From owner-freebsd-security Mon May 21 4:45:27 2001
Delivered-To: freebsd-security@freebsd.org
Received: from sivka.carrier.kiev.ua (sivka.carrier.kiev.ua [193.193.193.101]) by hub.freebsd.org (Postfix) with ESMTP id 82F1637B42C for ; Mon, 21 May 2001 04:45:21 -0700 (PDT) (envelope-from diman@asd-g.com)
Received: from core.is.kiev.ua (p187.is.kiev.ua [62.244.5.187] (may be forged)) by sivka.carrier.kiev.ua (8/Kilkenny_is_better) with ESMTP id ORK05445; Mon, 21 May 2001 14:45:12 +0300 (EEST) (envelope-from diman@asd-g.com)
Received: from [10.203.1.10] ([10.203.1.10]) by core.is.kiev.ua (8.11.1/ASDG-2.3-NR) with ESMTP id f4LBjBM64945; Mon, 21 May 2001 14:45:11 +0300 (EEST) (envelope-from diman@asd-g.com)
Date: Mon, 21 May 2001 12:41:52 +0000 (GMT)
From: diman
X-Sender: diman@portal.none.ua
To: Lowell Gilbert
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IPFW Rule -1 Always = Attack?
In-Reply-To: <44y9rtf9ox.fsf@lowellg.ne.mediaone.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On 19 May 2001, Lowell Gilbert wrote:

> dwplists@loop.com (D. W. Piper) writes:
>
> > If I understand things correctly from the archives and the IPFW man
> > page, IPFW rule -1 is built into the firewall, and only applies to
> > rejecting IP fragments with a fragment offset of one. The man page
> > further states, "This is a valid packet, but it only has one use, to try
> > to circumvent firewalls."
> >
> > Does that mean that every packet dropped by rule -1 indicates a
> > deliberate attempt to circumvent the firewall, and should be reported to
> > the appropriate network administrator for the source IP address?
>
> It's *possible* that the rule could be triggered by something that
> wasn't an attack.
> Thinking about it briefly, it seems slightly more
> likely that it's part of a probe, rather than an actual attack.
> However, reporting to the network administrator for that address is
> almost certainly useless in any case, because an attacker would
> probably have spoofed that address anyway. [An attacker wouldn't ever
> get any response from that packet in any case.]

Attacker can get an answer from a destination host. It's an ipfw between if he won't. Easy rule :)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
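The check the thread is discussing, the built-in ipfw decision that drops any IP fragment whose fragment offset is exactly 1 before the user's ruleset is consulted, is small enough to show end to end. The following Python is an added example written for this archive page; it is not ipfw source and not code posted by anyone in the thread. It parses a raw IPv4 header (flags, fragment offset, identification, checksum), reproduces the rule -1 verdict, and formats a log line a defender could compare against ipfw's own "rule -1" log entries. All packets it inspects are constructed inline (documentation addresses 192.0.2.x and 198.51.100.x); the helper and function names are this example's own.

```python
import struct

IP_DF = 0x4000            # don't-fragment flag bit in the flags/offset field
IP_MF = 0x2000            # more-fragments flag bit
FRAG_OFFSET_MASK = 0x1FFF # low 13 bits: fragment offset in 8-byte units


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_packet(src: str, dst: str, proto: int, ident: int,
                      flags_frag: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4 packet (20-byte header, no options).

    Only used to create the constructed sample input below.
    """
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4_header(pkt: bytes) -> dict:
    """Parse the fields a fragment check needs; reject malformed headers."""
    if len(pkt) < 20:
        raise ValueError("shorter than the minimum IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad header length")
    if ipv4_checksum(pkt[:ihl]) != 0:       # a valid header sums to zero
        raise ValueError("bad header checksum")
    return {
        "ihl": ihl,
        "total_len": total_len,
        "ident": ident,
        "dont_fragment": bool(flags_frag & IP_DF),
        "more_fragments": bool(flags_frag & IP_MF),
        "frag_offset": flags_frag & FRAG_OFFSET_MASK,
        "protocol": proto,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
    }


def checksum_ok(pkt: bytes) -> bool:
    """True if the header parses cleanly, False if it is malformed."""
    try:
        parse_ipv4_header(pkt)
        return True
    except ValueError:
        return False


def ipfw_rule_minus1(hdr: dict) -> str:
    """Mirror the verdict of ipfw's implicit rule -1, applied before the
    user ruleset: a fragment at offset exactly 1 (8 bytes into the original
    datagram) is denied; every other packet, fragmented or not, passes on."""
    return "deny" if hdr["frag_offset"] == 1 else "pass"


def log_line(hdr: dict, verdict: str) -> str:
    """Log format is this example's own, not ipfw's exact syslog wording."""
    frag = ""
    if hdr["more_fragments"] or hdr["frag_offset"]:
        frag = (f" frag id={hdr['ident']} off={hdr['frag_offset'] * 8}B"
                f" mf={int(hdr['more_fragments'])}")
    return f"rule -1: {verdict} proto={hdr['protocol']} {hdr['src']} -> {hdr['dst']}{frag}"


# Constructed sample packets (TCP, proto 6), labelled by what they represent.
SRC, DST = "192.0.2.10", "198.51.100.5"
SAMPLES = {
    "unfragmented":   build_ipv4_packet(SRC, DST, 6, 0x1234, 0,          b"\x00" * 20),
    "first_fragment": build_ipv4_packet(SRC, DST, 6, 0x1235, IP_MF,      b"\x00" * 1480),
    "offset_one":     build_ipv4_packet(SRC, DST, 6, 0x1235, IP_MF | 1,  b"\x00" * 8),
    "later_fragment": build_ipv4_packet(SRC, DST, 6, 0x1235, 185,        b"\x00" * 100),
}


def classify_all(samples=SAMPLES) -> dict:
    """Run every sample through the rule -1 check; returns name -> verdict."""
    return {name: ipfw_rule_minus1(parse_ipv4_header(pkt)) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        hdr = parse_ipv4_header(pkt)
        print(f"{name:15s} {log_line(hdr, ipfw_rule_minus1(hdr))}")
```

Only the "offset_one" sample is denied; a normal first fragment (offset 0 with MF set) and a normal continuation fragment (offset 185, i.e. 1480 bytes in) both pass on to the ruleset, which is the point made in the thread: rule -1 matches one very specific shape of packet, not fragmentation in general, so counting its hits separately from ordinary fragment traffic is cheap.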