
RE: Linux Firewalls/Routers - 3rd Round



It was fixed long ago, by the netfilter core team, here:
http://netfilter.samba.org/security-fix/index.html
Here is the patch, but I am pretty sure it is already incorporated in the latest kernels:
http://netfilter.samba.org/security-fix/ftp-security2.patch

* - * - *
Tzahi Fadida
Tzahi@mailandnews.com
Fax (+1 Outside the US) 240-597-3213
* - * - * - * - * - *


-----Original Message-----
From: linux-il-bounce@cs.huji.ac.il [mailto:linux-il-bounce@cs.huji.ac.il] On Behalf Of Dani Arbel
Sent: Monday, October 29, 2001 10:27 PM
To: linux-il@linux.org.il
Cc: Eli Marmor; linux-il@cs.huji.ac.il
Subject: Re: Linux Firewalls/Routers - 3rd Round


Hi!
I wonder if the small flaw in the "related" state (part of the conntrack
module of iptables) is really what backed Linus off iptables. In fact, if
you use ipchains you are constantly in a situation where you allow
incoming packets to high (random) ports, while the bug just allowed an
incoming packet from a specific host for a small time period (the time needed
to start the TCP connection). This bug was fixed a long time ago.
Is there an unpublished bug in iptables, known to the developers and
hackers only?
Dani


On 29 Oct 2001, Oleg Goldshmidt wrote:

> Eli Marmor <marmor@netmask.it> writes:
>
> > > Don't use iptables. Go with 2.2.19 and ipchains. Iptables has a
> > > security exploit which I and many others can use to enter your
> > > network.
> >
> > After being amazed by this warning, I asked for more details, and he
> > responded:
> >
> > > It might have been fixed since, but last time I talked with Linus about
> > > it (around 25th of September, I believe) he was very much aware of this
> > > problem and in fact he said that at home he is still using 2.2.19 for
> > > firewalling.
>
> Is this what Moshe means?
>
> http://www.sfu.ca/~siegert/linux-security/msg00048.html
> http://www.sfu.ca/~siegert/linux-security/msg00059.html
>
> This, however, was fixed in June:
>
> http://www.redhat.com/support/errata/RHSA-2001-084.html
>
> Anything else?
>
> There have been 3 (2.4) kernel versions in October:
>
> ftp://ftp.kernel.org/pub/linux/kernel/v2.4
>
> --
> Oleg Goldshmidt | ogoldshmidt@NOSPAM.computer.org
> "If it ain't broken, it has not got enough features yet."
>
> =================================================================
> To unsubscribe, send mail to linux-il-request@linux.org.il with
> the word "unsubscribe" in the message body, e.g., run the command
> echo unsubscribe | mail linux-il-request@linux.org.il
>
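The contrast Dani draws above (a stateless ipchains rule that must admit inbound traffic to any high port from anyone, versus a conntrack helper that opens one expected port for one specific peer for a short window) is easy to model. The following Python is an added illustration written for this archive page; it is not netfilter code and not from any participant in the thread. The `ExpectationTable` class, the 30-second lifetime, and the addresses (taken from RFC 5737 documentation ranges) are all constructed for the example.

```python
"""Toy model: stateless high-port rule vs. conntrack-style expectation.

Added illustration of the trade-off discussed on the list; not netfilter code.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def stateless_high_port_rule(pkt: Packet) -> bool:
    """ipchains-style: any source may reach any unprivileged port at any time."""
    return pkt.dport >= 1024


@dataclass
class Expectation:
    src: str          # only this peer may use the opening
    dst: str
    dport: int
    expires_at: float  # the opening vanishes after a short window


class ExpectationTable:
    """Hypothetical expectation table (constructed for the example)."""

    def __init__(self, lifetime: float = 30.0):
        self.lifetime = lifetime
        self._entries: List[Expectation] = []

    def expect(self, src: str, dst: str, dport: int, now: float) -> None:
        """A helper saw a control-channel exchange and expects one data packet."""
        self._entries.append(Expectation(src, dst, dport, now + self.lifetime))

    def admits(self, pkt: Packet, now: float) -> bool:
        # Drop expired openings first, so a late packet is never admitted.
        self._entries = [e for e in self._entries if e.expires_at > now]
        for e in self._entries:
            if (e.src, e.dst, e.dport) == (pkt.src, pkt.dst, pkt.dport):
                self._entries.remove(e)  # one expected packet consumes the opening
                return True
        return False


def run_comparison() -> Tuple[dict, dict]:
    """Evaluate the same constructed packets under both policies."""
    table = ExpectationTable(lifetime=30.0)
    table.expect("198.51.100.7", "192.0.2.10", 40000, now=0.0)

    expected_peer = Packet("198.51.100.7", "192.0.2.10", 40000)
    other_peer = Packet("203.0.113.9", "192.0.2.10", 40000)
    other_port = Packet("203.0.113.9", "192.0.2.10", 45000)

    stateless = {
        "expected_peer": stateless_high_port_rule(expected_peer),
        "other_peer": stateless_high_port_rule(other_peer),
        "other_port": stateless_high_port_rule(other_port),
    }
    stateful = {
        "other_peer": table.admits(other_peer, now=1.0),
        "other_port": table.admits(other_port, now=1.0),
        "expected_peer": table.admits(expected_peer, now=1.0),
    }
    # An opening that is never used before its lifetime elapses.
    table.expect("198.51.100.7", "192.0.2.10", 40001, now=0.0)
    late = Packet("198.51.100.7", "192.0.2.10", 40001)
    stateful["expected_peer_late"] = table.admits(late, now=31.0)
    return stateless, stateful


if __name__ == "__main__":
    for name, result in zip(("stateless", "stateful"), run_comparison()):
        print(name, result)
```

The stateless rule admits all three packets permanently; the expectation admits only the one peer, only on the one port, only once, and only within the window, which is the narrowing Dani is pointing at when he compares the two exposures.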

