Bugtraq mailing list archives
Re: Linux 2.1.x Firewalling code broked
From: rct () MERKIN CSAP AF MIL (Bob Tracy - TDS)
Date: Fri, 15 May 1998 14:01:42 -0500
Darren Reed wrote:
> ----- Forwarded message from Bob Tracy - TDS -----
>
> Subject: Linux 2.1.X ENskip fixed!
> Date: Fri, 15 May 1998 09:07:39 -0500 (CDT)
>
> It took a few days, but I found the problem. It turns out that the IP firewall code in Linux 2.1.X has been broken for a long time, probably since early in the 2.1.X networking development cycle. Specifically, not all the paths between the IPv4 layer and the physical layer are covered by the firewall code, and in particular, the path taken by a SYN_ACK packet (ip_build_and_send_pkt()) is not covered.
"Broken" is too strong a word in the above context for the readers of BUGTRAQ, which is why I didn't post the quoted message here :-(. I defend the term as accurate, but decry the implied "The sky is falling!". I personally consider the problem to be at worst an annoyance. Worst case, only a *small* minority of outbound packets reach the physical layer via the ip_build_and_send_pkt() function. In any event, the fix is in, and should be available as part of one of the upcoming 2.1.X distributions (maybe as early as 2.1.103: 2.1.102 was released hours ago).

A gentle reminder to BUGTRAQ readers is in order: computer/network security is a risk-management function. If folks are running development code (kernel or otherwise) in a production environment, the risk should be obvious. The non-obvious part is whether the risk is acceptable.

--
Bob Tracy                  | "Microsoft's biggest and most dangerous
Trident Data Systems       | contribution to the software industry may
AFIWC/TIPER                | be the degree to which it has lowered user
rct () merkin csap af mil  | expectations." - Esther Schlindler OS/2 Magazine
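As an added illustration (not code from this thread or from the kernel), a small Python audit of the symptom described above: it parses captured egress IPv4/TCP packets and reports SYN-ACKs that an outbound deny rule should have stopped, which is what an uncovered reply path like ip_build_and_send_pkt() would produce. The packet bytes, addresses and the rule format are constructed for the demo.

```python
import ipaddress
import struct

TCP_SYN, TCP_ACK = 0x02, 0x10

def build_ipv4_tcp(src, dst, sport, dport, flags):
    """Constructed test packet: minimal IPv4 + TCP headers, no options, zero checksums."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp

def parse_ipv4_tcp(pkt):
    """Return (src, dst, sport, dport, tcp_flags), or None if the packet is not TCP."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:
        return None
    src, dst = (str(ipaddress.ip_address(pkt[i:i + 4])) for i in (12, 16))
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return src, dst, sport, dport, pkt[ihl + 13]

def denied(rules, dst, dport):
    """Hypothetical egress deny rules: (destination network, port or None for any port)."""
    return any(ipaddress.ip_address(dst) in ipaddress.ip_network(net)
               and (port is None or port == dport) for net, port in rules)

def find_uncovered_synacks(captured, rules):
    """SYN-ACKs that left the host although an egress deny rule matches them: evidence
    that the reply path (ip_build_and_send_pkt() in 2.1.x) was not covered by the filter."""
    leaks = []
    for pkt in captured:
        hdr = parse_ipv4_tcp(pkt)
        if hdr is None:
            continue
        src, dst, sport, dport, flags = hdr
        synack = flags & (TCP_SYN | TCP_ACK) == (TCP_SYN | TCP_ACK)
        if synack and denied(rules, dst, dport):
            leaks.append((src, sport, dst, dport))
    return leaks

# Constructed capture: server 192.0.2.10 answers two clients; policy forbids egress to 10/8.
RULES = [("10.0.0.0/8", None)]
CAPTURE = [
    build_ipv4_tcp("192.0.2.10", "10.1.2.3", 80, 40000, TCP_SYN | TCP_ACK),
    build_ipv4_tcp("192.0.2.10", "198.51.100.7", 80, 40001, TCP_SYN | TCP_ACK),
    build_ipv4_tcp("192.0.2.10", "198.51.100.7", 80, 40001, TCP_ACK),
]

if __name__ == "__main__":
    print(find_uncovered_synacks(CAPTURE, RULES))
```

Running it over a real capture of the egress interface while an egress deny rule is in place turns the message's claim into a repeatable check: an empty list means the SYN-ACK path is filtered.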