From: "alexus"
To: "Barry Irwin"
Subject: Re: Fw: -1 refuse ?
Date: Thu, 24 Jan 2002 17:48:03 -0500
Organization: NexGen

Thank you for the explanations.

----- Original Message -----
From: "Barry Irwin"
To: "alexus"
Sent: Tuesday, January 22, 2002 3:23 PM
Subject: Re: Fw: -1 refuse ?

> From the ipfw(8) man page:
>
> FINE POINTS
>   o There is one kind of packet that the firewall will always discard,
>     that is a TCP packet's fragment with a fragment offset of one.
>     This is a valid packet, but it only has one use, to try to
>     circumvent firewalls. When logging is enabled, these packets are
>     reported as being dropped by rule -1.
>
> This is caught by the kernel, and not by your rules listed below.
>
> ICMP redirects probably have nothing to do with this.
>
> Barry
>
> On Tue 2002-01-22 (15:14), alexus wrote:
> >
> > Or like the other day I got this:
> >
> > icmp redirect from 66.157.145.63: 10.10.10.101 => 10.10.10.100
> > icmp redirect from 66.157.145.63: 10.10.10.101 => 10.10.10.100
> > icmp redirect from 66.157.145.63: 10.10.10.101 => 10.10.10.100
> > icmp redirect from 66.157.145.63: 10.10.10.101 => 10.10.10.100
> > icmp redirect from 66.157.145.63: 10.10.10.101 => 10.10.10.100
> >
> > Subject: -1 refuse ?
> >
> > I've just never seen anything like that:
> >
> > ipfw: -1 Refuse TCP 207.202.255.35 66.181.169.114 in via fxp0 (frag 0:20@8)
> > ipfw: -1 Refuse TCP 207.202.255.35 66.181.169.114 in via fxp0 (frag 0:20@8)
> > ipfw: -1 Refuse TCP 207.202.255.35 66.181.169.114 in via fxp0 (frag 0:20@8)
> > ipfw: -1 Refuse TCP 207.202.255.35 66.181.169.114 in via fxp0 (frag 0:20@8)
> >
> > c# ipfw show|grep deny
> > 00200     0     0 deny ip from any to 127.0.0.0/8
> > 00300     0     0 deny ip from 127.0.0.0/8 to any
> > 01313    11   528 deny tcp from any to any 65535 in recv fxp0
> > 03306     0     0 deny tcp from any to any 3306 in recv fxp0
> > 65535     1    60 deny ip from any to any
> > c#
> >
> > Which rule did it deny?
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-ipfw" in the body of the message
>
> --
> Barry Irwin  bvi@itouchlabs.com  +27214875150
> Systems Administrator: Networks And Security
> Itouch Labs  http://www.itouchlabs.com  South Africa
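An added example, not part of the thread or of ipfw itself: a small parser for ipfw log lines of the shape quoted above that separates the kernel's built-in rule -1 drops (a TCP fragment at offset 1) from drops by numbered user rules, plus the equivalent test on a raw IPv4 header. The function names are mine; the second sample log line is constructed, and the reading of the "(frag id:len@off)" field as IP id, payload bytes and byte offset is an assumption.

```python
import re
import struct
from typing import List, Optional

# Shape of an ipfw syslog line as quoted in the thread, e.g.
#   ipfw: -1 Refuse TCP 207.202.255.35 66.181.169.114 in via fxp0 (frag 0:20@8)
# Ports are missing on non-first fragments (no TCP header to read them from).
# ASSUMPTION: "(frag id:len@off)" is IP id, payload bytes and fragment offset
# in bytes, with a trailing "+" when more fragments follow.
LOG_RE = re.compile(
    r"ipfw:\s+(?P<rule>-?\d+)\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+(?P<dst>[\d.]+)(?::\d+)?"
    r"\s+(?P<dir>in|out)\s+via\s+(?P<iface>\S+)"
    r"(?:\s+\(frag\s+(?P<ipid>\d+):(?P<flen>\d+)@(?P<foff>\d+)\+?\))?"
)

def parse_ipfw_log(line: str) -> Optional[dict]:
    """Parse one ipfw log line into a dict; None if the line is not ipfw output."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    d["rule"] = int(d["rule"])
    for k in ("ipid", "flen", "foff"):
        d[k] = int(d[k]) if d[k] is not None else None
    return d

def is_kernel_frag_drop(entry: dict) -> bool:
    """Built-in drop: rule -1 on a TCP fragment whose offset is 1 (8 bytes)."""
    return entry["rule"] == -1 and entry["proto"] == "TCP" and entry["foff"] == 8

def ipv4_tcp_frag_offset_one(header: bytes) -> bool:
    """Same test on a raw IPv4 header: protocol 6 and 13-bit fragment offset == 1."""
    if len(header) < 20 or header[0] >> 4 != 4:
        return False
    flags_off = struct.unpack("!H", header[6:8])[0]
    return header[9] == 6 and (flags_off & 0x1FFF) == 1

def kernel_frag_drops(lines: List[str]) -> List[dict]:
    """Return only the entries the kernel refused before any user rule ran."""
    parsed = (parse_ipfw_log(l) for l in lines)
    return [e for e in parsed if e is not None and is_kernel_frag_drop(e)]

# Constructed sample: the line from the thread plus an ordinary rule-1313 deny.
SAMPLE_LOG = [
    "ipfw: -1 Refuse TCP 207.202.255.35 66.181.169.114 in via fxp0 (frag 0:20@8)",
    "ipfw: 1313 Deny TCP 192.0.2.7:40000 192.0.2.9:65535 in via fxp0",
]
```

Feeding a real /var/log/security through kernel_frag_drops() lists only the packets the kernel discarded on its own, which is the set the numbered rules in "ipfw show" will never count.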