Re: Linux 2.1.x Firewalling code broked
daemon@ATHENA.MIT.EDU (Bob Tracy - TDS)
Fri May 15 17:10:28 1998
Date: Fri, 15 May 1998 14:01:42 -0500
Reply-To: Bob Tracy - TDS <rct@MERKIN.CSAP.AF.MIL>
From: Bob Tracy - TDS <rct@MERKIN.CSAP.AF.MIL>
X-To: darrenr@REED.WATTLE.ID.AU
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199805151511.BAA22559@avalon.reed.wattle.id.au> from Darren Reed at "May 16, 98 01:11:17 am"
Darren Reed wrote:
> ----- Forwarded message from Bob Tracy - TDS -----
>
> Subject: Linux 2.1.X ENskip fixed!
> Date: Fri, 15 May 1998 09:07:39 -0500 (CDT)
>
> It took a few days, but I found the problem. It turns out that the
> IP firewall code in Linux 2.1.X has been broken for a long time,
> probably since early in the 2.1.X networking development cycle.
> Specifically, not all the paths between the IPv4 layer and the physical
> layer are covered by the firewall code, and in particular, the path
> taken by a SYN_ACK packet ( ip_build_and_send_pkt() ) is not covered.
"Broken" is too strong a word in the above context for the readers of
BUGTRAQ, which is why I didn't post the quoted message here :-(. I
defend the term as accurate, but decry the implied "The sky is falling!".
I personally consider the problem to be at worst an annoyance. Worst
case, only a *small* minority of outbound packets reach the physical
layer via the ip_build_and_send_pkt() function. In any event, the fix
is in, and should be available as part of one of the upcoming 2.1.X
distributions (maybe as early as 2.1.103: 2.1.102 was released hours
ago).
A gentle reminder to BUGTRAQ readers is in order: computer/network
security is a risk-management function. If folks are running development
code (kernel or otherwise) in a production environment, the risk should
be obvious. The non-obvious part is whether the risk is acceptable.
--
Bob Tracy              | "Microsoft's biggest and most dangerous
Trident Data Systems   | contribution to the software industry may
AFIWC/TIPER            | be the degree to which it has lowered user
rct@merkin.csap.af.mil | expectations." - Esther Schindler,
                       | OS/2 Magazine
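The defect described in the forwarded message is a classic enforcement-gap pattern: a packet filter sits on the common outbound path, but a second egress path (the one a SYN_ACK takes) reaches the physical layer without ever calling it. The following toy model, added here as an illustration and not taken from the Linux kernel or from either poster, reproduces that shape. The function names `ip_queue_xmit` and `ip_build_and_send_pkt` are borrowed from the post only as labels; their bodies, the `Packet`/`Rule`/`Firewall` classes, the port-23 policy and `find_unfiltered_paths` are all constructed for this example. `find_unfiltered_paths` shows the check a defender would want: feed a packet the policy must deny into every egress path and report which ones still put it on the wire.

```python
"""Toy model of an outbound packet filter with one egress path that
bypasses the filter hook.  Constructed example, not kernel code: the
two egress function names echo the Bugtraq post, everything else is
invented for illustration."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional


@dataclass
class Packet:
    src_port: int
    dst_port: int
    flags: FrozenSet[str]  # e.g. {"SYN"} or {"SYN", "ACK"}


@dataclass
class Rule:
    action: str                  # "accept" or "deny"
    src_port: Optional[int] = None  # None matches any source port


class Firewall:
    """First-match rule list with a default action."""

    def __init__(self, rules: List[Rule], default: str = "accept") -> None:
        self.rules = rules
        self.default = default
        self.denied: List[Packet] = []

    def check(self, pkt: Packet) -> str:
        for r in self.rules:
            if r.src_port is None or r.src_port == pkt.src_port:
                return r.action
        return self.default


class Host:
    """A host with two egress paths to the 'physical layer' (self.wire).

    enforce_all_paths=False models the broken 2.1.x layout described in
    the post: only ip_queue_xmit consults the firewall.
    """

    def __init__(self, fw: Firewall, enforce_all_paths: bool) -> None:
        self.fw = fw
        self.enforce_all_paths = enforce_all_paths
        self.wire: List[Packet] = []  # packets that reached the wire

    def _filtered_xmit(self, pkt: Packet) -> bool:
        if self.fw.check(pkt) == "deny":
            self.fw.denied.append(pkt)
            return False
        self.wire.append(pkt)
        return True

    def ip_queue_xmit(self, pkt: Packet) -> bool:
        # Normal data path: always passes through the filter hook.
        return self._filtered_xmit(pkt)

    def ip_build_and_send_pkt(self, pkt: Packet) -> bool:
        # SYN_ACK path: in the broken model this skips the filter entirely.
        if self.enforce_all_paths:
            return self._filtered_xmit(pkt)
        self.wire.append(pkt)
        return True

    def handle_incoming_syn(self, syn: Packet) -> bool:
        # A listening socket answers a SYN with a SYN_ACK on the short path.
        synack = Packet(src_port=syn.dst_port, dst_port=syn.src_port,
                        flags=frozenset({"SYN", "ACK"}))
        return self.ip_build_and_send_pkt(synack)


def simulate(enforce_all_paths: bool) -> Dict[str, object]:
    """Policy: nothing may leave from port 23.  Return what got out."""
    fw = Firewall([Rule("deny", src_port=23)])
    host = Host(fw, enforce_all_paths)
    syn = Packet(src_port=40000, dst_port=23, flags=frozenset({"SYN"}))
    synack_sent = host.handle_incoming_syn(syn)
    data = Packet(src_port=23, dst_port=40000, flags=frozenset({"ACK"}))
    data_sent = host.ip_queue_xmit(data)
    return {"synack_sent": synack_sent, "data_sent": data_sent,
            "on_wire": len(host.wire), "denied": len(fw.denied)}


def find_unfiltered_paths(host: Host) -> List[str]:
    """Audit helper (constructed): push a packet the policy must deny
    through every egress path and name the paths that leak it."""
    probe = Packet(src_port=23, dst_port=1, flags=frozenset({"SYN", "ACK"}))
    leaks = []
    for name in ("ip_queue_xmit", "ip_build_and_send_pkt"):
        before = len(host.wire)
        getattr(host, name)(probe)
        if len(host.wire) > before:
            leaks.append(name)
    return leaks


if __name__ == "__main__":
    print("broken:", simulate(False))
    print("fixed: ", simulate(True))
    print("leaking paths:", find_unfiltered_paths(
        Host(Firewall([Rule("deny", src_port=23)]), enforce_all_paths=False)))
```

The audit routine is the transferable part: when a policy hook is meant to be a choke point, enumerate every path to the sink (here, the wire) and confirm each one consults the hook, rather than trusting that the "main" path is the only one.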