Darren Reed wrote:
> ----- Forwarded message from Bob Tracy - TDS -----
>
> Subject: Linux 2.1.X ENskip fixed!
> Date: Fri, 15 May 1998 09:07:39 -0500 (CDT)
>
> It took a few days, but I found the problem. It turns out that the
> IP firewall code in Linux 2.1.X has been broken for a long time,
> probably since early in the 2.1.X networking development cycle.
> Specifically, not all the paths between the IPv4 layer and the physical
> layer are covered by the firewall code, and in particular, the path
> taken by a SYN_ACK packet ( ip_build_and_send_pkt() ) is not covered.

"Broken" is too strong a word in the above context for the readers of
BUGTRAQ, which is why I didn't post the quoted message here :-(. I defend
the term as accurate, but decry the implied "The sky is falling!". I
personally consider the problem to be at worst an annoyance. Worst case,
only a *small* minority of outbound packets reach the physical layer via
the ip_build_and_send_pkt() function.

In any event, the fix is in, and should be available as part of one of the
upcoming 2.1.X distributions (maybe as early as 2.1.103: 2.1.102 was
released hours ago).

A gentle reminder to BUGTRAQ readers is in order: computer/network security
is a risk-management function. If folks are running development code
(kernel or otherwise) in a production environment, the risk should be
obvious. The non-obvious part is whether the risk is acceptable.

--
Bob Tracy            | "Microsoft's biggest and most dangerous
Trident Data Systems | contribution to the software industry may
AFIWC/TIPER          | be the degree to which it has lowered user
rctat_private        | expectations." - Esther Schlindler OS/2 Magazine