Subject: Re: ipfw log entry
From: Brian Somers (brianAwfulhak.org)
Date: Fri Jun 16 2000 - 16:48:02 CDT


> On Fri, 16 Jun 2000, Mike Tancsa wrote:
>
> > At 05:14 AM 6/17/00 +1000, Ian Smith wrote:
> > >As I mentioned to John, this host is res6.geocities.com. We see these
> > >here usually in big batches, perhaps about once a month on average, eg:
> > >
> > >May 22 18:14:39 gaia /kernel:
> > > ipfw: 65000 Count TCP 209.1.224.16 203.41.52.xxx in via tun0 Fragment = 147
> >
> > I thought I recognized that IP address...
> >
> > ipfw: -1 Refuse TCP 209.1.224.16 206.130.91.146 in via fxp2 Fragment = 147
> > ipfw: -1 Refuse TCP 209.1.224.16 206.130.91.146 in via fxp2 Fragment = 147
> >
> > Sheesh! We see lots of this in our logs as well.
>
> Ditto. I get these quite often.
>
> ipfw: -1 Refuse TCP 209.1.224.16 207.160.214.253 in via fxp7 Fragment = 147
> ipfw: -1 Refuse TCP 209.1.224.16 207.160.214.253 in via fxp7 Fragment = 147
> ipfw: -1 Refuse TCP 209.1.224.16 207.160.214.253 in via fxp7 Fragment = 147
>
> Anyone figured out what/who this is yet?

It's a problem in the firewall code - I think because of assumptions
about minimum lengths of packets. I didn't figure this out, but I
talked to luigi about it a couple of weeks ago.

> -- Chris Dillon - cdillonwolves.k12.mo.us - cdilloninter-linc.net
> FreeBSD: The fastest and most stable server OS on the planet.
> For Intel x86 and Alpha architectures. ( http://www.freebsd.org )

-- 
Brian <brianAwfulhak.org>                        <brian[uk.]FreeBSD.org>
      <http://www.Awfulhak.org>                   <brian[uk.]OpenBSD.org>
Don't _EVER_ lose your sense of humour !
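
An added example, not part of the original messages: a small parser for the ipfw log lines quoted in this thread that tallies fragment entries by source and Fragment value, so recurring batches like these stand out in a larger log. The function names are hypothetical, and the one entry without a Fragment field is constructed.

```python
import re
from collections import defaultdict

# Entries quoted in the thread above (one destination masked as posted).
THREAD_LINES = """\
May 22 18:14:39 gaia /kernel:
 ipfw: 65000 Count TCP 209.1.224.16 203.41.52.xxx in via tun0 Fragment = 147
ipfw: -1 Refuse TCP 209.1.224.16 206.130.91.146 in via fxp2 Fragment = 147
ipfw: -1 Refuse TCP 209.1.224.16 206.130.91.146 in via fxp2 Fragment = 147
ipfw: -1 Refuse TCP 209.1.224.16 207.160.214.253 in via fxp7 Fragment = 147
ipfw: -1 Refuse TCP 209.1.224.16 207.160.214.253 in via fxp7 Fragment = 147
ipfw: -1 Refuse TCP 209.1.224.16 207.160.214.253 in via fxp7 Fragment = 147
"""
# Constructed line (not from the thread): an entry without a Fragment field.
CONSTRUCTED = "ipfw: 500 Deny TCP 192.0.2.10:1025 198.51.100.5:23 in via fxp0\n"

ENTRY = re.compile(
    r"ipfw:\s+(?P<rule>-?\d+)\s+(?P<action>\w+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<dir>in|out)\s+via\s+(?P<iface>\w+)"
    r"(?:\s+Fragment\s*=\s*(?P<frag>\d+))?"
)

def parse(text):
    """Yield one dict per ipfw log entry; 'frag' is None when absent."""
    for line in text.splitlines():
        m = ENTRY.search(line)
        if m:
            entry = m.groupdict()
            entry["rule"] = int(entry["rule"])
            entry["frag"] = None if entry["frag"] is None else int(entry["frag"])
            yield entry

def summarize_fragments(text):
    """Group fragment entries by (source, Fragment value)."""
    groups = defaultdict(lambda: {"count": 0, "dsts": set(), "ifaces": set(), "rules": set()})
    for e in parse(text):
        if e["frag"] is None:
            continue  # not a fragment entry
        g = groups[(e["src"], e["frag"])]
        g["count"] += 1
        g["dsts"].add(e["dst"])
        g["ifaces"].add(e["iface"])
        g["rules"].add((e["rule"], e["action"]))
    return dict(groups)

if __name__ == "__main__":
    for (src, frag), g in summarize_fragments(THREAD_LINES + CONSTRUCTED).items():
        print(src, "Fragment =", frag, "count:", g["count"],
              "destinations:", sorted(g["dsts"]), "interfaces:", sorted(g["ifaces"]))
```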
