Date: Mon, 21 Feb 2000 09:31:18 +1300
From: Jonathan Chen
To: cjclark@home.com
Cc: Brian Gallucci, FreeBSD
Subject: Re: IPFW Trouble
Message-ID: <20000221093118.D1528@jonc.logisticsoftware.co.nz>

On Sun, Feb 20, 2000 at 03:29:45PM -0500, Crist J. Clark wrote:
> On Sun, Feb 20, 2000 at 11:28:16AM -0800, Brian Gallucci wrote:
> > I noticed a -1 Refused in our logging, What does this mean?
> >
> > ipfw: 700 Deny UDP 10.1.1.1:137 216.174.90.90:137 in via fxp0
> > ipfw: -1 Refuse TCP 195.36.173.44:1107 216.174.90.90:80 in via fxp0
> > ^^^^^^^^^^^^^^^^^^^^^
> > ipfw: 700 Deny UDP 10.0.0.4:137 216.174.90.90:137 in via fxp0
> > ipfw: 700 Deny UDP 10.0.0.4:137 216.174.90.90:137 in via fxp0
> > ipfw: -1 Refuse TCP 194.106.96.6:59409 216.174.90.90:80 in via fxp0
> > ^^^^^^^^^^^^^^^^^^^^^^^
> > ipfw: 4400 Deny TCP 24.147.67.6:3566 216.174.90.90:445 in via fxp0
> >
> > Running FreeBSD 3.4
>
> My guess is that rule 65535 is being printed as a 'short' rather than
> an 'unsigned short.' Those messages would not happen to be generated
> by a default deny?

IIRC, the packet reject is generated by the "IP fragment with a fragment
offset of one"; which is always rejected (it's in the FINE POINTS of the
ipfw man-page).

Jonathan Chen
----------------------------------------------------------------------
The human mind ordinarily operates at only ten percent of its capacity
-- the rest is overhead for the operating system.
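Added example (not part of the original message, and not ipfw's own code): a C check for the packet Jonathan describes, a TCP fragment whose IPv4 fragment offset is one. The function name and the sample headers are constructed for illustration; header checksums are not verified.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PROTO_TCP    6      /* IANA protocol number for TCP */
#define FRAG_OFFMASK 0x1fff /* low 13 bits of the flags/offset word */

/* 1 = TCP fragment with fragment offset one, 0 = anything else,
 * -1 = buffer too short or not a well-formed IPv4 header. */
int is_tcp_frag_offset_one(const uint8_t *buf, size_t len)
{
    if (len < 20 || (buf[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;   /* header length in bytes */
    if (ihl < 20 || ihl > len)
        return -1;
    /* The offset is counted in 8-byte units, so a value of 1 means the
     * fragment's data would start at byte 8 of the TCP header. */
    unsigned frag_off = (((unsigned)buf[6] << 8) | buf[7]) & FRAG_OFFMASK;
    return buf[9] == PROTO_TCP && frag_off == 1;
}

/* Constructed sample IPv4 headers: documentation addresses
 * 192.0.2.1 -> 198.51.100.1, checksum field left as zero. */
static const uint8_t frag_off1_tcp[20] = {   /* TCP, offset 1 */
    0x45, 0x00, 0x00, 0x1c, 0x12, 0x34, 0x00, 0x01, 0x40, 0x06,
    0x00, 0x00, 192, 0, 2, 1, 198, 51, 100, 1 };
static const uint8_t first_frag_tcp[20] = {  /* TCP, MF set, offset 0 */
    0x45, 0x00, 0x00, 0x1c, 0x12, 0x34, 0x20, 0x00, 0x40, 0x06,
    0x00, 0x00, 192, 0, 2, 1, 198, 51, 100, 1 };
static const uint8_t frag_off1_udp[20] = {   /* UDP, offset 1 */
    0x45, 0x00, 0x00, 0x1c, 0x12, 0x34, 0x00, 0x01, 0x40, 0x11,
    0x00, 0x00, 192, 0, 2, 1, 198, 51, 100, 1 };

int main(void)
{
    printf("TCP offset 1: %d\n",
           is_tcp_frag_offset_one(frag_off1_tcp, sizeof frag_off1_tcp));
    printf("TCP offset 0: %d\n",
           is_tcp_frag_offset_one(first_frag_tcp, sizeof first_frag_tcp));
    printf("UDP offset 1: %d\n",
           is_tcp_frag_offset_one(frag_off1_udp, sizeof frag_off1_udp));
    return 0;
}
```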