Date: Tue, 22 Jan 2002 22:23:08 +0200
From: Barry Irwin <bvi@itouchlabs.com>
To: alexus <ml@db.nexgen.com>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Fw: -1 refuse ?
Message-ID: <20020122222308.B32746@itouchlabs.com>
In-Reply-To: <007f01c1a381$669739e0$0d00a8c0@alexus>; from ml@db.nexgen.com on Tue, Jan 22, 2002 at 03:14:04PM -0500
References: <007f01c1a381$669739e0$0d00a8c0@alexus>

from ipfw(8) man page:
FINE POINTS
o There is one kind of packet that the firewall will always discard,
  that is a TCP packet's fragment with a fragment offset of one. This
  is a valid packet, but it only has one use, to try to circumvent
  firewalls. When logging is enabled, these packets are reported as
  being dropped by rule -1.
This is caught by the kernel, and not by your rules listed below.
ICMP redirects probably have nothing to do with this.
Barry
On Tue 2002-01-22 (15:14), alexus wrote:
>
> or like other day i got this
>
> icmp redirect from 66.157.145.63: 10.10.10.101 => 10.10.10.100
> icmp redirect from 66.157.145.63: 10.10.10.101 => 10.10.10.100
> icmp redirect from 66.157.145.63: 10.10.10.101 => 10.10.10.100
> icmp redirect from 66.157.145.63: 10.10.10.101 => 10.10.10.100
> icmp redirect from 66.157.145.63: 10.10.10.101 => 10.10.10.100
>
> Subject: -1 refuse ?
>
>
> I've just never seen anything like that
>
> ipfw: -1 Refuse TCP 207.202.255.35 66.181.169.114 in via fxp0 (frag 0:20@8)
> ipfw: -1 Refuse TCP 207.202.255.35 66.181.169.114 in via fxp0 (frag 0:20@8)
> ipfw: -1 Refuse TCP 207.202.255.35 66.181.169.114 in via fxp0 (frag 0:20@8)
> ipfw: -1 Refuse TCP 207.202.255.35 66.181.169.114 in via fxp0 (frag 0:20@8)
>
> c# ipfw show|grep deny
> 00200 0 0 deny ip from any to 127.0.0.0/8
> 00300 0 0 deny ip from 127.0.0.0/8 to any
> 01313 11 528 deny tcp from any to any 65535 in recv fxp0
> 03306 0 0 deny tcp from any to any 3306 in recv fxp0
> 65535 1 60 deny ip from any to any
> c#
>
> which rule did it deny??
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-ipfw" in the body of the message
>
>
--
Barry Irwin bvi@itouchlabs.com +27214875150
Systems Administrator: Networks And Security
Itouch Labs http://www.itouchlabs.com South Africa
