On Sat, 27 Feb 1999 Roger Baker <bakerat_private> wrote:

> I was one of a few beta testers outside Digital for Firewall98. I
> pointed out a year ago this problem in the beta. Firewall98 was going
> to be released with named 4.9.6. I raised hell, and they shipped 4.9.7
> with Firewall98.

[...]

> 2) Better yet upgrade to Firewall98 which fixes this problem. Remember
> that older software is more likely to have bugs. Firewall98 is more
> stable than Firewall97.

According to updated information about the BIND problem available at

http://support.altavista-software.com/kb/solutions/firewall/general/259-042398.asp

BIND 4.9.7 was shipped as part of AltaVista Firewall 98 for DIGITAL UNIX but inadvertently was not being used. So, after upgrading to Firewall 98 you will probably have to follow the instructions given on that page to enable the use of BIND 4.9.7.

One more thing: IMHO, Firewall97 (what about Firewall98?) lacks a "linux-style" interface packet filter. The currently implemented interface packet filter can only filter packets by their IP source address to prevent IP spoofing attacks. The next layer is the screend (screening daemon) running on the firewall, which decides whether to forward a packet, redirect it to a proxy server, or drop it, based on the IP source/destination address, protocol and source/destination port of the packet (this corresponds to the forwarding rules on a linux packet filter). However, unlike the linux packet filter, the Firewall97 interface packet filter cannot be used to protect the firewall itself by specifying appropriate input rules based on IP source/destination address, protocol and source/destination port. Thus, all the network daemons running on the firewall that are used only by localhost (e.g. named and some authentication servers on Firewall97) are unnecessarily potential targets.

Maybe I'm a bit paranoid, but I think that in computer and network security one should not rely on any software to be free of security-relevant bugs.
--
Jochen Bauer
Institute for Theoretical Physics
University of Stuttgart
Germany
PGP public key available from: http://www.theo2.physik.uni-stuttgart.de/jtb.html
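The difference the post draws between a source-address-only interface filter plus screend forwarding rules, and a "linux-style" filter with input rules for the firewall host itself, can be made concrete with a small model. The block below is an added example written for this archive page; it is not AltaVista Firewall, screend or Linux kernel code. Interface names, addresses, the forwarding and input rule sets, and the sample packets are all constructed for illustration. It shows the one case the post cares about: a packet from the outside aimed at named on the firewall's own address reaches the daemon in the Firewall97 model, but is dropped once an input chain restricts port 53 to the loopback interface.

```python
# Toy model of the two filtering layers described in the post: an interface
# packet filter that only does source-address anti-spoofing, and a
# screend-style forwarding stage keyed on src/dst address, protocol and port,
# with and without a "linux-style" input chain protecting the firewall host.
# Added example, not AltaVista Firewall or Linux code. All interface names,
# addresses, rules and packets below are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

EXT_IF, INT_IF, LO_IF = "ext", "int", "lo"      # assumed interface names
INTERNAL_NET = ip_network("10.0.0.0/8")          # assumed protected network
ANY = ip_network("0.0.0.0/0")
# Assumed addresses owned by the firewall host itself.
LOCAL_ADDRS = {ip_address("192.0.2.1"), ip_address("10.0.0.1"), ip_address("127.0.0.1")}


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def interface_filter(pkt: Packet) -> str:
    """Firewall97-style interface filter: anti-spoofing only, keyed on source address."""
    if pkt.iface == EXT_IF and ip_address(pkt.src) in INTERNAL_NET:
        return "DROP"
    return "ACCEPT"


# screend-style forwarding rules for transit traffic, first match wins:
# (src net, dst net, proto, dport, action)
FORWARD_RULES = [
    (ANY, INTERNAL_NET, "tcp", 25, "PROXY"),     # inbound mail via the SMTP proxy
    (INTERNAL_NET, ANY, "tcp", 80, "PROXY"),     # outbound web via the HTTP proxy
    (INTERNAL_NET, ANY, "udp", 53, "FORWARD"),   # assumed: internal resolvers may query out
]


def screend(pkt: Packet) -> str:
    """Forwarding decision on src/dst address, protocol and destination port."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    for src_net, dst_net, proto, dport, action in FORWARD_RULES:
        if src in src_net and dst in dst_net and pkt.proto == proto and pkt.dport == dport:
            return action
    return "DROP"


# Linux-style input chain for packets addressed to the firewall itself:
# (iface or None for any, proto, dport, action); first match wins, default DROP.
INPUT_RULES = [
    (LO_IF, "udp", 53, "ACCEPT"),   # named is only needed by local processes
    (LO_IF, "tcp", 53, "ACCEPT"),
    (None, "tcp", 25, "ACCEPT"),    # the SMTP proxy must be reachable from anywhere
]


def input_filter(pkt: Packet) -> str:
    for iface, proto, dport, action in INPUT_RULES:
        if (iface is None or pkt.iface == iface) and pkt.proto == proto and pkt.dport == dport:
            return action
    return "DROP"


def is_for_firewall(pkt: Packet) -> bool:
    return ip_address(pkt.dst) in LOCAL_ADDRS


def firewall97(pkt: Packet) -> str:
    """Interface filter, then: local delivery straight to the daemon, else screend."""
    if interface_filter(pkt) == "DROP":
        return "DROP"
    if is_for_firewall(pkt):
        return "LOCAL"   # no input rules: whatever listens on dport sees the packet
    return screend(pkt)


def linux_style(pkt: Packet) -> str:
    """Same, but packets for the firewall host must pass the input chain first."""
    if interface_filter(pkt) == "DROP":
        return "DROP"
    if is_for_firewall(pkt):
        return "LOCAL" if input_filter(pkt) == "ACCEPT" else "DROP"
    return screend(pkt)


if __name__ == "__main__":
    # Constructed sample packets.
    samples = [
        ("probe named", Packet(EXT_IF, "198.51.100.7", "192.0.2.1", "udp", 53)),
        ("local lookup", Packet(LO_IF, "127.0.0.1", "127.0.0.1", "udp", 53)),
        ("spoofed src", Packet(EXT_IF, "10.1.2.3", "10.0.0.5", "tcp", 25)),
        ("inbound mail", Packet(EXT_IF, "198.51.100.7", "10.0.0.5", "tcp", 25)),
        ("inbound telnet", Packet(EXT_IF, "198.51.100.7", "10.0.0.5", "tcp", 23)),
    ]
    for name, p in samples:
        print(f"{name:15s} Firewall97={firewall97(p):7s} linux-style={linux_style(p)}")
```

Only the first sample differs between the two models: the anti-spoofing filter has nothing to say about a packet with a legitimate external source, and screend never sees traffic addressed to the firewall itself, so the probe lands on named. The input chain closes that gap without touching the forwarding rules.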
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:37:57 PDT