From owner-freebsd-security Sat May 19 11:57:53 2001
Delivered-To: freebsd-security@freebsd.org
Received: from be-well.ilk.org (lowellg.ne.mediaone.net [24.147.184.128]) by hub.freebsd.org (Postfix) with ESMTP id DB19B37B42C for ; Sat, 19 May 2001 11:57:50 -0700 (PDT) (envelope-from lowell@be-well.ilk.org)
Received: (from lowell@localhost) by be-well.ilk.org (8.11.3/8.11.3) id f4JIvoG32866; Sat, 19 May 2001 14:57:50 -0400 (EDT) (envelope-from lowell)
To: freebsd-security@freebsd.org
Subject: Re: IPFW Rule -1 Always = Attack?
References: <200105181518.WAA12362@bazooka.cs.ait.ac.th> <046c01c0dfc0$833e7fc0$213cd3cf@loop.com>
From: Lowell Gilbert
Date: 19 May 2001 14:57:50 -0400
In-Reply-To: dwplists@loop.com's message of "18 May 2001 19:32:59 +0200"
Message-ID: <44y9rtf9ox.fsf@lowellg.ne.mediaone.net>
Lines: 19
X-Mailer: Gnus v5.7/Emacs 20.7
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

dwplists@loop.com (D. W. Piper) writes:

> If I understand things correctly from the archives and the IPFW man
> page, IPFW rule -1 is built into the firewall, and only applies to
> rejecting IP fragments with a fragment offset of one. The man page
> further states, "This is a valid packet, but it only has one use, to try
> to circumvent firewalls."
>
> Does that mean that every packet dropped by rule -1 indicates a
> deliberate attempt to circumvent the firewall, and should be reported to
> the appropriate network administrator for the source IP address?

It's *possible* that the rule could be triggered by something that wasn't an attack. Thinking about it briefly, it seems slightly more likely that it's part of a probe, rather than an actual attack. However, reporting to the network administrator for that address is almost certainly useless in any case, because an attacker would probably have spoofed that address anyway.
[An attacker wouldn't ever get any response from that packet in any case.]
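To make the condition behind rule -1 concrete, here is an added example (not code from the thread or from ipfw itself) that parses the flags/fragment-offset word of an IPv4 header and reports which packets the built-in rule would drop: only fragments whose offset is exactly 1, i.e. bytes 8..15 of the original datagram, which is the first position that can overlap the flags of a TCP header carried in the preceding fragment. The sample headers, addresses and helper names are constructed for illustration; the checksum is left at zero.

```python
import struct

IP_MF = 0x1                 # "More Fragments" bit in the 3-bit flags field
FRAG_OFFSET_MASK = 0x1FFF   # low 13 bits of the flags/offset word, in 8-byte units
IPV4_HDR = "!BBHHHBBH4s4s"  # minimal 20-byte IPv4 header layout

def parse_ipv4_fragment_fields(packet: bytes) -> dict:
    """Extract identification, flags and fragment offset from an IPv4 header."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, ident, flags_off, _ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_HDR, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {
        "ident": ident,
        "proto": proto,
        "more_fragments": bool((flags_off >> 13) & IP_MF),
        "frag_offset": flags_off & FRAG_OFFSET_MASK,
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
    }

def ipfw_rule_minus1_match(packet: bytes) -> bool:
    """True when the packet matches what ipfw's built-in rule -1 rejects:
    a fragment whose offset is exactly 1 (the 8-byte block right after the
    first fragment, overlapping a TCP header's ack/flags/window fields)."""
    return parse_ipv4_fragment_fields(packet)["frag_offset"] == 1

def build_header(ident: int, more_fragments: bool, frag_offset: int,
                 proto: int = 6, src: bytes = b"\x0a\x00\x00\x01",
                 dst: bytes = b"\x0a\x00\x00\x02") -> bytes:
    """Constructed sample header for testing; not a packet meant to be sent."""
    flags_off = ((IP_MF if more_fragments else 0) << 13) | (frag_offset & FRAG_OFFSET_MASK)
    return struct.pack(IPV4_HDR, 0x45, 0, 20, ident, flags_off, 64, proto, 0, src, dst)

# Constructed sample traffic: one ordinary datagram and three fragments of another.
SAMPLES = {
    "unfragmented": build_header(1, False, 0),
    "first_fragment": build_header(2, True, 0),
    "offset_1_fragment": build_header(2, True, 1),     # the only rule -1 hit
    "last_fragment": build_header(2, False, 185),
}

def classify(packets: dict) -> dict:
    """Map each sample name to the verdict rule -1 would give it."""
    return {name: ("drop by rule -1" if ipfw_rule_minus1_match(p) else "pass to ruleset")
            for name, p in packets.items()}
```

Every other fragment, including legitimate first and trailing fragments, falls through to the normal ruleset, which is why a rule -1 hit is a strong but not infallible signal.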