From owner-freebsd-security@FreeBSD.ORG  Mon Oct 27 18:05:58 2003
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 50D0A16A4CE
	for <security@freebsd.org>; Mon, 27 Oct 2003 18:05:58 -0800 (PST)
Received: from lariat.org (lariat.org [63.229.157.2])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 97BFA43F93
	for <security@freebsd.org>; Mon, 27 Oct 2003 18:05:56 -0800 (PST)
	(envelope-from brett@lariat.org)
Received: from runaround.lariat.org (IDENT:ppp1000.lariat.org@lariat.org
	[63.229.157.2])	by lariat.org (8.9.3/8.9.3) with ESMTP id TAA06678;
	Mon, 27 Oct 2003 19:05:39 -0700 (MST)
X-message-flag: Warning! Use of Microsoft Outlook renders your system
	susceptible to Internet worms.
Message-Id: <6.0.0.22.2.20031027190409.04ada3f0@localhost>
X-Sender: brett@localhost (Unverified)
X-Mailer: QUALCOMM Windows Eudora Version 6.0.0.22
Date: Mon, 27 Oct 2003 19:05:38 -0700
To: peter.lai@uconn.edu
From: Brett Glass <brett@lariat.org>
In-Reply-To: <20031027192235.GG6460@cowbert.2y.net>
References: <200310270731.AAA23485@lariat.org>
 <20031027080240.GA9552@rot13.obsecurity.org>
 <20031027110203.B96390@trillian.santala.org>
 <20031027093435.GA6111@rot13.obsecurity.org>
 <6.0.0.22.2.20031027061227.03a6be78@localhost>
 <20031027192235.GG6460@cowbert.2y.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
cc: security@freebsd.org
cc: Kris Kennaway <kris@obsecurity.org>
Subject: Re: Best way to filter "Nachi pings"?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Oct 2003 02:05:58 -0000

At 12:22 PM 10/27/2003, Peter C. Lai wrote:
  
>Similarly, is there a reason that you wouldn't be able to use the less robust
>ipfw2 on your release (since I assume you'd be using it purely for its iplen
>capabilities)? 

Look at some of the latest notes in the CVS database. They mention
use-after-free problems, security holes (unprivileged users can
manipulate the firewall), and other things you just wouldn't want
on a production system. The good news is that they scoured the code
quite thoroughly, and it seems to be solid now.

--Brett