Firewall Wizards mailing list archives
Re: OBSD reaction to CERT advisory
From: Daniel Hartmeier <daniel () benzedrine cx>
Date: Wed, 9 Oct 2002 16:05:29 +0200
On Wed, Oct 09, 2002 at 09:27:12AM -0400, Paul D. Robertson wrote:
> http://www.kb.cert.org/vuls/id/AAMN-5EQPEF
Part of that statement is a quote from an (internal) email I sent in reply to the question whether OpenBSD was vulnerable. That explains the undiplomatic choice of words. The reason IPFilter is referenced is the fact that OpenBSD did ship with this packet filter prior to release 3.0, hence I think the vendor statement should include this distinction.
> Statements like "The problem is in ipf" when there's been zero actual verification, let alone communication with the author, should be taken as disinformation.
Look at the source, it's obvious that selective ACK retransmissions fool the in-kernel ftp proxy. I don't think it's necessary to provide an actual exploit to prove the vulnerability. If, after reading the source, you don't agree that IPFilter, in a configuration where the in-kernel ftp proxy should protect the ftp _server_, is vulnerable to this kind of attack, let me know.
I strongly believe that placing any application level proxy at the packet filter layer is fundamentally flawed.
Daniel