Date: Mon, 08 Dec 1997 14:05:01 -0800
From: Studded <Studded@dal.net>
To: Kevin Quinlan <Kevin.Quinlan@isltd.insignia.com>
Cc: questions@freebsd.org
Subject: Re: Fixes for land.c and F00F on 2.1.5/2.1.7
Message-ID: <348C6F0D.34259927@dal.net>
References: <433.199712082057@samba.isltd.insignia.com>

Kevin Quinlan wrote:
>
> Hi,
>
> I have read the web page on your fixes for the SYN bug and the Pentium problem.
>
> I would like to apply fixes for both to systems that are running 2.1.5
> and 2.1.7

I understand that it might not be convenient for you to upgrade, but you really should work that into your plans at your earliest possible convenience. The reason being that the 2.1 branch has been locked in stone for about 6 months now, and if people like me have my way, it will never be touched again. Asking people who volunteer their time to fix something that you can and should fix yourself is frowned on. Fortunately for you, I have no say in things. :)

The good news is that unless you allow untrusted users on your machines, the f00f bug is not a problem. If you do, upgrading to 2.2.5-Stable is your best bet anyway, since there are a number of other security problems fixed since the 2.1 days.

The land.c bug can be solved with one line added to your firewall. If you haven't already, read up on ipfw, make the appropriate changes in /etc, compile a new kernel with ipfw, and reboot. You want a rule that prevents incoming packets that have the same address as the machine itself. I have the following rule on my machine:

    00050 deny log ip from 204.210.32.25 to 204.210.32.25 in recv ep0

Hope this helps,

Doug
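
What the ipfw rule in the message above matches, as an added example that is not part of the original e-mail: a small Python model of "deny ip from A to A in recv IF" run over constructed IPv4 headers. The function names, the 192.0.2.x sample addresses and the lo0 interface name are assumptions made for the illustration; only 204.210.32.25 and ep0 come from the message.

```python
import ipaddress
import struct

LOCAL_ADDRS = {ipaddress.IPv4Address("204.210.32.25")}  # address from the rule
RULE_IFACE = "ep0"                                      # interface from the rule

def parse_ipv4(packet: bytes):
    """Return (src, dst) from a raw IPv4 header, or None if it is malformed."""
    if len(packet) < 20:
        return None
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4 or ihl < 5:
        return None
    src, dst = struct.unpack("!4s4s", packet[12:20])
    return ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)

def rule_denies(packet: bytes, direction: str, iface: str) -> bool:
    """Model of: deny ip from A to A in recv RULE_IFACE, for each local A."""
    if direction != "in" or iface != RULE_IFACE:
        return False          # "in recv ep0": other traffic is not examined
    parsed = parse_ipv4(packet)
    if parsed is None:
        return False          # this model only decides on well-formed headers
    src, dst = parsed
    return src == dst and src in LOCAL_ADDRS

def build_header(src: str, dst: str) -> bytes:
    """Constructed 20-byte IPv4/TCP header (checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

# Constructed samples: (label, header, direction, interface)
SAMPLES = [
    ("land-style", build_header("204.210.32.25", "204.210.32.25"), "in", "ep0"),
    ("normal client", build_header("192.0.2.7", "204.210.32.25"), "in", "ep0"),
    ("host to itself via loopback",
     build_header("204.210.32.25", "204.210.32.25"), "in", "lo0"),
    ("src == dst, other address",
     build_header("192.0.2.7", "192.0.2.7"), "in", "ep0"),
]

def classify():
    """Return {label: True if the rule would deny the packet}."""
    return {label: rule_denies(pkt, d, i) for label, pkt, d, i in SAMPLES}

if __name__ == "__main__":
    for label, denied in classify().items():
        print(f"{label:30s} {'deny' if denied else 'pass'}")
```

The last sample shows that the rule covers only the address written into it, so a machine with several addresses needs one such rule per address.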