Aiee :)
Hello!
> Can anyone tell me what these log file entries mean?
>
>
> Jun 8 12:30:02 ruby kernel: Suspect short first fragment.
> Jun 8 12:30:02 ruby kernel: eth0 PROTO=6 212.140.74.85:0 195.138.224.3:0
> L=20 S=0x00 I=38663 F=0x6000 T=21 (#0)
> Jun 8 12:30:05 ruby kernel: Suspect short first fragment.
> Jun 8 12:30:05 ruby kernel: eth0 PROTO=6 212.140.74.85:0 195.138.224.3:0
> L=20 S=0x00 I=38919 F=0x6000 T=21 (#0)
I guess that someone (212.140.74.85) is trying to send you a
fragmented TCP segment.
There are at least two points on why this shouldn't happen, IMHO:
1 - TCP never sends fragmented segs (if PMTU is - by default - active).
(so this is strange).
2 - This should be an attempt to open a firewalled service by means
of fragment overlaps.
The Linux firewall software deals with that as stated in net/ipv4/ip_fw.c:
    offset = (ntohs(ip->tot_len) < (ip->ihl<<2)+size_req);

    /* If it is a truncated first fragment then it can be
     * used to rewrite port information, and thus should
     * be blocked.
     */
    if (offset && (ntohs(ip->frag_off) & IP_MF)) {
        if (!testing && net_ratelimit()) {
            printk("Suspect short first fragment.\n");
            dump_packet(ip,rif,NULL,NULL,0,0,0,0);
        }
        return FW_BLOCK;
    }
Hope this helps (and it's right ;))
bye bye
-- gg sullivan
>
>
> Regards,
>
> AW
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-net" in
> the body of a message to [EMAIL PROTECTED]
--
Lorenzo Cavallaro `Gigi Sullivan' <[EMAIL PROTECTED]>
Until I loved, life had no beauty;
I did not know I lived until I had loved. (Theodor Korner)
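Added example, not part of the original message and not kernel code: a user-space version of the check quoted above, run on a header rebuilt from the logged fields (L=20, I=38663, F=0x6000, T=21, PROTO=6). The per-protocol size_req values, the offset test and every function name are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_MF      0x2000  /* "more fragments" flag in frag_off */
#define IP_OFFMASK 0x1fff  /* fragment offset, in 8-byte units */

/* Assumed minimum transport bytes a filter needs in a first fragment:
 * TCP ports plus flags word = 16, UDP/ICMP = 8 (not stated in the post). */
static unsigned size_req_for(uint8_t proto)
{
    if (proto == 6) return 16;
    return (proto == 17 || proto == 1) ? 8 : 0;
}

/* 1 = truncated first fragment (block), 0 = passes this check,
 * -1 = IPv4 header itself is malformed. Later fragments return 0. */
int short_first_fragment(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    unsigned ihl = (pkt[0] & 0x0f) * 4u;
    unsigned tot_len = ((unsigned)pkt[2] << 8) | pkt[3];
    unsigned frag = ((unsigned)pkt[6] << 8) | pkt[7];
    if (ihl < 20 || ihl > len) return -1;
    if (frag & IP_OFFMASK) return 0;
    return tot_len < ihl + size_req_for(pkt[9]) && (frag & IP_MF);
}

/* Header rebuilt from the log line; checksum is zero because the log
 * does not record it (constructed sample). */
const uint8_t logged_pkt[20] = {
    0x45, 0x00, 0x00, 0x14,  0x97, 0x07, 0x60, 0x00,
    0x15, 0x06, 0x00, 0x00,  212, 140, 74, 85,  195, 138, 224, 3
};

/* Same header with total length and frag_off replaced, for comparison. */
int check_variant(uint16_t tot_len, uint16_t frag_off)
{
    uint8_t buf[64] = {0};
    memcpy(buf, logged_pkt, sizeof logged_pkt);
    buf[2] = (uint8_t)(tot_len >> 8);  buf[3] = (uint8_t)tot_len;
    buf[6] = (uint8_t)(frag_off >> 8); buf[7] = (uint8_t)frag_off;
    return short_first_fragment(buf, sizeof buf);
}

int main(void) {
    printf("logged packet blocked: %d\n", short_first_fragment(logged_pkt, 20));
    return 0;
}
```

In the logged packet F=0x6000 decodes to DF and MF both set with offset 0, and L=20 is exactly the IP header length, so the fragment carries no TCP header bytes at all.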