Re: Linux Firewalls/Routers - 3rd Round
- To: <linux-il(at-nospam)linux.org.il>
- Subject: Re: Linux Firewalls/Routers - 3rd Round
- From: Dani Arbel <darbel(at-nospam)techunix.technion.ac.il>
- Date: Mon, 29 Oct 2001 22:26:41 +0200 (IST)
- Cc: Eli Marmor <marmor(at-nospam)netmask.it>, <linux-il(at-nospam)cs.huji.ac.il>
- In-Reply-To: <m3wv1egrl2.fsf@hedwig.data-zoo.com>
- Sender: linux-il-bounce(at-nospam)cs.huji.ac.il
Hi!
I wonder if the small flaw in the "related" state (part of the conntrack
module of iptables) is really what backed Linus off iptables. In fact, if
you use ipchains you are constantly in a situation where you allow
incoming packets to high (random) ports, while the bug just allowed an
incoming packet from a specific host for a small time period (the time needed
to start the TCP connection). This bug was fixed a long time ago.
Is there an unpublished bug in iptables, known to the developers and
hackers only?
Dani
On 29 Oct 2001, Oleg Goldshmidt wrote:
> Eli Marmor <marmor@netmask.it> writes:
>
> > > Don't use iptables. Go with 2.2.19 and ipchains. Iptables has a
> > > security exploit which I and many others can use to enter your
> > > network.
> >
> > After being amazed by this warning, I asked for more details, and he
> > responded:
> >
> > > It might have been fixed since, but last time I talked with Linus about
> > > it (around 25th of September, I believe) he was very much aware of this
> > > problem and in fact he said that at home he is still using 2.2.19 for
> > > firewalling.
>
> Is this what Moshe means?
>
> http://www.sfu.ca/~siegert/linux-security/msg00048.html
> http://www.sfu.ca/~siegert/linux-security/msg00059.html
>
> This, however, was fixed in June:
>
> http://www.redhat.com/support/errata/RHSA-2001-084.html
>
> Anything else?
>
> There have been 3 (2.4) kernel versions in October:
>
> ftp://ftp.kernel.org/pub/linux/kernel/v2.4
>
> --
> Oleg Goldshmidt | ogoldshmidt@NOSPAM.computer.org
> "If it ain't broken, it has not got enough features yet."
>
> =================================================================
> To unsubscribe, send mail to linux-il-request@linux.org.il with
> the word "unsubscribe" in the message body, e.g., run the command
> echo unsubscribe | mail linux-il-request@linux.org.il
>
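The contrast Dani draws above, between an ipchains-style stateless ruleset that must permanently admit inbound non-SYN segments to high ports and a conntrack-style stateful one that only admits packets answering a flow it has seen, can be made concrete with a small simulation. The code below is an added example written for this archive page; it is not code from the thread, from ipchains or from netfilter. The internal prefix, the offered service set, the packet values and the 120-second flow timeout are all constructed for the demonstration.

```python
"""Stateless (ipchains-style) vs stateful (conntrack-style) inbound filtering.

Constructed simulation: packets are plain records, no sockets or kernel
involved. It shows why a stateless filter must leave unprivileged ports open
to any non-SYN segment, and why a stateful filter need not.
"""
from dataclasses import dataclass

INSIDE_NET = "10.0.0."   # hypothetical internal network prefix
OPEN_SERVICES = {25}     # hypothetical: only SMTP is offered to the outside


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool   # True for a connection-opening segment (SYN without ACK)


def is_inbound(p: Packet) -> bool:
    """A packet is inbound when it comes from outside and targets the inside."""
    return (not p.src.startswith(INSIDE_NET)) and p.dst.startswith(INSIDE_NET)


def stateless_allow(p: Packet) -> bool:
    """ipchains-style decision: no memory of earlier packets.

    Outbound traffic is allowed. Inbound traffic is allowed only to an offered
    service, or when it is a non-SYN segment aimed at an unprivileged port,
    which the filter has to assume is the reply to some earlier outbound
    connection. That assumption is exactly the standing hole Dani describes.
    """
    if not is_inbound(p):
        return True
    if p.dport in OPEN_SERVICES:
        return True
    return (not p.syn) and p.dport >= 1024


class StatefulFirewall:
    """conntrack-style decision: remember outbound flows, admit only answers."""

    def __init__(self, timeout: int = 120):
        self.timeout = timeout
        self.flows = {}  # (src, sport, dst, dport) -> time last seen

    def allow(self, p: Packet, now: int) -> bool:
        # Drop flow entries that have been idle longer than the timeout, so an
        # opening is never permanent; it lives only as long as the flow does.
        self.flows = {k: t for k, t in self.flows.items()
                      if now - t <= self.timeout}
        if not is_inbound(p):
            self.flows[(p.src, p.sport, p.dst, p.dport)] = now
            return True
        if p.dport in OPEN_SERVICES:
            return True
        # An inbound packet is only an answer if the reversed 4-tuple is a
        # flow we saw leave; an unsolicited segment to a high port is dropped.
        key = (p.dst, p.dport, p.src, p.sport)
        if key in self.flows:
            self.flows[key] = now
            return True
        return False


def run_scenario() -> dict:
    """Feed the same constructed packets to both filters.

    Returns {name: (stateless_decision, stateful_decision)}.
    """
    fw = StatefulFirewall(timeout=120)
    pkts = {
        "out_syn": Packet("10.0.0.5", 40000, "1.2.3.4", 80, syn=True),
        "reply": Packet("1.2.3.4", 80, "10.0.0.5", 40000, syn=False),
        "unsolicited_high": Packet("9.9.9.9", 12345, "10.0.0.5", 55555, syn=False),
        "scan_ssh": Packet("9.9.9.9", 12345, "10.0.0.5", 22, syn=True),
        "smtp": Packet("9.9.9.9", 5555, "10.0.0.5", 25, syn=True),
    }
    clock = 0
    results = {}
    for name, p in pkts.items():
        clock += 1
        results[name] = (stateless_allow(p), fw.allow(p, clock))
    # The same "reply" long after the flow entry has expired: the stateless
    # filter still lets it in, the stateful one no longer does.
    clock += 1000
    results["reply_after_expiry"] = (stateless_allow(pkts["reply"]),
                                     fw.allow(pkts["reply"], clock))
    return results


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:20s} stateless={stateless!s:5s} stateful={stateful}")
```

The row to look at is `unsolicited_high`: the stateless filter admits it because it cannot tell a reply from an unsolicited segment, while the stateful filter drops it because no matching outbound flow exists. The `reply_after_expiry` row shows the time-bounded nature of the conntrack opening that Dani contrasts with the permanent ipchains one.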