Date: Thu, 24 Jan 2002 17:48:03 -0500
From: "alexus" <ml@db.nexgen.com>
To: "Barry Irwin" <bvi@itouchlabs.com>
Cc: <freebsd-ipfw@freebsd.org>
Subject: Re: Fw: -1 refuse ?
Message-ID: <024e01c1a529$2eafa630$0d00a8c0@alexus>
References: <007f01c1a381$669739e0$0d00a8c0@alexus> <20020122222308.B32746@itouchlabs.com>

thank you for explanations

----- Original Message -----
From: "Barry Irwin" <bvi@itouchlabs.com>
To: "alexus" <ml@db.nexgen.com>
Cc: <freebsd-ipfw@freebsd.org>
Sent: Tuesday, January 22, 2002 3:23 PM
Subject: Re: Fw: -1 refuse ?

> from ipfw(8) man page:
>
> FINE POINTS
>      o   There is one kind of packet that the firewall will always discard,
>          that is a TCP packet's fragment with a fragment offset of one. This
>          is a valid packet, but it only has one use, to try to circumvent
>          firewalls. When logging is enabled, these packets are reported as
>          being dropped by rule -1.
>
>
> this is caught by the kernel, and not by your rules listed below.
>
> ICMP redirects probably have nothing to do with this.
>
> Barry
>
>
> On Tue 2002-01-22 (15:14), alexus wrote:
> >
> > or like other day i got this
> >
> > icmp redirect from 66.157.145.63: 10.10.10.101 => 10.10.10.100
> > icmp redirect from 66.157.145.63: 10.10.10.101 => 10.10.10.100
> > icmp redirect from 66.157.145.63: 10.10.10.101 => 10.10.10.100
> > icmp redirect from 66.157.145.63: 10.10.10.101 => 10.10.10.100
> > icmp redirect from 66.157.145.63: 10.10.10.101 => 10.10.10.100
> >
> > Subject: -1 refuse ?
> >
> >
> > i just never seen anything like that
> >
> > ipfw: -1 Refuse TCP 207.202.255.35 66.181.169.114 in via fxp0 (frag 0:20@8)
> > ipfw: -1 Refuse TCP 207.202.255.35 66.181.169.114 in via fxp0 (frag 0:20@8)
> > ipfw: -1 Refuse TCP 207.202.255.35 66.181.169.114 in via fxp0 (frag 0:20@8)
> > ipfw: -1 Refuse TCP 207.202.255.35 66.181.169.114 in via fxp0 (frag 0:20@8)
> >
> > c# ipfw show|grep deny
> > 00200 0 0 deny ip from any to 127.0.0.0/8
> > 00300 0 0 deny ip from 127.0.0.0/8 to any
> > 01313 11 528 deny tcp from any to any 65535 in recv fxp0
> > 03306 0 0 deny tcp from any to any 3306 in recv fxp0
> > 65535 1 60 deny ip from any to any
> > c#
> >
> > which rule it did deny??
> >
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-ipfw" in the body of the message
> >
> >
>
> --
> Barry Irwin bvi@itouchlabs.com +27214875150
> Systems Administrator: Networks And Security
> Itouch Labs http://www.itouchlabs.com South Africa
>
>
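
Added example, not part of the original thread or of ipfw itself: a small log triage script that answers the "which rule it did deny??" question by attributing each logged drop either to a rule in the `ipfw show` output or to the kernel's offset-one TCP fragment check described in the man page excerpt. It assumes the `(frag A:B@C)` suffix means id:length@byte-offset with a trailing `+` for more-fragments; the second and third log lines are constructed, and the function names are hypothetical.

```python
import re

# Line 1 is the entry quoted in the thread; lines 2-3 are constructed samples.
SAMPLE_LOG = """\
ipfw: -1 Refuse TCP 207.202.255.35 66.181.169.114 in via fxp0 (frag 0:20@8)
ipfw: 1313 Deny TCP 192.0.2.7:4021 198.51.100.9:65535 in via fxp0
ipfw: 65535 Deny UDP 192.0.2.7 198.51.100.9 in via fxp0 (frag 512:1480@1480+)
"""

# The deny rules from the thread's `ipfw show|grep deny` output.
SHOW_OUTPUT = """\
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
01313 11 528 deny tcp from any to any 65535 in recv fxp0
03306 0 0 deny tcp from any to any 3306 in recv fxp0
65535 1 60 deny ip from any to any
"""

LINE_RE = re.compile(
    r"ipfw: (?P<rule>-?\d+) (?P<action>\w+) (?P<proto>\S+) (?P<src>\S+) "
    r"(?P<dst>\S+) (?:in|out) via (?P<iface>\S+)"
    r"(?: \(frag (?P<id>\d+):(?P<len>\d+)@(?P<off>\d+)(?P<mf>\+?)\))?")

def parse_line(line):
    """Return a dict for one ipfw log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    # Assumption: '@N' is a byte offset; the IP header field counts 8-byte units.
    rec["frag_field"] = None if rec["off"] is None else int(rec["off"]) // 8
    return rec

def is_offset_one_tcp_drop(rec):
    """True for the always-discarded case from the man page's FINE POINTS."""
    return rec["rule"] == -1 and rec["proto"] == "TCP" and rec["frag_field"] == 1

def attribute(log_text, show_text):
    """Label each logged drop: a rule from `ipfw show` or the kernel check."""
    listed = {int(ln.split()[0]) for ln in show_text.splitlines() if ln.strip()}
    result = []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        origin = ("kernel fragment check" if is_offset_one_tcp_drop(rec)
                  else "ruleset" if rec["rule"] in listed
                  else "not in listed rules")
        result.append((rec["rule"], rec["src"], origin))
    return result
```

Calling `attribute(SAMPLE_LOG, SHOW_OUTPUT)` returns one `(rule, source, origin)` tuple per parsed log line.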