From owner-freebsd-security  Sat Jul 18 16:24:09 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id QAA09713
          for freebsd-security-outgoing; Sat, 18 Jul 1998 16:24:09 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from nash.pr.mcs.net (nash.pr.mcs.net [204.95.47.72])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA09708
          for <freebsd-security@FreeBSD.ORG>; Sat, 18 Jul 1998 16:24:06 -0700 (PDT)
          (envelope-from alex@nash.pr.mcs.net)
Received: (from alex@localhost)
	by nash.pr.mcs.net (8.8.8/8.8.7) id SAA27596;
	Sat, 18 Jul 1998 18:22:07 -0500 (CDT)
	(envelope-from alex)
Message-Id: <199807182322.SAA27596@nash.pr.mcs.net>
Date: Sat, 18 Jul 1998 18:22:07 -0500 (CDT)
From: Alex Nash <nash@mcs.net>
Subject: Re: rc.firewall (was Re: Large-scale scan of SNMP ports)
To: andrew@squiz.co.nz
cc: maillist@oaks.com.au, freebsd-security@FreeBSD.ORG
In-Reply-To: <Pine.BSF.3.96.980719082909.3806A-100000@aniwa.sky>
MIME-Version: 1.0
Content-Type: TEXT/plain; CHARSET=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 19 Jul, Andrew McNaughton wrote:
> Can anyone explain this...  Took place within a second while I've been
> writing this, repeated 2 minutes later. yy.yy.yy.yy is a distant remote
> host
> 
> ipfw: 40000 Accept ICMP:8.0 yy.yy.yy.yy xx.xx.xx.xx in via de0
> ipfw: 40000 Accept ICMP:166.79 yy.yy.yy.yy xx.xx.xx.xx in via de0 Fragment = 69
> ipfw: 40010 Accept ICMP:0.0 xx.xx.xx.xx yy.yy.yy.yy out via de0
> 
> 
> Is the 79 in the middle line the port number of a fragmented packet? 

This is a bug, the ICMP type and subtype should not be displayed for
this fragmented packet (the information isn't present).

I'll commit a fix for this shortly.

Alex


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message