From owner-freebsd-security Mon Jul 26 10:30:18 1999
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id 7871214D96 for ; Mon, 26 Jul 1999 10:30:15 -0700 (PDT) (envelope-from brett@lariat.org)
Received: from mustang (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id LAA22927 for ; Mon, 26 Jul 1999 11:28:08 -0600 (MDT)
Message-Id: <4.2.0.58.19990726112737.045f3770@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58
Date: Mon, 26 Jul 1999 11:28:06 -0600
To: security@freebsd.org
From: Brett Glass
Subject: This from Bugtraq this weekend....
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Approved-By: aleph1@SECURITYFOCUS.COM
>Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
>Date: Sat, 24 Jul 1999 01:26:28 +0000
>Reply-To: Scott
>Sender: Bugtraq List
>From: Scott
>Subject: Re: Linux +ipchains+ ping -R
>X-To: Andrej Todosic
>X-cc: BUGTRAQ@SECURITYFOCUS.COM
>To: BUGTRAQ@SECURITYFOCUS.COM
>
>About 2 weeks ago someone made me aware of a similar bug in FreeBSD
>with natd/ipfw. I tested it on my own computer (FreeBSD 3.2-STABLE) and
>the result was an immediate reboot without any logging.
>
>This firewall rule fixes the problem on my FreeBSD box. Adjust it
>accordingly for the logging options, etc. Make sure it's the 1st rule
>listed.
>
>
>deny log ip from any to any ipopt rr
>
>
>-Scott
>
>On Thu, 22 Jul 1999, Andrej Todosic wrote:
>
> > Hello,
> >
> > I am not quite sure if this has been discussed or if there is a fix already,
> > but I'd still like to mention it.
> >
> > Linux firewall setup 2.2.5 or 2.2.10 and ipchains + NAT + advanced router
> >
> >
> > If you are less than nine hops away from it, ping -R and (assuming the fw
> > lets the packets go through) you get a kernel panic.
> >
> >
> > You can't go wrong. I tried it on more than one firewall and more than one
> > kernel.
> >
> >
> > PS: if you are testing it, do make sure you are not going through the fw for a
> > connection (which is how I screwed myself up and left the ping -R in the
> > background)
> >
> >
> >
> >
> > Andrej

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
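The quoted rule's `ipopt rr` match selects packets whose IPv4 header carries the Record Route option (type 7, RFC 791). As an added example (not code from this thread or from ipfw), the sketch below walks the options area of a header and reports whether such a rule would apply. The function names and sample headers are constructed for illustration, and denying headers whose options fail to parse is this example's own policy choice.

```python
import struct

IPOPT_EOL, IPOPT_NOP, IPOPT_RR = 0, 1, 7   # option type bytes from RFC 791

# Constructed sample: NOP pad + Record Route, length 39 (3 + 9 address slots),
# pointer 4, slots empty. This fills the 40-byte maximum for IPv4 options.
RR_FULL = bytes([IPOPT_NOP, IPOPT_RR, 39, 4]) + bytes(36)

def build_header(options: bytes = b"") -> bytes:
    """Constructed IPv4 header (checksum left at 0) carrying `options`."""
    options += b"\x00" * (-len(options) % 4)          # pad to 32-bit boundary
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + 8, 0, 0,
                        64, 1, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    return fixed + options

def option_types(header: bytes) -> list:
    """Return the option type bytes present; raise ValueError if malformed."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    hlen = (header[0] & 0x0F) * 4
    if hlen < 20 or hlen > len(header):
        raise ValueError("bad header length")
    found, i = [], 20
    while i < hlen:
        opt = header[i]
        if opt == IPOPT_EOL:                          # end of option list
            break
        if opt == IPOPT_NOP:                          # single-byte padding
            i += 1
            continue
        # Every other option is type, length, data; length covers all three.
        if i + 1 >= hlen or header[i + 1] < 2 or i + header[i + 1] > hlen:
            raise ValueError("bad option length")
        found.append(opt)
        i += header[i + 1]
    return found

def should_deny(header: bytes) -> bool:
    """True if Record Route is present or the options cannot be parsed."""
    try:
        return IPOPT_RR in option_types(header)
    except ValueError:
        return True
```
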