Vulnerability Development mailing list archives

Firewall-1 Logging *Issue*


From: frantzen () EXPERT CC PURDUE EDU (Mike Frantzen)
Date: Thu, 13 Jan 2000 22:32:58 -0500


Since BB wants some list traffic and I don't want to do math homework,
here goes.

While dinking with an eval version of Firewall-1 4.0 last summer,
I ran across an 'oddity' in the logging.

Brief background:
        Ultra 2 w/ dual 200MHz
        Solaris 2.6 w/ recommended cluster (As of last summer)
        Firewall-1 4.0 (right off the CD, no patches)
                - Allow outgoing DNS and Telnet
                - Drop everything else

Using a tool of mine (http://expert.cc.purdue.edu/~frantzen/isic-0.04.tgz)
that was hurling around 3,000 tcp packets through the firewall.
The destination IP and ports were randomized but the source IP (source port,
tcp flags, ip/tcp options, the works, all randomized for every packet)

Now while watching the logs grow (really really fast), I saw that the
source IP was being diddled on.  For a few seconds of traffic, the source
IP was losing the high bit.  I.e., a 132.3.2.1 would become a 4.3.2.1.
The next few thousand packets would also have the wrong source IP.  After
a few seconds and a few thousand packets, the source IP would be reported
correctly in the log viewer.  Waiting awhile longer and it would drop the
MSB again.   Rinse, lather, and repeat.

Best guess is that the IP is being stored in an unsigned int and it gets
converted to a signed int and back to an unsigned somewhere.  I personally
feel that this occurs in the log condensing hash table but I couldn't
reliably reproduce it.

Note:  little endian machines (x86) will show the effects differently.

Shit, I guess this means I have to do math homework now.  Bah

later,
.mike
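
A model of the symptom described in the post, added here as an example and not code from the post or from Firewall-1: it clears bit 31 of the 32-bit word holding the address and shows which octet changes on a big-endian host (the SPARC used above) versus a little-endian one, plus a check for correlating log entries with a packet capture. The cause inside the product is not established by the post; the function names, the 0xAABBCCDD packing and the sample addresses are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Read four network-order bytes as one 32-bit word, the way a big-endian
 * host (SPARC) or a little-endian host (x86) sees them in memory. */
static uint32_t load_word(const uint8_t b[4], int little_endian)
{
    return little_endian
        ? ((uint32_t)b[3] << 24) | ((uint32_t)b[2] << 16) | ((uint32_t)b[1] << 8) | b[0]
        : ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) | ((uint32_t)b[2] << 8) | b[3];
}

/* Inverse of load_word: write the word back out as four bytes in memory. */
static void store_word(uint32_t w, uint8_t b[4], int little_endian)
{
    for (int i = 0; i < 4; i++) {
        int shift = little_endian ? 8 * i : 8 * (3 - i);
        b[i] = (uint8_t)(w >> shift);
    }
}

/* addr is a.b.c.d packed as 0xAABBCCDD. Returns the address that would be
 * logged if bit 31 of the in-memory word were cleared (assumed symptom). */
uint32_t logged_source(uint32_t addr, int little_endian)
{
    uint8_t wire[4] = { (uint8_t)(addr >> 24), (uint8_t)(addr >> 16),
                        (uint8_t)(addr >> 8),  (uint8_t)addr };
    uint32_t word = load_word(wire, little_endian) & 0x7fffffffu;
    store_word(word, wire, little_endian);
    return load_word(wire, 0);   /* repack as 0xAABBCCDD for comparison */
}

/* Log/capture correlation: does this logged address match the captured one,
 * either exactly or after the modelled corruption? */
int same_source(uint32_t logged, uint32_t captured, int little_endian)
{
    return logged == captured || logged == logged_source(captured, little_endian);
}

int main(void)
{
    uint32_t samples[] = { 0x84030201u, 0x01020384u };  /* constructed inputs */
    for (int i = 0; i < 2; i++)
        for (int le = 0; le < 2; le++)
            printf("%08x %s-endian -> %08x\n", (unsigned)samples[i],
                   le ? "little" : "big", (unsigned)logged_source(samples[i], le));
    return 0;
}
```

Under this model the big-endian case reproduces the 132.3.2.1 to 4.3.2.1 change from the post, while on a little-endian host the cleared bit lands in the last octet instead.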

