From 32de50521303d5cc2a3feeb838f9c07f1956079b Mon Sep 17 00:00:00 2001
From: Dima Dorfman
Date: Fri, 16 Mar 2001 01:28:11 +0000
Subject: [PATCH] Explain that TCP fragments with an offset of 1 are reported
as being dropped by rule -1 if logging is enabled.
PR: 25796
Submitted by: Crist J. Clark
Approved by: nik
---
sbin/ipfw/ipfw.8 | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index 5b8b82ee94a9..e2815fd86bf0 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -1075,7 +1075,8 @@ There is one kind of packet that the firewall will always
discard, that is a TCP packet's fragment with a fragment offset of
one.
This is a valid packet, but it only has one use, to try
-to circumvent firewalls.
+to circumvent firewalls. When logging is enabled, these packets are
+reported as being dropped by rule -1.
.It
If you are logged in over a network, loading the
.Xr kld 4