Date: Sat, 7 Apr 2001 00:21:29 -0400
From: "Dan Langille" <dan@langille.org>
To: Matt Haught <haught12@marshall.edu>
Cc: "stable@freebsd.org" <stable@FreeBSD.ORG>
Subject: Re: IP Filter 3.4.17?
Message-ID: <200104070421.f374Lge45348@ns1.unixathome.org>
In-Reply-To: <01K22ZNJBR3K8Y5DVZ@marshall.edu>

This is the second time this has been asked today. Are we asking in
the right place?

On 6 Apr 2001, at 14:38, Matt Haught wrote:

> Is it too late to update ipfilter in -STABLE? 3.4.16 seems to have a
> serious bug. Darren just sent out this to the ipfilter mailing list:
>
> -----snip----
> A *VERY* serious bug has been brought to my attention in IPFilter.
>
> In 10 words or less, fragment caching with can let through "any"
> packet.
> Ok, so that's 8.
>
> Cause
> =====
> When matching a fragment, only srcip, dstip and IP ID# are checked and
> the fragment cache is checked *before* any rules are checked. It does
> not even need to be a fragment. Even if you block all fragments with
> a rule, fragment cache entries can be created by packets that match
> state information currently held.
> ------snip----
>
> -Matt
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-stable" in the body of the message
>

--
Dan Langille
pgpkey - finger dan@unixathome.org | http://unixathome.org/finger.php
got any work? I'm looking for some.

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200104070421.f374Lge45348>
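
The lookup order described in the quoted advisory, as a toy model for regression-testing a filter's decision path. This is an added example, not IPFilter source and not part of the original message; every name, the one-rule ruleset, the packets, and the stricter ordering in `filter_strict` are assumptions made for illustration.

```c
/* Toy model of the lookup order in the quoted advisory. Not IPFilter source:
 * every name, the ruleset and the packets are constructed for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

struct pkt { uint32_t src, dst; uint16_t id, frag_off, dport; };
struct frag_entry { uint32_t src, dst; uint16_t id; bool used; };

#define NFRAG 8
static struct frag_entry cache[NFRAG];

/* Called when a packet matches held state: remembers src, dst and IP ID. */
void cache_add(const struct pkt *p) {
    for (int i = 0; i < NFRAG; i++)
        if (!cache[i].used) {
            cache[i] = (struct frag_entry){ p->src, p->dst, p->id, true };
            return;
        }
}

/* The match from the advisory: only srcip, dstip and IP ID# are compared. */
bool cache_hit(const struct pkt *p) {
    for (int i = 0; i < NFRAG; i++)
        if (cache[i].used && cache[i].src == p->src &&
            cache[i].dst == p->dst && cache[i].id == p->id)
            return true;
    return false;
}

/* Constructed ruleset: pass destination port 80, block everything else. */
bool rules_pass(const struct pkt *p) { return p->dport == 80; }

/* Order described in the advisory: cache first, for any packet at all. */
bool filter_cache_first(const struct pkt *p) {
    return cache_hit(p) || rules_pass(p);
}

/* Assumed stricter order (not the 3.4.17 change, which the page does not
 * show): only trailing fragments, which carry no ports, may use the cache. */
bool filter_strict(const struct pkt *p) {
    if (p->frag_off != 0 && cache_hit(p)) return true;
    return rules_pass(p);
}

int main(void) {
    struct pkt first = { 1, 2, 0x1234, 0, 80 }, whole = { 1, 2, 0x1234, 0, 22 };
    cache_add(&first);
    printf("cache-first: %d  strict: %d\n",
           filter_cache_first(&whole), filter_strict(&whole));
    return 0;
}
```

A test suite for a stateful filter can keep a case like `whole` (an unfragmented packet that shares only addresses and IP ID with a cached entry) as a permanent regression check.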