Date: Fri, 06 Apr 2001 14:38:20 -0400
From: Matt Haught <haught12@marshall.edu>
To: freebsd-stable@freebsd.org
Subject: IP Filter 3.4.17?
Message-ID: <01K22ZNJBR3K8Y5DVZ@marshall.edu>

Is it too late to update ipfilter in -STABLE? 3.4.16 seems to have a serious bug. Darren just sent out this to the ipfilter mailing list:

-----snip----
A *VERY* serious bug has been brought to my attention in IPFilter.

In 10 words or less, fragment caching with can let through "any" packet. Ok, so that's 8.

Cause
=====
When matching a fragment, only srcip, dstip and IP ID# are checked and the fragment cache is checked *before* any rules are checked. It does not even need to be a fragment. Even if you block all fragments with a rule, fragment cache entries can be created by packets that match state information currently held.
------snip----

-Matt
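
Added example, not part of the original message and not IPFilter source: a toy C model of the lookup order described under "Cause", with the loose cache match beside a stricter one. All names, the rule set and the sample packets are constructed, and the strict check is an assumed hardening for illustration, not the actual 3.4.17 change.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Toy model of the lookup order; hypothetical names, not IPFilter source. */
struct pkt { uint32_t src, dst; uint16_t id, dport; uint8_t proto; bool is_frag; };
struct frag_entry { uint32_t src, dst; uint16_t id; uint8_t proto; bool used; };

#define NFRAG 8
static struct frag_entry cache[NFRAG];

/* Entry created when a packet matching held state is passed. */
static void frag_add(const struct pkt *p) {
    for (int i = 0; i < NFRAG; i++)
        if (!cache[i].used) {
            cache[i] = (struct frag_entry){ p->src, p->dst, p->id, p->proto, true };
            return;
        }
}

/* Loose match: srcip, dstip and IP ID only, as the advisory describes.
 * Strict match (assumed hardening): also require that the packet really is
 * a fragment and carries the same protocol as the cached entry. */
static bool frag_match(const struct pkt *p, bool strict) {
    for (int i = 0; i < NFRAG; i++) {
        const struct frag_entry *e = &cache[i];
        if (!e->used || e->src != p->src || e->dst != p->dst || e->id != p->id)
            continue;
        if (strict && (!p->is_frag || e->proto != p->proto))
            continue;
        return true;
    }
    return false;
}

/* Constructed rule set: pass only destination port 22, block the rest. */
static bool rules_pass(const struct pkt *p) { return p->dport == 22; }

/* The cache is consulted before the rules, so a hit skips them entirely. */
bool filter(const struct pkt *p, bool strict) {
    return frag_match(p, strict) ? true : rules_pass(p);
}

/* Constructed traffic: caches one entry, then returns the verdict for a second
 * packet reusing its src, dst and IP ID but aimed at rule-blocked port 23. */
bool verdict_for_lookalike(bool strict, bool is_frag, uint8_t proto) {
    struct pkt seen = { 0x0a000001, 0x0a000002, 4242, 22, 6, true };
    struct pkt next = { 0x0a000001, 0x0a000002, 4242, 23, proto, is_frag };
    memset(cache, 0, sizeof cache);
    frag_add(&seen);
    return filter(&next, strict);
}
```

With the loose match, the second packet is passed although it is not a fragment and the rule set blocks its port; with the strict match the same packet falls through to the rules and is blocked.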