Bugtraq mailing list archives

Re: Linux 2.1.x Firewalling code broked


From: rct () MERKIN CSAP AF MIL (Bob Tracy - TDS)
Date: Fri, 15 May 1998 14:01:42 -0500


Darren Reed wrote:
----- Forwarded message from Bob Tracy - TDS -----

Subject: Linux 2.1.X ENskip fixed!
Date: Fri, 15 May 1998 09:07:39 -0500 (CDT)

It took a few days, but I found the problem.  It turns out that the
IP firewall code in Linux 2.1.X has been broken for a long time,
probably since early in the 2.1.X networking development cycle.
Specifically, not all the paths between the IPv4 layer and the physical
layer are covered by the firewall code, and in particular, the path
taken by a SYN_ACK packet ( ip_build_and_send_pkt() ) is not covered.

"Broken" is too strong a word in the above context for the readers of
BUGTRAQ, which is why I didn't post the quoted message here :-(.  I
defend the term as accurate, but decry the implied "The sky is falling!".

I personally consider the problem to be at worst an annoyance.  Worst
case, only a *small* minority of outbound packets reach the physical
layer via the ip_build_and_send_pkt() function.  In any event, the fix
is in, and should be available as part of one of the upcoming 2.1.X
distributions (maybe as early as 2.1.103: 2.1.102 was released hours
ago).

A gentle reminder to BUGTRAQ readers is in order: computer/network
security is a risk-management function.  If folks are running development
code (kernel or otherwise) in a production environment, the risk should
be obvious.  The non-obvious part is whether the risk is acceptable.

--
Bob Tracy               | "Microsoft's biggest and most dangerous
Trident Data Systems    |  contribution to the software industry may
AFIWC/TIPER             |  be the degree to which it has lowered user
rct () merkin csap af mil  |  expectations."       - Esther Schindler
                                                  OS/2 Magazine


