From cjc@rfx-216-196-73-168.users.reflexcom.com  Wed Mar 14 00:56:40 2001
Return-Path: <cjc@rfx-216-196-73-168.users.reflexcom.com>
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82])
	by hub.freebsd.org (Postfix) with ESMTP id A789C37B718
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 14 Mar 2001 00:56:40 -0800 (PST)
	(envelope-from cjc@rfx-216-196-73-168.users.reflexcom.com)
Received: from rfx-216-196-73-168.users.reflexcom.com ([216.196.73.168]) by mailhost01.reflexnet.net  with Microsoft SMTPSVC(5.5.1877.197.19);
	 Wed, 14 Mar 2001 00:54:38 -0800
Received: (from cjc@localhost)
	by rfx-216-196-73-168.users.reflexcom.com (8.11.1/8.11.1) id f2E8ui814762;
	Wed, 14 Mar 2001 00:56:44 -0800 (PST)
	(envelope-from cjc)
Message-Id: <200103140856.f2E8ui814762@rfx-216-196-73-168.users.reflexcom.com>
Date: Wed, 14 Mar 2001 00:56:44 -0800 (PST)
From: cjclark@reflexcom.com
Reply-To: cjclark@alum.mit.edu
To: FreeBSD-gnats-submit@freebsd.org
Subject: ipfw(8) manpage has no info on "Rule -1"
X-Send-Pr-Version: 3.2

>Number:         25796
>Category:       docs
>Synopsis:       ipfw(8) manpage has no info on "Rule -1"
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    dd
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Mar 14 01:00:02 PST 2001
>Closed-Date:    Wed Apr 25 19:17:59 PDT 2001
>Last-Modified:  Wed Apr 25 19:18:07 PDT 2001
>Originator:     Crist J. Clark
>Release:        FreeBSD 4.2-STABLE i386
>Organization:
>Environment:

	FreeBSD 4-STABLE and 5-CURRENT standard docs.

>Description:

	When logging is enabled in ipfw(8), it may report that packets
were dropped by "Rule -1." From examining the code, this can occur under
two conditions: (1) a call to m_pullup returns zero or (2) a TCP
fragment with an offset of 1 is encountered. For the first issue, I am
not enough of a kernel-mbuf guy to know exactly what the implications
are. However, for the second case, there is already text in the
ipfw(8) manpage spelling this out, but no reference to the fact this
is reported as "Rule -1."
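
As an added illustration (not code from this PR or from ipfw itself), the C below models the two conditions described above as a classifier for a raw IPv4 packet: the sample packet layout and the 10.0.0.x addresses are constructed, and treating a buffer too short for the IP header as "m_pullup returned zero" is an approximation of the first condition.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IP_OFFMASK  0x1fff   /* low 13 bits of ip_off: fragment offset in 8-byte units */
#define IP_MF       0x2000   /* "more fragments" flag */
#define IPPROTO_TCP 6
#define IP_HDR_MIN  20

enum verdict { PASS_TO_RULES, RULE_MINUS_ONE_PULLUP, RULE_MINUS_ONE_TINYFRAG };

/* Decide whether a raw IPv4 packet takes the "rule -1" path before any numbered
 * rule is consulted. Condition (1) is approximated: a buffer too short for the IP
 * header stands in for an m_pullup failure (the real call can fail for other
 * reasons too, e.g. mbuf exhaustion). */
enum verdict classify(const uint8_t *pkt, size_t len)
{
    if (len < IP_HDR_MIN || (pkt[0] >> 4) != 4)
        return RULE_MINUS_ONE_PULLUP;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;
    if (hlen < IP_HDR_MIN || len < hlen)
        return RULE_MINUS_ONE_PULLUP;
    uint16_t off = (uint16_t)((pkt[6] << 8) | pkt[7]) & IP_OFFMASK;
    /* Condition (2): offset 1 means the fragment begins 8 bytes into the TCP
     * header, past the port numbers, so no port-based rule can match it and
     * ipfw discards it outright, logging the drop as rule -1. */
    if (pkt[9] == IPPROTO_TCP && off == 1)
        return RULE_MINUS_ONE_TINYFRAG;
    return PASS_TO_RULES;
}

/* Build a constructed 28-byte IPv4 packet (20-byte header, 8 payload bytes) from
 * 10.0.0.1 to 10.0.0.2 and classify it; truncate_to > 0 shortens the buffer handed
 * to classify() to simulate a packet that cannot be pulled up. */
enum verdict verdict_for(uint8_t proto, uint16_t frag_units, int more_frags,
                         size_t truncate_to)
{
    uint8_t buf[28];
    uint16_t off = (uint16_t)((frag_units & IP_OFFMASK) | (more_frags ? IP_MF : 0));
    memset(buf, 0, sizeof buf);
    buf[0] = 0x45; buf[3] = 28;                       /* IPv4, IHL 5, total length 28 */
    buf[6] = (uint8_t)(off >> 8); buf[7] = (uint8_t)off; /* flags + offset, big-endian */
    buf[8] = 64; buf[9] = proto;                      /* TTL, protocol */
    buf[12] = 10; buf[15] = 1;                        /* src 10.0.0.1 */
    buf[16] = 10; buf[19] = 2;                        /* dst 10.0.0.2 */
    size_t n = (truncate_to && truncate_to < sizeof buf) ? truncate_to : sizeof buf;
    return classify(buf, n);
}
```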

>How-To-Repeat:

	Enable firewall logging and fire tiny, the smallest possible,
fragments at it to see "Rule -1." Use 'man ipfw' to review the
documentation.

>Fix:

	A quick sentence in ipfw(8) should be a nice RTFM pointer
since this pops up frequently on the mail lists. A simple patch,


--- ipfw.8.orig Sat Feb 24 04:04:10 2001
+++ ipfw.8      Wed Mar 14 00:46:30 2001
@@ -1006,7 +1006,8 @@
 discard, that is a TCP packet's fragment with a fragment offset of
 one.
 This is a valid packet, but it only has one use, to try
-to circumvent firewalls.
+to circumvent firewalls. When logging is enabled, these packets are
+reported as being dropped by rule -1.
 .It
 If you are logged in over a network, loading the
 .Xr kld 4
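Review bot: the added sentence on the `+to circumvent firewalls. When logging is enabled, these packets are` line should start on its own line, since mdoc sources follow the "new sentence, new line" convention; write `+to circumvent firewalls.` and then `+When logging is enabled, these packets are` on the next line. The hunk also documents only one of the two causes of "rule -1" named in the Description (the offset-1 TCP fragment) and says nothing about the m_pullup failure case, so a reader looking up the log message will still find only a partial explanation; a short clause noting that a packet whose headers cannot be pulled up is reported the same way would close that gap.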
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-doc->dd 
Responsible-Changed-By: dd 
Responsible-Changed-When: Wed Mar 14 17:45:34 PST 2001 
Responsible-Changed-Why:  
I'll do this. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=25796 
State-Changed-From-To: open->suspended 
State-Changed-By: dd 
State-Changed-When: Thu Mar 15 17:28:12 PST 2001 
State-Changed-Why:  
Committed to -current, thanks!  I'll MFC this after the code freeze. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=25796 
State-Changed-From-To: suspended->closed 
State-Changed-By: dd 
State-Changed-When: Wed Apr 25 19:17:59 PDT 2001 
State-Changed-Why:  
MFC'd. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=25796 
>Unformatted:
