Date: Tue, 5 Nov 1996 23:03:13 +1100 (EDT)
From: Darren Reed <avalon@coombs.anu.edu.au>
To: cliff@st.simbirsk.su (Viacheslav Andreev)
Cc: freebsd-hackers@freebsd.org, freebsd-security@freebsd.org
Subject: Re: ip_fw.c - bug or feature ?
Message-ID: <199611051207.EAA27875@freefall.freebsd.org>
In-Reply-To: <199611050930.AA26920@mpool.st.simbirsk.su> from "Viacheslav Andreev" at Nov 5, 96 12:30:08 pm

In some mail from Viacheslav Andreev, sie said:
>
> Hi!
>
> I am not sure, this is a bug or feature.
> While trying to disable tcp traffic for some port, f.e.
>
> ipfw add 1070 deny log tcp from any to 192.168.0.1 80
>
> , there are false dropping of fragmented (i.e. 2-nd and next-s without
> tcp port info) packets of ftp traffic. IMHO, it is a result of
> matching fragments over firewall rules with tcp port specs :

bug. A rule with port fields or TCP flags to match should not match
a fragment.

Darren

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199611051207.EAA27875>
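
The check described in the reply above, as an added example that is not part of the original message or of ip_fw.c: a rule carrying a port spec looks at the IPv4 fragment offset first and declines to match any fragment after the first, since those bytes are TCP data, not a TCP header. The names struct rule, rule_matches and demo, the assumption that a rule without a port spec still matches on header fields alone, and the packet bytes are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IP_OFFMASK 0x1fff   /* low 13 bits of the flags/offset word */
#define PROTO_TCP  6

/* Hypothetical rule: "deny tcp from any to dst_addr [dst_port]". */
struct rule { uint32_t dst_addr; uint16_t dst_port; /* 0 = no port spec */ };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) { return ((uint32_t)be16(p) << 16) | be16(p + 2); }

/* Returns 1 when the rule matches the IPv4 packet, 0 otherwise. */
int rule_matches(const struct rule *r, const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;
    if (hlen < 20 || len < hlen) return 0;
    if (pkt[9] != PROTO_TCP || be32(pkt + 16) != r->dst_addr) return 0;
    if (r->dst_port == 0) return 1;          /* no port spec: header fields suffice */
    if ((be16(pkt + 6) & IP_OFFMASK) != 0)   /* later fragment: no TCP header present */
        return 0;
    if (len < hlen + 4) return 0;            /* too short to hold the port fields */
    return be16(pkt + hlen + 2) == r->dst_port;
}

/* Constructed sample: TCP/IPv4 packet to 192.168.0.1 with the given fragment
 * offset (8-byte units); payload bytes 2..3 are set to `word`. */
int demo(uint16_t rule_port, uint16_t frag_off, uint16_t word)
{
    uint8_t pkt[28];
    struct rule r = { 0xC0A80001u, rule_port };
    memset(pkt, 0, sizeof pkt);
    pkt[0] = 0x45;                            /* IPv4, 20-byte header */
    pkt[6] = (uint8_t)(frag_off >> 8);
    pkt[7] = (uint8_t)(frag_off & 0xff);
    pkt[9] = PROTO_TCP;
    pkt[16] = 192; pkt[17] = 168; pkt[18] = 0; pkt[19] = 1;
    pkt[22] = (uint8_t)(word >> 8);
    pkt[23] = (uint8_t)(word & 0xff);
    return rule_matches(&r, pkt, sizeof pkt);
}

int main(void)
{   /* exit status 0: the port rule leaves a later fragment alone */
    return demo(80, 185, 80);
}
```

Without the offset test, the third case in the checks (a later fragment whose data happens to contain 0x0050 where the destination port would sit) is dropped by the port 80 rule, which is the false match reported in the quoted message.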