| 1 | Passed packet logged | passed(1) | Packet passed. The packet was passed by a rule that specified the packet should also be logged. |
| 256 | Denied or no pass rule found | noRuleOrDenyRule(256) | Packet dropped because it did not match any rule. Can also indicate that the packet's source address was invalid for the network interface. |
| 257 | No connection | noState(257) | Packet dropped due to missing state information. The packet was part of an existing, possibly legal session, but no session information could be found. This could be due to the Screen timing out the connection, the Screen being rebooted and losing session state, or a protocol violation where the initial packets were not sent. |
| 258 | Out of memory | noMemory(258) | Packet dropped due to the lack of Screen memory. The Screen could not create the session state due to a lack of real memory. The Screen will accept new sessions when current sessions are closed. |
| 259 | Too many connections | tooManySessions(259) | Packet dropped because the maximum number of sessions is already open. The Screen will accept a new session when a current session of this type is closed. |
| 260 | Invalid port | invalidPort(260) | Packet dropped due to an invalid port number specification. An example is an FTP data session not on port 20. |
| 261 | Bad format | invalidFormat(261) | Packet dropped due to an invalid format. The Screen determined that the packet did not match the service specified in the rules. |
| 262 | Bad direction | invalidDirection(262) | Packet dropped due to invalid "direction." For example, a DNS request was received when a DNS response was expected. |
| 263 | Too many responses | tooManyResponses(263) | Packet dropped due to too many responses. The applicable rule specified a simple UDP exchange but the Screen received multiple responses. |
| 264 | Too short | tooShort(264) | Packet dropped because it was too short for the service specified. |
| 265 | Bad protocol | invalidProtocol(265) | Packet dropped because of an invalid protocol identifier. For example, an RPC packet was not of protocol UDP or TCP. |
| 266 | No port map | noPortmapEntry(266) | RPC packet dropped due to lack of port mapping entry. An RPC packet was received on an invalid port. This can occur when the Screen times out RPC portmap entries faster than the end nodes. |
| 267 | Bad port map | invalidPortMapEntry(267) | RPC packet dropped due to invalid port mapping entry. The portmapper specified that a different RPC program resides on the port. |
| 268 | NIS protocol error | nisProtocolError(268) | NIS+ packet dropped due to protocol error (not implemented). |
| 269 | Bad interface | invalidInterface(269) | Indicates a "bad policy." This error message is typically caused by an invalid identity. The packet was dropped because the encryption characteristics of the packet did not match those specified in an otherwise matching rule. That is, the source address, destination address, and service of the packet matched at least one rule, but the encryption setting conflicted with what was received. Possible encryption characteristic differences include the following: the packet was received encrypted, but the rule specified that it must be unencrypted; the packet was received unencrypted, but the rule specified that it must be encrypted; one of the encryption parameters of the packet did not match a parameter specified for the rule (for example, a mismatching key algorithm was used or the wrong certificate was specified). The encryption settings for the sender and the Screen should be compared to verify that they are identical and that the correct keys are being used. |
| 270 | Bad policy | invalidPolicy(270) | A SKIP packet matched an existing encryption rule but had one or more parameters set incorrectly. |
| 272 | Bad source address | invalidSourceAddres(272) | Indicates a packet was dropped because it was received on an interface where it was not expected; that is, the packet was dropped owing to spoof-detection checks. If the source of the rejected packet is supposed to be allowed on the interface, it should be added to the address group assigned to the interface. |
| 274 | Fragment too big | fragmentTooBig(274) | Indicates a possible network attack. |
| 275 | Fragment overlap | fragmentOverlap(275) | A packet was fragmented while it was in transit and the fragments contain redundant data. May indicate a network attack. |
| 277 | cert not in rule | certNotInRule(277) | An inbound packet was decrypted for which SKIP identities, algorithms, or version mismatched its rule in the active policy. The packet was dropped. (See also Number 269 above.) |
| 278 | attempt to encrypt a decrypted packet | invalidEncrypt(278) | An inbound packet was decrypted for a rule which only indicates encryption. The packet was dropped. (See also Number 269 above.) |
| 279 | no state associated with policy | noSKIPState(279) | An inbound packet was decrypted for which no rule or state exists in the active policy. The packet was dropped. |
| 280 | stale skip policy | staleSKIPPolicy(280) | An inbound packet was decrypted for an old (stale) state entry. The packet was dropped. |
| 281 | illegal dest address | invalidDestinationAddress(281) | An outbound packet was dropped because the destination was illegal on the interface of a screen with destination address checking enabled (DEST_CHECK). |