From owner-freebsd-stable Fri Apr 6 21:21:53 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from ns1.unixathome.org (ns1.unixathome.org [203.79.82.27])
    by hub.freebsd.org (Postfix) with ESMTP id F303637B422
    for ; Fri, 6 Apr 2001 21:21:49 -0700 (PDT)
    (envelope-from dan@langille.org)
Received: from wocker (root@ns1.unixathome.org [192.168.0.20])
    by ns1.unixathome.org (8.11.3/8.11.3) with ESMTP id f374Lge45348;
    Sat, 7 Apr 2001 16:21:43 +1200 (NZST)
    (envelope-from dan@langille.org)
Message-Id: <200104070421.f374Lge45348@ns1.unixathome.org>
From: "Dan Langille"
Organization: novice in training
To: Matt Haught
Date: Sat, 7 Apr 2001 00:21:29 -0400
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: IP Filter 3.4.17?
Reply-To: dan@langille.org
Cc: "stable@freebsd.org"
In-reply-to: <01K22ZNJBR3K8Y5DVZ@marshall.edu>
X-mailer: Pegasus Mail for Win32 (v3.12c)
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

This is the second time this has been asked today. Are we asking in the
right place?

On 6 Apr 2001, at 14:38, Matt Haught wrote:

> Is it too late to update ipfilter in -STABLE? 3.4.16 seems to have a
> serious bug. Darren just sent out this to the ipfilter mailing list:
>
> -----snip----
> A *VERY* serious bug has been brought to my attention in IPFilter.
>
> In 10 words or less, fragment caching with can let through "any"
> packet.
> Ok, so that's 8.
>
> Cause
> =====
> When matching a fragment, only srcip, dstip and IP ID# are checked and
> the fragment cache is checked *before* any rules are checked. It does
> not even need to be a fragment. Even if you block all fragments with
> a rule, fragment cache entries can be created by packets that match
> state information currently held.
> ------snip----
>
> -Matt
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-stable" in the body of the message
>

--
Dan Langille
pgpkey - finger dan@unixathome.org | http://unixathome.org/finger.php
got any work? I'm looking for some.
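
The lookup order described under "Cause" in the quoted report, as a toy model added here for illustration (not IPFilter source and not part of the original message). All struct, function and variable names are hypothetical, the packets are constructed, and the `strict` variant is an assumed contrast, not the actual 3.4.17 change.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the reported lookup order; every name is hypothetical. */
struct pkt { uint32_t src, dst; uint16_t id, frag_off, dport; bool more_frags; };
struct frag_key { uint32_t src, dst; uint16_t id; bool used; };
static struct frag_key cache[8];
/* Constructed state entry: one established flow to port 80. */
static const struct pkt state_flow = { 0x0a000001, 0x0a000002, 0, 0, 80, false };

/* The cache key is only srcip, dstip and IP ID, as the report says. */
static bool cache_hit(const struct pkt *p) {
    for (size_t i = 0; i < 8; i++)
        if (cache[i].used && cache[i].src == p->src &&
            cache[i].dst == p->dst && cache[i].id == p->id)
            return true;
    return false;
}

static void cache_add(const struct pkt *p) {
    for (size_t i = 0; i < 8; i++)
        if (!cache[i].used) { cache[i] = (struct frag_key){ p->src, p->dst, p->id, true }; return; }
}

/* Ports are only visible at offset 0, so only those packets can match state. */
static bool state_match(const struct pkt *p) {
    return p->frag_off == 0 && p->src == state_flow.src &&
           p->dst == state_flow.dst && p->dport == state_flow.dport;
}

/* strict == false: cache checked first, for any packet (the reported behaviour).
 * strict == true: cache checked only for non-first fragments (assumed contrast). */
static bool filter(const struct pkt *p, bool strict) {
    if (!strict && cache_hit(p)) return true;
    if (state_match(p)) { if (p->frag_off != 0 || p->more_frags) cache_add(p); return true; }
    if (strict && p->frag_off != 0 && cache_hit(p)) return true;
    return false; /* constructed ruleset: block everything else, fragments included */
}

/* Constructed scenario: a first fragment of the stateful flow seeds the cache,
 * then an unfragmented port-22 packet reuses its src, dst and IP ID. */
static bool non_fragment_passes(bool strict) {
    struct pkt first = { 0x0a000001, 0x0a000002, 0x1234, 0, 80, true };
    struct pkt whole = { 0x0a000001, 0x0a000002, 0x1234, 0, 22, false };
    memset(cache, 0, sizeof cache);
    filter(&first, strict);
    return filter(&whole, strict);
}

int main(void) { printf("%d %d\n", non_fragment_passes(false), non_fragment_passes(true)); return 0; }
```

In the non-strict order the port-22 packet is passed by the cache before the block rule is ever reached; in the strict order it falls through to the ruleset, while a genuine later fragment of the cached datagram still passes.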