From: "Mark Johnston"
To: "'Brad Holman'"
Subject: Re: ipfw ecn issue(s)
Date: Tue, 18 Feb 2003 16:09:54 -0600
Message-ID: <002701c2d79a$77def0f0$be0fa8c0@MJOHNSTON>

Brad Holman wrote:
> According to the REL notes for v5.0R
> (http://www.freebsd.org/releases/5.0R/DP1/relnotes-i386.html), there
> is a fix incorporated for the issue:
>
> "ipfw(4) now filters correctly in the presence of ECN bits in TCP
> segments."
>
> Is there a patch for version 4.x that can fix the problem without
> having to upgrade?

It looks like ipfw's ECN handling was fixed in 4-STABLE (and RELENG_3) back in January 2001, with rev 1.131.2.11 to RELENG_4. If you're using STABLE (or any 4.x) from after January 2001, you should be OK. You can also tell that the bug fix was merged to 4.x by the "[MERGED]" text in the release notes.

If you're running something older than January 2001, you may be able to come up with your own patch; check http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/ip_fw.c, revision 1.131.2.11, for the changes.

Mark