Chris Buechler wrote:
> Unless you disabled logging on the default rules, had it hit the
> firewall rules it would have gotten logged under any circumstance.
Yay. Not good enough, I say.
> I'm quite certain that a packet with a bad TCP checksum won't get far
> enough into the kernel to even get to the firewall. Does *any*
> general purpose OS actually pass packets with bad TCP checksums so far
> in the stack that they hit the firewall?
But that's not an excuse for not logging the packets when they're being dropped.
> That may not even make it past the hardware on some NIC's.
I doubt that's the case, I've seen commercial firewalls that log when
dropping packets due to TCP corruption.
Then again, maybe you're right, I'm not so much into the
technicalities of rx checksum offloading that I know whether enabling
that will silence those packets completely or not.
> I don't think any firewall is going to log that unless the OS logs
> received packets that are screwed up.
As far as I'm concerned, a firewall should log all packets it's
dropping, regardless of cause. Therefore my personal attitude towards
this is that m0n0wall is missing a hook into the OS somewhere,
allowing it to log this stuff. Or maybe the OS is missing a feature
that would enable it to log such events to the syslog by itself.
> dare I even ask how that happened....
Seems so :)
Piped traffic from a virtual machine through a software bridge onto a
VLAN, circumventing the hypervisor's
detect-when-packets-are-physically-leaving-the-machine logic, which
would otherwise cause it to poke the physical network adapter such
that it applies a checksum.