Date:      19 May 2001 14:57:50 -0400
From:      Lowell Gilbert <lowell@world.std.com>
To:        freebsd-security@freebsd.org
Subject:   Re: IPFW Rule -1 Always = Attack?
Message-ID:  <44y9rtf9ox.fsf@lowellg.ne.mediaone.net>
In-Reply-To: dwplists@loop.com's message of "18 May 2001 19:32:59 +0200"
References:  <200105181518.WAA12362@bazooka.cs.ait.ac.th> <046c01c0dfc0$833e7fc0$213cd3cf@loop.com>

dwplists@loop.com (D. W. Piper) writes:

> If I understand things correctly from the archives and the IPFW man
> page, IPFW rule -1 is built into the firewall, and only applies to
> rejecting IP fragments with a fragment offset of one.  The man page
> further states, "This is a valid packet, but it only has one use, to try
> to circumvent firewalls."
> 
> Does that mean that every packet dropped by rule -1 indicates a
> deliberate attempt to circumvent the firewall, and should be reported to
> the appropriate network administrator for the source IP address?

It's *possible* that the rule could be triggered by something that
wasn't an attack.  Thinking about it briefly, it seems slightly more
likely that it's part of a probe, rather than an actual attack.
However, reporting to the network administrator for that address is
almost certainly useless in any case, because an attacker would
probably have spoofed that address anyway.  [An attacker wouldn't ever
get any response from that packet in any case.]
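Added example, not from this thread and not FreeBSD's ip_fw.c: the rule -1 check restated in C over constructed sample packets. It flags any IPv4 fragment whose 13-bit fragment offset is exactly 1, matching the man page wording quoted above, and, going beyond the thread, shows why that offset is the one worth a built-in rule: a non-first TCP fragment at offset 1 overlays transport bytes 8 onward, which includes the data-offset and flags bytes, so on reassembly it can overwrite what a filter already approved in fragment 0 (the overlapping-fragment attack of RFC 1858). Function names, the bitmask constants, the 10.0.0.x addresses and the sample packets are this example's own.

```c
/*
 * Added example: the check behind ipfw's built-in rule -1, restated
 * stand-alone. Not FreeBSD's ip_fw.c; names and samples are this
 * example's own. Build with: cc -Wall -o frag frag.c
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_MF           0x2000u /* IPv4 "more fragments" flag              */
#define IP_OFFMASK      0x1fffu /* 13-bit fragment offset, in 8-byte units */
#define IPPROTO_TCP_NUM 6       /* local name, avoids <netinet/in.h>       */

#define MINUS1_MATCH  0x1       /* fragment offset is exactly 1           */
#define FLAGS_OVERLAP 0x2       /* TCP fragment lands on the flags bytes  */

struct frag_info {
    int      valid;       /* 0 when the buffer is not a parseable IPv4 header */
    uint8_t  proto;       /* IP protocol number (6 = TCP, 17 = UDP)           */
    unsigned offset;      /* fragment offset in 8-byte units                  */
    unsigned payload_len; /* transport bytes carried by this fragment         */
};

/* Parse just the fields the fragment check needs; reject truncated input. */
static struct frag_info parse_ipv4(const uint8_t *pkt, size_t len)
{
    struct frag_info fi;
    memset(&fi, 0, sizeof fi);
    if (len < 20 || (pkt[0] >> 4) != 4)
        return fi;
    size_t ihl   = (size_t)(pkt[0] & 0x0f) * 4u;
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || total < ihl || total > len)
        return fi;
    unsigned fo    = ((unsigned)pkt[6] << 8) | pkt[7];
    fi.valid       = 1;
    fi.proto       = pkt[9];
    fi.offset      = fo & IP_OFFMASK;
    fi.payload_len = (unsigned)(total - ihl);
    return fi;
}

/* 1 when the packet is what rule -1 counts: a fragment whose offset is
 * exactly 1, any protocol (the page's wording). Unfragmented and
 * unparseable packets return 0. */
int rule_minus1_matches(const uint8_t *pkt, size_t len)
{
    struct frag_info fi = parse_ipv4(pkt, len);
    return fi.valid && fi.offset == 1;
}

/* Why offset 1 matters: this fragment supplies transport bytes
 * [offset*8, offset*8 + payload_len). TCP keeps data-offset and flags in
 * header bytes 12 and 13, so a non-first fragment at offset 1 with more
 * than 4 payload bytes lands on them and can overwrite, on reassembly, the
 * flags a filter approved in fragment 0 (RFC 1858). Offset >= 2 starts at
 * byte 16, past the basic TCP header. */
int tcp_fragment_overlaps_flags(const uint8_t *pkt, size_t len)
{
    struct frag_info fi = parse_ipv4(pkt, len);
    if (!fi.valid || fi.proto != IPPROTO_TCP_NUM || fi.offset == 0)
        return 0;
    unsigned start = fi.offset * 8u;
    unsigned end   = start + fi.payload_len;   /* exclusive */
    return start < 14 && end > 12;
}

/* Constructed sample: 20-byte IPv4 header, no options, zeroed payload,
 * checksum left 0 (never inspected here). 10.0.0.1 -> 10.0.0.2 are made-up
 * addresses. Returns the total length written. */
size_t build_sample(uint8_t *buf, uint8_t proto, unsigned flags_and_offset,
                    unsigned payload_len)
{
    unsigned total = 20 + payload_len;
    buf[0] = 0x45; buf[1] = 0;                        /* IPv4, IHL = 5 */
    buf[2] = (uint8_t)(total >> 8); buf[3] = (uint8_t)(total & 0xff);
    buf[4] = 0; buf[5] = 0;                           /* identification */
    buf[6] = (uint8_t)(flags_and_offset >> 8);
    buf[7] = (uint8_t)(flags_and_offset & 0xff);
    buf[8] = 64; buf[9] = proto; buf[10] = 0; buf[11] = 0;
    buf[12] = 10; buf[13] = 0; buf[14] = 0; buf[15] = 1;
    buf[16] = 10; buf[17] = 0; buf[18] = 0; buf[19] = 2;
    memset(buf + 20, 0, payload_len);
    return total;
}

/* Build one sample and classify it; returns MINUS1_MATCH | FLAGS_OVERLAP
 * bits, or -1 if the payload does not fit the local buffer. */
int classify_sample(uint8_t proto, unsigned flags_and_offset, unsigned payload_len)
{
    uint8_t buf[128];
    if (payload_len > sizeof buf - 20)
        return -1;
    size_t n = build_sample(buf, proto, flags_and_offset, payload_len);
    int r = 0;
    if (rule_minus1_matches(buf, n))         r |= MINUS1_MATCH;
    if (tcp_fragment_overlaps_flags(buf, n)) r |= FLAGS_OVERLAP;
    return r;
}

int main(void)
{
    struct { const char *name; uint8_t proto; unsigned fo; unsigned plen; } s[] = {
        { "unfragmented TCP",           6,  0,         20 },
        { "first fragment (MF, off 0)", 6,  IP_MF | 0,  8 },
        { "TCP fragment, offset 1",     6,  1,         12 },
        { "TCP fragment, offset 2",     6,  2,         12 },
        { "UDP fragment, offset 1",     17, 1,         12 },
    };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++) {
        int r = classify_sample(s[i].proto, s[i].fo, s[i].plen);
        printf("%-28s rule -1: %-3s overlaps TCP flags: %s\n", s[i].name,
               (r & MINUS1_MATCH) ? "yes" : "no",
               (r & FLAGS_OVERLAP) ? "yes" : "no");
    }
    return 0;
}
```

The example keeps the page's protocol-agnostic wording, so the UDP sample at offset 1 counts as a rule -1 hit even though it cannot touch TCP flags; if the ipfw on your system narrows the built-in check to TCP, ipfw(8) there is the authority, not this code.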

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?44y9rtf9ox.fsf>