Date:      Thu, 4 Sep 1997 17:11:06 +0200 (SAT)
From:      Reinier Bezuidenhout <rbezuide@oskar.nanoteq.co.za>
To:        mickey@deadline.snafu.de (Andreas S. Wetzel)
Cc:        bugs@FreeBSD.ORG
Subject:   Re: Bug in IPFW code ?
Message-ID:  <199709041511.RAA11819@oskar.nanoteq.co.za>
In-Reply-To: <m0x6cgv-000Br6C@deadline.snafu.de> from "Andreas S. Wetzel" at "Sep 4, 97 04:15:25 pm"

> 230 Deny log udp from any to 194.121.229.32/28 111 via sl0
> 
> This rule should drop udp packets to the sunrpc port coming in via interface
> sl0. But instead it seems to deny random udp traffic to my network:
> 
> Sep  4 16:13:09 gw-deadnet : /kernel: ipfw: 230 Deny UDP 130.83.22.1:17993 194.121.229.34:17732 in via sl0 Fragment = 123

Yes I also have experienced this problem, it has to do - as far as I
can recall - with the sequence of how the check is done in ip_fw.c ...

The fragments after the first one don't have the ports etc. set any
more, but some checks are still performed and sometimes they match
and cause this to happen.

A temporary solution is to set the MTU for the slip line to 1500
(this may degrade throughput if you have a shaky line - I think) but
it seemed to solve the problem for now.

You are running a 2.1.X release, probably 2.1.7 right ???  I had a look
at the filtering code in 2.2 and the sequence of checks has changed
there and "should" solve this kind of problem.

Reinier Bezuidenhout

###################################################################
#							          #
#  R.N. Bezuidenhout                  NetSeq Firewall     	  #
#  rbezuide@oskar.nanoteq.co.za	      http://www.nanoteq.com      #  
#								  #
###################################################################
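The failure mode described in this thread, as an added illustration that is not the ip_fw.c code from any FreeBSD release: a port-qualified rule is evaluated against a non-first IP fragment, and the two bytes after the IP header (which on that fragment are payload, not a UDP header) happen to equal the port in the rule. The "Fragment = 123" in the logged line is the IP fragment-offset field in 8-byte units, and the "ports" 17993 and 17732 are simply payload bytes read as if they were a UDP header. The rule, the /28 and the addresses below are taken from the quoted log line; the matcher structure and the fragment payload bytes are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IP_OFFMASK 0x1fffu   /* fragment offset, in 8-byte units (RFC 791) */
#define IP_MF      0x2000u   /* "more fragments" flag */
#define PROTO_UDP  17

/* A minimal model of "deny udp from any to <net>/<mask> <port>" (constructed, not ipfw's struct). */
struct fw_rule {
    uint8_t  proto;
    uint32_t dst_net, dst_mask;  /* host byte order */
    uint16_t dst_port;           /* 0 = any port */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Checks common to both matchers: IPv4, protocol, destination network.
 * Returns the IP header length on match, 0 otherwise. */
static size_t ip_hdr_match(const struct fw_rule *r, const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4u;
    if (hlen < 20 || len < hlen + 4) return 0;      /* need 4 bytes past the header for ports */
    if (pkt[9] != r->proto) return 0;
    if ((rd32(pkt + 16) & r->dst_mask) != r->dst_net) return 0;
    return hlen;
}

/* Model of the bug: the port is compared against whatever follows the IP header,
 * even when the packet is a non-first fragment and those bytes are payload. */
int match_buggy(const struct fw_rule *r, const uint8_t *pkt, size_t len)
{
    size_t hlen = ip_hdr_match(r, pkt, len);
    if (!hlen) return 0;
    if (r->dst_port == 0) return 1;
    return rd16(pkt + hlen + 2) == r->dst_port;     /* payload bytes on a non-first fragment */
}

/* Corrected ordering: look at the fragment offset before touching the transport header.
 * A port-qualified rule can only be decided on the first fragment (offset 0). */
int match_fixed(const struct fw_rule *r, const uint8_t *pkt, size_t len)
{
    size_t hlen = ip_hdr_match(r, pkt, len);
    if (!hlen) return 0;
    if (r->dst_port == 0) return 1;
    if (rd16(pkt + 6) & IP_OFFMASK) return 0;       /* non-first fragment: no UDP header here */
    return rd16(pkt + hlen + 2) == r->dst_port;
}

/* Build a minimal IPv4 packet (no checksum; the matchers never look at it). Returns total length. */
size_t build_ipv4(uint8_t *buf, uint32_t dst, uint16_t frag_off, int more_frags,
                  const uint8_t *payload, size_t plen)
{
    memset(buf, 0, 20);
    buf[0] = 0x45;                                  /* IPv4, 20-byte header */
    uint16_t tot = (uint16_t)(20 + plen);
    buf[2] = (uint8_t)(tot >> 8); buf[3] = (uint8_t)tot;
    uint16_t fo = (uint16_t)((frag_off & IP_OFFMASK) | (more_frags ? IP_MF : 0));
    buf[6] = (uint8_t)(fo >> 8);  buf[7] = (uint8_t)fo;
    buf[8] = 64; buf[9] = PROTO_UDP;
    buf[12] = 130; buf[13] = 83; buf[14] = 22; buf[15] = 1;     /* src 130.83.22.1, from the log line */
    buf[16] = (uint8_t)(dst >> 24); buf[17] = (uint8_t)(dst >> 16);
    buf[18] = (uint8_t)(dst >> 8);  buf[19] = (uint8_t)dst;
    memcpy(buf + 20, payload, plen);
    return 20 + plen;
}

/* Rule 230 from the thread: deny udp from any to 194.121.229.32/28 111 */
static const struct fw_rule rule_230 = { PROTO_UDP, 0xC279E520u, 0xFFFFFFF0u, 111 };
#define DST_34 0xC279E522u   /* 194.121.229.34, the logged destination */

static int run(int fixed, uint16_t off, int mf, const uint8_t *data, size_t n)
{
    uint8_t pkt[64];
    size_t len = build_ipv4(pkt, DST_34, off, mf, data, n);
    return fixed ? match_fixed(&rule_230, pkt, len) : match_buggy(&rule_230, pkt, len);
}

/* First fragment carrying a real UDP header to port 111: both matchers should deny it. */
int check_first_fragment(int fixed) {
    const uint8_t udp[8] = { 0x04, 0xd2, 0x00, 0x6f, 0x00, 0x08, 0, 0 };  /* sport 1234, dport 111 */
    return run(fixed, 0, 1, udp, sizeof udp);
}
/* Constructed non-first fragment (offset 123) whose payload bytes 2..3 happen to be 0x006f = 111. */
int check_nonfirst_lookalike(int fixed) {
    const uint8_t data[8] = { 'F', 'I', 0x00, 0x6f, 'E', 'D', 0, 0 };
    return run(fixed, 123, 0, data, sizeof data);
}
/* Constructed non-first fragment whose payload does not resemble the port: neither should match. */
int check_nonfirst_other(int fixed) {
    const uint8_t data[8] = { 'F', 'I', 'L', 'E', 'D', 'A', 'T', 'A' };
    return run(fixed, 123, 0, data, sizeof data);
}

int main(void)
{
    printf("first fragment     buggy=%d fixed=%d\n", check_first_fragment(0),     check_first_fragment(1));
    printf("non-first lookalike buggy=%d fixed=%d\n", check_nonfirst_lookalike(0), check_nonfirst_lookalike(1));
    printf("non-first other    buggy=%d fixed=%d\n", check_nonfirst_other(0),    check_nonfirst_other(1));
    return 0;
}
```

Two things to take from the corrected ordering. First, raising the SLIP MTU only avoids the problem by avoiding fragmentation, which is why it "seemed to solve the problem"; the check order is the real fix. Second, the corrected matcher deliberately lets non-first fragments fall through a port-qualified rule, so if you want those dropped as well you need a separate rule that matches on the fragment bit rather than on ports (later ipfw versions expose this as the `frag` option); otherwise only the first fragment is denied and the remainder of the datagram is passed to later rules.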
