Date: Tue, 25 Jan 2000 10:08:12 +0200
From: Ruslan Ermilov <ru@ucb.crimea.ua>
To: Mike Tancsa <mike@sentex.net>
Cc: questions@FreeBSD.org
Subject: Re: rule -1 on ipfw
Message-ID: <20000125100812.A32413@relay.ucb.crimea.ua>
In-Reply-To: <3.0.5.32.20000124131838.01ce4e10@staff.sentex.ca>; from Mike Tancsa on Mon, Jan 24, 2000 at 01:18:38PM -0500
References: <3.0.5.32.20000124131838.01ce4e10@staff.sentex.ca>

On Mon, Jan 24, 2000 at 01:18:38PM -0500, Mike Tancsa wrote:
>
> What would trigger something like this in my logs
>
> ipfw: -1 Refuse TCP 209.226.155.246 my.ip.address. in via fxp0 Fragment = 185
>
> when I have
>
> 00100 166968 24813244 allow ip from any to any via lo0
> 00200 0 0 deny ip from any to 127.0.0.0/8
> 00250 0 0 deny log logamount 21000 tcp from any to any 8007 in recv fxp0
> 65000 826281 482465357 allow ip from any to any
>
> It's a STABLE box as of today.
>
This is documented in the ipfw(8) manpage:

: There is one kind of packet that the firewall will always discard, that
: is an IP fragment with a fragment offset of one. This is a valid packet,
: but it only has one use, to try to circumvent firewalls.

See RFC1858 (Security Considerations for IP Fragment Filtering) for details.

Cheers,
--
Ruslan Ermilov          Sysadmin and DBA of the
ru@ucb.crimea.ua        United Commercial Bank,
ru@FreeBSD.org          FreeBSD committer,
+380.652.247.647        Simferopol, Ukraine

http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
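
Added example, not part of the original message and not ipfw's own code: a sketch of the offset-one TCP fragment check that the quoted ipfw(8) text describes, extended with the "tiny first fragment" check that RFC 1858 also specifies. The names `make_ipv4`, `classify_fragment` and `TMIN`, the value chosen for `TMIN`, and the sample packets and addresses are assumptions constructed for this illustration.

```python
import socket
import struct

IPPROTO_TCP = 6
TMIN = 20  # assumption: require the full fixed TCP header in the first fragment

def make_ipv4(proto, frag_offset, more_frags, payload):
    """Build a constructed IPv4 packet (checksum left at 0; sample data only)."""
    flags_frag = (0x2000 if more_frags else 0) | (frag_offset & 0x1FFF)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0x1234, flags_frag, 64, proto, 0,
        socket.inet_aton("192.0.2.1"), socket.inet_aton("198.51.100.1"),
    )
    return header + payload

def classify_fragment(packet):
    """Return 'pass' or a drop reason, following the RFC 1858 TCP checks."""
    if len(packet) < 20:
        return "drop: truncated IP header"
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto = struct.unpack(
        "!BBHHHBB", packet[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or total_len > len(packet):
        return "drop: malformed IP header"
    offset = flags_frag & 0x1FFF      # fragment offset, in 8-byte units
    transport_len = total_len - ihl   # bytes carried after the IP header
    if proto == IPPROTO_TCP:
        if offset == 1:
            # On reassembly this data starts at byte 8 of the TCP header,
            # so it would cover the flags field at byte 13.
            return "drop: TCP fragment with offset 1"
        if offset == 0 and transport_len < TMIN:
            return "drop: tiny first TCP fragment"
    return "pass"

if __name__ == "__main__":
    samples = {  # constructed packets, not captured traffic
        "TCP, offset 1": make_ipv4(IPPROTO_TCP, 1, False, b"\x00" * 8),
        "TCP, 8-byte first fragment": make_ipv4(IPPROTO_TCP, 0, True, b"\x00" * 8),
        "TCP, unfragmented": make_ipv4(IPPROTO_TCP, 0, False, b"\x00" * 20),
        "UDP, offset 1": make_ipv4(17, 1, False, b"\x00" * 8),
    }
    for label, pkt in samples.items():
        print(f"{label}: {classify_fragment(pkt)}")
```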