Date: 19 May 2001 14:57:50 -0400
From: Lowell Gilbert <lowell@world.std.com>
To: freebsd-security@freebsd.org
Subject: Re: IPFW Rule -1 Always = Attack?
Message-ID: <44y9rtf9ox.fsf@lowellg.ne.mediaone.net>
In-Reply-To: dwplists@loop.com's message of "18 May 2001 19:32:59 +0200"
References: <200105181518.WAA12362@bazooka.cs.ait.ac.th> <046c01c0dfc0$833e7fc0$213cd3cf@loop.com>

dwplists@loop.com (D. W. Piper) writes:

> If I understand things correctly from the archives and the IPFW man
> page, IPFW rule -1 is built into the firewall, and only applies to
> rejecting IP fragments with a fragment offset of one. The man page
> further states, "This is a valid packet, but it only has one use, to try
> to circumvent firewalls."
>
> Does that mean that every packet dropped by rule -1 indicates a
> deliberate attempt to circumvent the firewall, and should be reported to
> the appropriate network administrator for the source IP address?

It's *possible* that the rule could be triggered by something that
wasn't an attack. Thinking about it briefly, it seems slightly more
likely that it's part of a probe, rather than an actual attack.

However, reporting to the network administrator for that address is
almost certainly useless in any case, because an attacker would probably
have spoofed that address anyway. [An attacker wouldn't ever get any
response from that packet in any case.]

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
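
The condition described in the quoted man-page text, as an added example that is not part of the original message and not ipfw's own code: it reads the fragmentation fields from a raw IPv4 header and flags fragments with an offset of one, the way a log-triage script might. Restricting the flag to TCP, the function names and the sample headers are assumptions constructed for this example.

```python
import socket
import struct

IPPROTO_TCP = 6
IPPROTO_UDP = 17


def frag_fields(header: bytes):
    """Return (protocol, more_fragments, fragment_offset) from an IPv4 header."""
    if len(header) < 20:
        raise ValueError("IPv4 header needs at least 20 bytes")
    ver_ihl, _tos, _len, _id, flags_off, _ttl, proto = struct.unpack(
        "!BBHHHBB", header[:10])
    if ver_ihl >> 4 != 4 or (ver_ihl & 0x0F) < 5:
        raise ValueError("not a valid IPv4 header")
    # Bit 0x2000 is "more fragments"; the low 13 bits are the offset,
    # counted in 8-byte units.
    return proto, bool(flags_off & 0x2000), flags_off & 0x1FFF


def classify(header: bytes) -> str:
    """Label a packet by its fragmentation state."""
    proto, more, offset = frag_fields(header)
    if offset == 0:
        return "first-fragment" if more else "unfragmented"
    # Offset 1 means the payload starts at byte 8 of the transport header.
    # Assumption: only TCP is flagged here.
    if offset == 1 and proto == IPPROTO_TCP:
        return "tcp-offset-one"
    return "later-fragment"


def sample_header(proto: int, more: bool, offset: int) -> bytes:
    """Constructed 20-byte header (documentation addresses, zero checksum)."""
    flags_off = (0x2000 if more else 0) | (offset & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, flags_off, 64,
                       proto, 0, socket.inet_aton("192.0.2.1"),
                       socket.inet_aton("198.51.100.1"))


if __name__ == "__main__":
    for proto, more, off in [(IPPROTO_TCP, False, 0), (IPPROTO_TCP, True, 0),
                             (IPPROTO_TCP, False, 1), (IPPROTO_UDP, False, 1),
                             (IPPROTO_TCP, False, 185)]:
        print(proto, more, off, classify(sample_header(proto, more, off)))
```
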