From owner-freebsd-questions Mon Dec 8 14:06:17 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id OAA18459 for questions-outgoing; Mon, 8 Dec 1997 14:06:17 -0800 (PST) (envelope-from owner-freebsd-questions) Received: from mail.san.rr.com (ns.san.rr.com [204.210.0.1]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id OAA18445 for ; Mon, 8 Dec 1997 14:06:11 -0800 (PST) (envelope-from Studded@dal.net) Received: from dal.net (dt051n19.san.rr.com [204.210.32.25]) by mail.san.rr.com (8.8.7/8.8.7) with ESMTP id OAA29887; Mon, 8 Dec 1997 14:06:53 -0800 (PST) Message-ID: <348C6F0D.34259927@dal.net> Date: Mon, 08 Dec 1997 14:05:01 -0800 From: Studded X-Mailer: Mozilla 4.04 [en] (X11; I; FreeBSD 2.2.5-STABLE i386) MIME-Version: 1.0 To: Kevin Quinlan CC: questions@freebsd.org Subject: Re: Fixes for land.c and F00F on 2.1.5/2.1.7 References: <433.199712082057@samba.isltd.insignia.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-questions@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Kevin Quinlan wrote: > > Hi, > > I have read the web page on your fixes for the SYN bug and the Pentium problem. > > I would like to apply fixes for both to systems that are running 2.1.5 > and 2.1.7 I understand that it might not be convenient for you to upgrade, but you really should work that into your plans at your earliest possible convenience. The reason being that the 2.1 branch has been locked in stone for about 6 months now, and if people like me have my way, it will never be touched again. Asking people who volunteer their time to fix something that you can and should fix yourself is frowned on. Fortunately for you, I have no say in things. :) The good news is that unless you allow untrusted users on your machines, the f00f bug is not a problem. If you do, upgrading to 2.2.5-Stable is your best bet anyway, since there are a number of other security problems fixed since the 2.1 days. The land.c bug can be solved with one line added to your firewall. If you haven't already, read up on ipfw, make the appropriate changes in /etc, compile a new kernel with ipfw, and reboot. You want a rule that prevents incoming packets that have the same address as the machine itself. I have the following rule on my machine: 00050 deny log ip from 204.210.32.25 to 204.210.32.25 in recv ep0 Hope this helps, Doug