From: Norberto Meijome
Date: Tue, 18 May 2004 16:44:25 +1000
To: freebsd-security@freebsd.org
Subject: Confirming my understanding of an ipf log line
Message-ID: <40A9B0C9.4040208@meijome.net>

Hi list,

I saw this in my ipf.log (using ipfmon):

18/05/2004 15:57:21.092537 fxp0 @25:1 S w.x.y.z -> a.b.c.d PR tcp len 20 (40) frag 20@8 IN

where:
- fxp0 is my interface connected to the outside world
- w.x.y.z is an IP not related to any system under our control
- a.b.c.d is the public IP used for NATed traffic from our LAN.
- @25:1 is: @1 block in log quick from any to any with short group 25

Does the "S" after @25:1 mean it was a packet too short to be true?
What does the frag 20@8 mean?

Thanks!!
Beto
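
Added example, not part of the original post: a small Python parser for the log line quoted above, useful when triaging such entries in bulk. The action letters and the reading of "frag" as <payload bytes>@<byte offset> follow ipmon(8) and ipmon's output code and are assumptions not stated in the post; the function and field names are hypothetical.

```python
import re

# Constructed sample: the line from the post, with the poster's placeholder addresses.
SAMPLE = ("18/05/2004 15:57:21.092537 fxp0 @25:1 S w.x.y.z -> a.b.c.d "
          "PR tcp len 20 (40) frag 20@8 IN")

# Action letters as listed in ipmon(8) (assumption: not stated in the post).
ACTIONS = {"p": "passed", "b": "blocked", "S": "short packet",
           "n": "no rule matched", "L": "log rule"}

LINE_RE = re.compile(
    r"(?P<date>\S+) (?P<time>\S+) (?P<ifname>\S+) "
    r"@(?P<group>\d+):(?P<rule>\d+) (?P<action>[pbSnL]) "
    r"(?P<src>\S+) -> (?P<dst>\S+) PR (?P<proto>\S+) "
    r"len (?P<hlen>\d+) \(?(?P<iplen>\d+)\)?"          # IP header length, total length
    r"(?: frag (?P<fflags>[+-]*)(?P<fraglen>\d+)@(?P<fragoff>\d+))?"
    r"(?: -(?P<tcpflags>[A-Z]+))?"                      # TCP flags, first fragments only
    r".*? (?P<dir>IN|OUT)\s*$")

TCP_MIN_HEADER = 20  # bytes


def parse_ipmon(line):
    """Return a dict of fields for one ipmon line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("group", "rule", "hlen", "iplen"):
        rec[key] = int(rec[key])
    rec["action_text"] = ACTIONS[rec["action"]]
    rec["fragment"] = None
    if rec["fraglen"] is not None:
        length, offset = int(rec["fraglen"]), int(rec["fragoff"])
        rec["fragment"] = {
            "payload_len": length,      # expected to equal iplen - hlen
            "byte_offset": offset,      # where this fragment's data starts in the IP payload
            "more_fragments": "+" in rec["fflags"],
            # True when a non-first TCP fragment starts inside the minimum TCP header.
            "inside_tcp_header": rec["proto"] == "tcp" and 0 < offset < TCP_MIN_HEADER,
        }
    return rec


if __name__ == "__main__":
    for key, value in parse_ipmon(SAMPLE).items():
        print(f"{key:12} {value}")
```
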