From owner-freebsd-ipfw Sun Mar 12 21:53:53 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50])
	by hub.freebsd.org (Postfix) with ESMTP id 1056B37B592
	for ; Sun, 12 Mar 2000 21:53:48 -0800 (PST)
	(envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3])
	by fledge.watson.org (8.9.3/8.9.3) with SMTP id AAA08844;
	Mon, 13 Mar 2000 00:55:04 -0500 (EST)
	(envelope-from robert@cyrus.watson.org)
Date: Mon, 13 Mar 2000 00:55:04 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: Luigi Rizzo
Cc: Mike Heffner , freebsd-ipfw@FreeBSD.ORG
Subject: Re: ipfw doesn't match when src == dest
In-Reply-To: <200003130545.GAA89213@info.iet.unipi.it>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Actually, this post was with regards to the fragment handling comment you
made, and not the buffer problem, to which I'll commit the patch for
shortly. Could you comment on the potential accuracy of my observations
about over-zealous dropping of fragments? :-)

On Mon, 13 Mar 2000, Luigi Rizzo wrote:

> Hi,
> the original poster found out the problem -- a call to inet_ntoa()
> (or similar function) which returned a ptr to a static buffer was used
> twice in the same function, with obvious results.
>
> cheers
> luigi
>
>
> > > > Hello,
> > > >
> > > > When I recently redid my firewall, I wanted to block a strange packet from my
> > > > cablemodem,
> > > >
> > > > Deny P:2 192.168.100.1 192.168.100.1 in via ed1
> > >
> > > are you sure that the logging code prints the right thing ?
> > > I noticed (from source code analysis) it does strange things with
> > > fragments, it might as well misbehave with short packets etc.
> >
> > Having spent about two minutes looking at the ipfw code, it looks like
> > there are no false accepts for ultra-fragmented UDP/TCP/ICMP packets

  Robert N M Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
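
The static-buffer problem mentioned in the quoted reply, shown as an added example that is not part of the original thread and is not the ipfw source: a log line built from two inet_ntoa() calls in one statement reports source and destination as the same address, while per-address buffers report them correctly. It assumes userland libc inet_ntoa()/inet_ntop(); the function names, the "Deny %s %s" format and the 192.0.2.7 destination are constructed for illustration.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

static char line[64];   /* last formatted log line */

/* Buggy: both inet_ntoa() calls return the same static buffer, so the
 * call that runs second overwrites the first before snprintf() reads it. */
static void log_buggy(struct in_addr src, struct in_addr dst)
{
    snprintf(line, sizeof line, "Deny %s %s", inet_ntoa(src), inet_ntoa(dst));
}

/* Fixed: each address is formatted into its own caller-owned buffer. */
static void log_fixed(struct in_addr src, struct in_addr dst)
{
    char s[INET_ADDRSTRLEN], d[INET_ADDRSTRLEN];
    inet_ntop(AF_INET, &src, s, sizeof s);
    inet_ntop(AF_INET, &dst, d, sizeof d);
    snprintf(line, sizeof line, "Deny %s %s", s, d);
}

/* Returns 1 if the logged source and destination text are identical. */
static int fields_equal(void)
{
    char a[INET_ADDRSTRLEN], b[INET_ADDRSTRLEN];
    if (sscanf(line, "Deny %15s %15s", a, b) != 2)
        return -1;
    return strcmp(a, b) == 0;
}

/* Constructed sample packet: source and destination differ. */
static int run_sample(int fixed)
{
    struct in_addr src, dst;

    inet_pton(AF_INET, "192.168.100.1", &src);
    inet_pton(AF_INET, "192.0.2.7", &dst);
    if (fixed) log_fixed(src, dst); else log_buggy(src, dst);
    return fields_equal();
}

int main(void)
{
    printf("buggy: src==dst in log? %d (%s)\n", run_sample(0), line);
    printf("fixed: src==dst in log? %d (%s)\n", run_sample(1), line);
    return 0;
}
```

Which of the two addresses the buggy line repeats depends on the compiler's argument evaluation order, so a log entry with identical source and destination is not by itself evidence about the packet.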