
Re: Linux Firewalls/Routers - 3rd Round



If my limited understanding of iptables is correct, you can take your 
ipchains policy as-is, and further tighten it by adding the "RELATED" 
keyword to some rules.

If that is correct, the worst a netfilter bug can do is revert you to 
your ipchains policy.

Assuming all of the above is correct, can someone please explain to me 
why NOT to switch to iptables?

            Shachar

Disclaimer:
This is a call for more information, not advice. In any case, don't 
quote me as the reason for any security decision you make, unless you 
happen to be my employer.

Eli Marmor wrote:

>To Oleg, Dani, Tzahi, and everybody else:
>
>First, disclaimer: The following is based on what I HAVE UNDERSTOOD. I
>may be wrong, since I've never heard an exact description of the
>problem, and I'm not an expert in iptables...
>
>The security problems are really connected to already established
>sessions which change ports in the middle, like FTP.
>But the bug you all mentioned is only a symptom, according to what I
>have learned from hints from hackers; the problem is the design.
>
>I guess that Linus and others are afraid that more similar bugs will be
>discovered in the future, or already discovered.
>
>This is really scary.
>
>But please ignore this issue, and try to contribute to the main subject
>of the thread - the Linux 2.4 based firewalls/routers, that I mentioned
>in the starting message of the thread.
>

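Added example, not from anyone in the thread: the same single-host inbound policy written the ipchains way and then the iptables way, to make concrete what "adding RELATED" replaces. The ipchains version has no connection tracking, so a client behind it doing active-mode FTP needs a static rule admitting the server's data connections (source port 20 to any local unprivileged port); the iptables version drops that rule and relies on one ESTABLISHED,RELATED match instead. The interface name, the allowed SSH port and the dry-run mechanism are my assumptions for illustration; applying the rules needs root and a 2.4 kernel with ip_conntrack and ip_conntrack_ftp loaded. The caveat a practitioner should keep in mind: the data connection only counts as RELATED because the FTP helper parsed the PORT/PASV exchange on the control channel, so once the static high-port rule is gone, that helper is the only thing deciding which inbound data connections are admitted, which is exactly the "sessions that change ports in the middle" area Eli's message points at.

```shell
#!/bin/sh
# Added example: ipchains (2.2, stateless) versus iptables (2.4, conntrack)
# for the same host.  Dry-run by default; set APPLY=1 to run for real.
# IFACE and the allowed SSH port are assumptions, not from the thread.

IFACE=${IFACE:-eth0}
if [ "${APPLY:-0}" = "1" ]; then
    IPCHAINS=ipchains
    IPTABLES=iptables
else
    IPCHAINS="echo ipchains"
    IPTABLES="echo iptables"
fi

# ipchains: no state, so replies and FTP data must be let in by static
# rules.  "! -y" accepts any TCP packet that is not a bare SYN; the port-20
# rule opens every local port above 1023 to anything claiming source port 20.
ipchains_policy() {
    $IPCHAINS -F input
    $IPCHAINS -P input DENY
    $IPCHAINS -A input -i lo -j ACCEPT
    $IPCHAINS -A input -i "$IFACE" -p tcp ! -y -j ACCEPT
    $IPCHAINS -A input -i "$IFACE" -p tcp -s 0/0 20 -d 0/0 1024:65535 -j ACCEPT
    $IPCHAINS -A input -i "$IFACE" -p udp -s 0/0 53 -d 0/0 1024:65535 -j ACCEPT
    $IPCHAINS -A input -i "$IFACE" -j DENY -l
}

# iptables: the "! -y", port-20 and DNS-reply rules collapse into one
# stateful rule.  ESTABLISHED matches replies to flows conntrack has seen;
# RELATED matches the FTP data connection, classified that way only because
# ip_conntrack_ftp read the PORT/PASV exchange on the control connection.
iptables_policy() {
    $IPTABLES -F INPUT
    $IPTABLES -P INPUT DROP
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -i "$IFACE" -m state --state NEW -p tcp --dport 22 -j ACCEPT
    $IPTABLES -A INPUT -i "$IFACE" -m state --state INVALID -j DROP
    $IPTABLES -A INPUT -i "$IFACE" -j LOG --log-prefix "INPUT drop: "
    $IPTABLES -A INPUT -i "$IFACE" -j DROP
}

# Self-check helpers: count the static high-port rules each policy carries.
# The stateless policy needs them; the stateful one must not have any.
stateless_highport_rules() {
    ipchains_policy | grep -c '1024:65535' || true
}
stateful_highport_rules() {
    iptables_policy | grep -c '1024:65535' || true
}
stateful_related_rules() {
    iptables_policy | grep -c 'ESTABLISHED,RELATED' || true
}

# Print both rule sets when run directly (dry-run unless APPLY=1).
ipchains_policy
echo
iptables_policy
```

Run it as-is to see both rule sets printed; run with APPLY=1 on a 2.4 box to load the iptables version (the ipchains calls will then fail on a kernel without ipchains, which is the point of the split). The counting helpers exist only so the two policies can be compared mechanically: the ipchains set carries the static high-port rules, the iptables set carries none and one ESTABLISHED,RELATED rule.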
