From 32de50521303d5cc2a3feeb838f9c07f1956079b Mon Sep 17 00:00:00 2001
From: Dima Dorfman <dd@FreeBSD.org>
Date: Fri, 16 Mar 2001 01:28:11 +0000
Subject: [PATCH] Explain that TCP fragments with an offset of 1 are reported
 as being dropped by rule -1 if logging is enabled.

PR:		25796
Submitted by:	Crist J. Clark <cjclark@alum.mit.edu>
Approved by:	nik
---
 sbin/ipfw/ipfw.8 | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index 5b8b82ee94a9..e2815fd86bf0 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -1075,7 +1075,8 @@ There is one kind of packet that the firewall will always
 discard, that is a TCP packet's fragment with a fragment offset of
 one.
 This is a valid packet, but it only has one use, to try
-to circumvent firewalls.
+to circumvent firewalls. When logging is enabled, these packets are
+reported as being dropped by rule -1.
 .It
 If you are logged in over a network, loading the
 .Xr kld 4