From owner-freebsd-ipfw@FreeBSD.ORG  Thu Jul  3 08:00:32 2003
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id C3ED837B4A9
	for <ipfw@hub.freebsd.org>; Thu,  3 Jul 2003 08:00:32 -0700 (PDT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 70FE144015
	for <ipfw@hub.freebsd.org>; Thu,  3 Jul 2003 08:00:32 -0700 (PDT)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.12.9/8.12.9) with ESMTP id h63F0WUp054800
	for <ipfw@freefall.freebsd.org>; Thu, 3 Jul 2003 08:00:32 -0700 (PDT)
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.12.9/8.12.9/Submit) id h63F0W8w054799;
	Thu, 3 Jul 2003 08:00:32 -0700 (PDT)
Date: Thu, 3 Jul 2003 08:00:32 -0700 (PDT)
Message-Id: <200307031500.h63F0W8w054799@freefall.freebsd.org>
To: ipfw@FreeBSD.org
From: Maxim Konovalov <maxim@macomnet.ru>
Subject: Re: kern/51341
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Maxim Konovalov <maxim@macomnet.ru>
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Jul 2003 15:00:33 -0000

The following reply was made to PR kern/51341; it has been noted by GNATS.

From: Maxim Konovalov <maxim@macomnet.ru>
To: Andrey Lakhno <land@dnepr.net>
Cc: bug-followup@freebsd.org, luigi@freebsd.org
Subject: Re: kern/51341
Date: Thu, 3 Jul 2003 18:53:35 +0400 (MSD)

 Hello Andrey,
 
 Here is another workaround: add a following rule before any icmp deny
 rules:
 
 	ipfw add pass icmp from any to any frag
 
 I would like to describe the problem in two words.  Please consider a
 next rule:
 
 	deny icmp from any to any icmptype 5
 
 Consider we get an icmp fragment.  In fact, it does not consist
 information about its type and due to the discussed bug ipfw1 will
 terminate the search and drop it.  ipfw2 behaviour is different: if we
 do not know about icmp type of the packet do not terminate the search
 and check the packet against next rule.
 
 At the moment I really do not want to fix this bug because it changes
 a filtering policy and may have a negative effect to countless
 installations.
 
 Please let me know if you are satisfied with my explanation and I can
 close the PR.
 
 Thanks!
 
 -- 
 Maxim Konovalov, maxim@macomnet.ru, maxim@FreeBSD.org