Re: Linux Firewalls/Routers - 3rd Round
- To: Eli Marmor <marmor(at-nospam)netmask.it>
- Subject: Re: Linux Firewalls/Routers - 3rd Round
- From: Dani Arbel <darbel(at-nospam)techunix.technion.ac.il>
- Date: Tue, 30 Oct 2001 12:27:04 +0200 (IST)
- Cc: <linux-il(at-nospam)linux.org.il>
- Delivered-To: linux.org.il-linux-il@linux.org.il
- In-Reply-To: <3BDE70A1.2879006F@netmask.it>
- Sender: linux-il-bounce(at-nospam)cs.huji.ac.il
Eli,
It is a bit difficult to ignore this bug problem, because any firewall
based on iptables will not be better than iptables itself.
The bug with conntrack related status was reported to be solved long ago.
So is it just a fear of unknown similar bugs or known unpublished bugs?
The original bug report and analysis reveal a minor threat to most of us:
one has to be logged in to the fw to exploit it (start an FTP session on
server X, run a service on the local machine on high port Y, send a port
command to server X with port number Y, then connect from server X to port
Y with the correct client).
Dani
On Tue, 30 Oct 2001, Eli Marmor wrote:
> To Oleg, Dani, Tzahi, and everybody else:
>
> First, disclaimer: The following is based on what I HAVE UNDERSTOOD. I
> may be wrong, since I've never heard an exact description of the
> problem, and I'm not an expert in iptables...
>
> The security problems are really connected to already established
> sessions which change ports in the middle, like FTP.
> But the bug you all mentioned, is only a symptom, according to what I
> have learned from hints of hackers, and the problem is the design.
>
> I guess that Linus and others are afraid that more similar bugs will be
> discovered in the future, or already discovered.
>
> This is really scaring.
>
> But please ignore this issue, and try to contribute to the main subject
> of the thread - the Linux 2.4 based firewalls/routers, that I mentioned
> in the starting message of the thread.
>
> --
> Eli Marmor
> marmor@netmask.it
> CTO, Founder
> Netmask (El-Mar) Internet Technologies Ltd.
> __________________________________________________________
> Tel.: +972-9-766-1020 8 Yad-Harutzim St.
> Fax.: +972-9-766-1314 P.O.B. 7004
> Mobile: +972-50-23-7338 Kfar-Saba 44641, Israel
>
> =================================================================
> To unsubscribe, send mail to linux-il-request@linux.org.il with
> the word "unsubscribe" in the message body, e.g., run the command
> echo unsubscribe | mail linux-il-request@linux.org.il
>
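The PORT-command handling behind the scenario Dani describes, as an added illustration that is not part of the original messages and not the kernel's ip_conntrack_ftp code: a simplified Python model of how an FTP helper turns a PORT command into a pre-authorised ("RELATED") data connection, together with an admission policy that refuses the case in the thread (a client on the firewall advertising one of the firewall's own high ports) and two other mismatches. The policy rules, the function names and all addresses are constructed for the example; the real helper's logic differs.

```python
"""Simplified model of an FTP connection-tracking helper and an admission
policy for the data connections it pre-authorises.
Added illustration only: not the kernel's ip_conntrack_ftp code, and every
address below is a constructed sample value."""
import ipaddress
import re

# RFC 959 form: PORT h1,h2,h3,h4,p1,p2
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")


class RejectedExpectation(ValueError):
    """Raised when a PORT command must not create a RELATED entry."""


def parse_port_command(line):
    """Turn 'PORT h1,h2,h3,h4,p1,p2' into (IPv4Address, port)."""
    m = PORT_RE.match(line)
    if not m:
        raise RejectedExpectation("not a well-formed PORT command: %r" % line)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise RejectedExpectation("field out of range in %r" % line)
    ip = ipaddress.IPv4Address(".".join(str(f) for f in fields[:4]))
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise RejectedExpectation("port 0 is not usable")
    return ip, port


def expectation_for(control_client, control_server, line, firewall_addrs):
    """Return the data connection a helper would mark RELATED
    (server -> advertised address:port), or raise if policy refuses it.

    Policy (a hardening model assumed for this example, not the kernel's
    exact behaviour):
      1. the advertised address must be the control connection's client;
      2. the port must be unprivileged;
      3. the destination must not be the firewall host itself, so that a
         process on the firewall cannot open a hole to one of its own ports.
    """
    client = ipaddress.IPv4Address(control_client)
    adv_ip, port = parse_port_command(line)
    if adv_ip != client:
        raise RejectedExpectation(
            "advertised %s differs from client %s" % (adv_ip, client))
    if port < 1024:
        raise RejectedExpectation("privileged port %d refused" % port)
    if adv_ip in {ipaddress.IPv4Address(a) for a in firewall_addrs}:
        raise RejectedExpectation(
            "would expose the firewall's own port %d" % port)
    return {"proto": "tcp", "src": control_server,
            "dst": str(adv_ip), "dport": port}


def admit(control_client, control_server, line, firewall_addrs):
    """Boolean wrapper: True if the RELATED entry would be created."""
    try:
        expectation_for(control_client, control_server, line, firewall_addrs)
        return True
    except RejectedExpectation:
        return False


# Constructed sample addresses (documentation ranges, not real hosts).
FIREWALL = ["192.0.2.1", "203.0.113.1"]   # LAN side and WAN side of the fw
LAN_CLIENT = "192.0.2.10"
SERVER_X = "198.51.100.7"

if __name__ == "__main__":
    # Ordinary active-mode transfer from a LAN host: admitted.
    print(expectation_for(LAN_CLIENT, SERVER_X,
                          "PORT 192,0,2,10,19,137", FIREWALL))
    # The scenario in the thread: the FTP client runs on the firewall and
    # advertises one of the firewall's own high ports. Refused by rule 3.
    print(admit("203.0.113.1", SERVER_X,
                "PORT 203,0,113,1,19,137", FIREWALL))
    # Advertised address that is not the client at all. Refused by rule 1.
    print(admit(LAN_CLIENT, SERVER_X, "PORT 192,0,2,99,19,137", FIREWALL))
```

Rule 3 is the trade-off to notice: it also blocks legitimate active-mode FTP started from the firewall host, which is exactly the kind of activity Dani's precondition (being logged in to the fw) suggests a firewall should not be hosting in the first place.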