From owner-freebsd-hackers Fri Feb 13 07:12:36 1998
Date: Fri, 13 Feb 1998 09:11:59 -0600 (CST)
From: Alex Nash
To: Chris Stenton
cc: hackers@FreeBSD.ORG
Subject: Re: ipfw and www browser problem
In-Reply-To: <199802131027.KAA00814@hawk.gnome.co.uk>

On Fri, 13 Feb 1998, Chris Stenton wrote:

> Feb 13 10:09:04 hawk /kernel: ipfw: 1900 Deny TCP 204.162.96.20
> 193.243.228.133 in via ppp0 Fragment = 97
>
> rule 1900 is
>
> 01900 deny log tcp from any to any 87 via ppp0
>
>
> The error message against the rule does not make any sense to me. Why one
> particular fragment?

Any fragmented packet (except the first fragment) which makes it to this
rule will be stopped due to a bug in ipfw. The problem, put simply, is
that ipfw ignored the port specification because it didn't have the
information in the fragmented packet.

Your options are:

  - upgrade to the latest -stable or -current
  - try and hand merge the fix committed to sys/netinet/ip_fw.c into
    your tree
  - add a 'frag' rule somewhere before rule 1900, here's an example:

      ipfw add 1899 allow ip from any to any frag

Alex
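The failure mode described in the reply above, as an added C sketch (not the ip_fw.c code and not the committed fix): a non-first fragment carries no TCP header, so a port rule such as 1900 has nothing to compare against. The rule struct, rule_matches(), the buggy switch and the packets are constructed for illustration; buggy=0 assumes a port rule simply skips such fragments.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_MF      0x2000u  /* "more fragments" flag */
#define IP_OFFMASK 0x1fffu  /* fragment offset, in 8-byte units */

/* Hypothetical simplified rule: protocol plus destination port (0 = any). */
struct rule { uint8_t proto; uint16_t dport; };

/* Fragment offset from a raw IPv4 header (bytes 6-7, network order). */
static unsigned frag_offset(const uint8_t *ip) {
    return (((unsigned)ip[6] << 8) | ip[7]) & IP_OFFMASK;
}

/* buggy=1: port spec ignored when the TCP header is absent (rule matches).
 * buggy=0: assumed behaviour, a port rule never matches such a fragment. */
static int rule_matches(const struct rule *r, const uint8_t *pkt, size_t len, int buggy) {
    if (len < 20 || pkt[9] != r->proto) return 0;
    size_t hl = (size_t)(pkt[0] & 0x0f) * 4;
    if (hl < 20) return 0;
    if (r->dport == 0) return 1;                /* no port spec to check */
    if (frag_offset(pkt) != 0) return buggy;    /* no TCP header here */
    if (len < hl + 4) return 0;                 /* ports truncated */
    return ((pkt[hl + 2] << 8) | pkt[hl + 3]) == r->dport;
}

/* Constructed packet: 20-byte IPv4 header plus 4 payload bytes. */
static void make_pkt(uint8_t *p, unsigned off_field, uint16_t dport) {
    memset(p, 0, 24);
    p[0] = 0x45; p[9] = 6;                      /* IPv4, IHL=5, TCP */
    p[6] = (uint8_t)(off_field >> 8); p[7] = (uint8_t)off_field;
    p[22] = (uint8_t)(dport >> 8); p[23] = (uint8_t)dport; /* ports only if offset==0 */
}

/* Evaluate a rule shaped like 1900 (deny tcp ... 87) against one packet. */
static int demo(unsigned off_field, uint16_t dport, int buggy) {
    const struct rule r1900 = { 6, 87 };
    uint8_t p[24];
    make_pkt(p, off_field, dport);
    return rule_matches(&r1900, p, sizeof p, buggy);
}

int main(void) {
    printf("first fragment, dport 1025, buggy: %d\n", demo(IP_MF, 1025, 1));
    printf("offset 97, buggy:                  %d\n", demo(97, 1025, 1));
    printf("offset 97, assumed behaviour:      %d\n", demo(97, 1025, 0));
    return 0;
}
```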