Date: Fri, 13 Feb 1998 09:11:59 -0600 (CST)
From: Alex Nash <nash@Mcs.Net>
To: Chris Stenton <jacs@gnome.co.uk>
Cc: hackers@FreeBSD.ORG
Subject: Re: ipfw and www browser problem
Message-ID: <Pine.BSF.3.95.980213090423.25501A-100000@Jupiter.Mcs.Net>
In-Reply-To: <199802131027.KAA00814@hawk.gnome.co.uk>

On Fri, 13 Feb 1998, Chris Stenton wrote:

> Feb 13 10:09:04 hawk /kernel: ipfw: 1900 Deny TCP 204.162.96.20
> 193.243.228.133 in via ppp0 Fragment = 97
>
> rule 1900 is
>
> 01900 deny log tcp from any to any 87 via ppp0
>
>
> The error message against the rule does not make any sense to me. Why one
> particular fragment?

Any fragmented packet (except the first fragment) which makes it to this
rule will be stopped due to a bug in ipfw. The problem, put simply, is
that ipfw ignored the port specification because it didn't have the
information in the fragmented packet.

Your options are:

- upgrade to the latest -stable or -current
- try and hand merge the fix committed to sys/netinet/ip_fw.c into your tree
- add a 'frag' rule somewhere before rule 1900, here's an example:

    ipfw add 1899 allow ip from any to any frag

Alex

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
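
Added example (not part of the message above and not code from sys/netinet/ip_fw.c): a C sketch of why a non-first fragment, like the one logged with Fragment = 97, hits a "deny tcp ... 87" rule when the port test is skipped. The rule struct, function names, constructed sample packets and the "strict" variant (a port rule never matches a packet without ports) are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_OFFMASK 0x1fff            /* fragment offset, in 8-byte units */

struct rule { uint8_t proto; uint16_t dport; };   /* dport 0 = no port spec */

/* Constructed sample: 20-byte IPv4 header + 20-byte payload. For off == 0 the
 * payload starts with a TCP header; otherwise it is mid-stream data. */
static void make_pkt(uint8_t p[40], unsigned off, uint16_t dport) {
    memset(p, 0, 40);
    p[0] = 0x45; p[9] = 6;                        /* IPv4, IHL 5, proto TCP */
    p[6] = (off >> 8) & 0x1f; p[7] = off & 0xff;
    if (off == 0) { p[22] = dport >> 8; p[23] = dport & 0xff; }
}

/* Destination port, or -1 when this packet does not carry the TCP header. */
static int tcp_dport(const uint8_t *p, size_t len) {
    size_t hl = (size_t)(p[0] & 0x0f) * 4;
    unsigned off = (((unsigned)p[6] << 8) | p[7]) & IP_OFFMASK;
    if (off != 0 || len < hl + 4) return -1;
    return (p[hl + 2] << 8) | p[hl + 3];
}

/* Behaviour the message describes: port test skipped when ports are absent. */
int match_ignoring_ports(const struct rule *r, const uint8_t *p, size_t len) {
    if (p[9] != r->proto) return 0;
    int dport = tcp_dport(p, len);
    return dport < 0 || r->dport == 0 || dport == r->dport;
}

/* Assumed corrected behaviour: a port rule never matches such a packet. */
int match_strict(const struct rule *r, const uint8_t *p, size_t len) {
    if (p[9] != r->proto) return 0;
    int dport = tcp_dport(p, len);
    return r->dport == 0 || (dport >= 0 && dport == r->dport);
}

/* Returns 1 if a packet at fragment offset `off` hits "deny tcp ... 87". */
int denied(unsigned off, uint16_t dport, int strict) {
    struct rule r1900 = { 6, 87 };
    uint8_t p[40];
    make_pkt(p, off, dport);
    return strict ? match_strict(&r1900, p, 40) : match_ignoring_ports(&r1900, p, 40);
}

int main(void) {
    printf("offset 97, old: %d  strict: %d\n", denied(97, 80, 0), denied(97, 80, 1));
    printf("offset 0 port 80: %d  port 87: %d\n", denied(0, 80, 0), denied(0, 87, 0));
    return 0;
}
```

A fragment offset of 97 means the payload starts 776 bytes into the original datagram, well past the TCP header, so the fragment itself holds no port for a rule to test.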