world.std.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IPFW Rule -1 Always = Attack?
Message-ID: <Pine.BSF.4.21.0105211239160.199-100000@portal.none.ua>
In-Reply-To: <44y9rtf9ox.fsf@lowellg.ne.mediaone.net>

On 19 May 2001, Lowell Gilbert wrote:

> dwplists@loop.com (D. W. Piper) writes:
>
> > If I understand things correctly from the archives and the IPFW man
> > page, IPFW rule -1 is built into the firewall, and only applies to
> > rejecting IP fragments with a fragment offset of one. The man page
> > further states, "This is a valid packet, but it only has one use, to try
> > to circumvent firewalls."
> >
> > Does that mean that every packet dropped by rule -1 indicates a
> > deliberate attempt to circumvent the firewall, and should be reported to
> > the appropriate network administrator for the source IP address?
>
> It's *possible* that the rule could be triggered by something that
> wasn't an attack. Thinking about it briefly, it seems slightly more
> likely that it's part of a probe, rather than an actual attack.
> However, reporting to the network administrator for that address is
> almost certainly useless in any case, because an attacker would
> probably have spoofed that address anyway. [An attacker wouldn't ever
> get any response from that packet in any case.]

An attacker can get an answer from a destination host. It's an ipfw between if he won't.
Easy rule :)

>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
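
The condition discussed in this thread, as an added example that is not part of the original message and is not ipfw's own code: a small IPv4 header check that flags fragments whose fragment offset field is one, as the quoted man page text describes for rule -1. The function names and the sample headers (documentation addresses, checksum left at zero) are constructed for illustration.

```python
import struct

MF_FLAG = 0x2000       # "more fragments" bit in the flags/offset word
OFFSET_MASK = 0x1FFF   # 13-bit fragment offset, counted in 8-byte units


def build_ipv4_header(frag_offset_units, more_fragments, proto=6):
    """Constructed sample: a bare 20-byte IPv4 header (hypothetical helper)."""
    flags_frag = (MF_FLAG if more_fragments else 0) | (frag_offset_units & OFFSET_MASK)
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, 0x1234, flags_frag, 64, proto, 0,
        bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]),
    )


def classify_fragment(packet):
    """Classify a raw IPv4 packet by its fragmentation fields."""
    if len(packet) < 20:
        return "malformed"
    if packet[0] >> 4 != 4:
        return "not-ipv4"
    header_len = (packet[0] & 0x0F) * 4
    if header_len < 20 or len(packet) < header_len:
        return "malformed"
    (flags_frag,) = struct.unpack_from("!H", packet, 6)
    offset = flags_frag & OFFSET_MASK
    if offset == 1:
        # Payload of this fragment would start 8 bytes into the datagram's
        # payload; this is the case the thread says rule -1 rejects.
        return "offset-one"
    if offset == 0:
        return "first-fragment" if flags_frag & MF_FLAG else "unfragmented"
    return "later-fragment"


if __name__ == "__main__":
    samples = {
        "normal packet": build_ipv4_header(0, False),
        "first fragment": build_ipv4_header(0, True),
        "offset 185 fragment": build_ipv4_header(185, False),
        "offset 1 fragment": build_ipv4_header(1, False),
    }
    for name, pkt in samples.items():
        print(f"{name}: {classify_fragment(pkt)}")
```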
