mailing list archives
Re: Linux 2.1.x Firewalling code broked
From: rct () MERKIN CSAP AF MIL (Bob Tracy - TDS)
Date: Fri, 15 May 1998 14:01:42 -0500
Darren Reed wrote:
----- Forwarded message from Bob Tracy - TDS -----
Subject: Linux 2.1.X ENskip fixed!
Date: Fri, 15 May 1998 09:07:39 -0500 (CDT)
It took a few days, but I found the problem. It turns out that the
IP firewall code in Linux 2.1.X has been broken for a long time,
probably since early in the 2.1.X networking development cycle.
Specifically, not all the paths between the IPv4 layer and the physical
layer are covered by the firewall code, and in particular, the path
taken by a SYN_ACK packet ( ip_build_and_send_pkt() ) is not covered.
"Broken" is too strong a word in the above context for the readers of
BUQTRAQ, which is why I didn't post the quoted message here :-(. I
defend the term as accurate, but decry the implied "The sky is falling!".
I personally consider the problem to be at worst an annoyance. Worst
case, only a *small* minority of outbound packets reach the physical
layer via the ip_build_and_send_pkt() function. In any event, the fix
is in, and should be available as part of one of the upcoming 2.1.X
distributions (maybe as early as 2.1.103: 2.1.102 was released hours
A gentle reminder to BUGTRAQ readers is in order: computer/network
security is a risk-management function. If folks are running development
code (kernel or otherwise) in a production environment, the risk should
be obvious. The non-obvious part is whether the risk is acceptable.
Bob Tracy | "Microsoft's biggest and most dangerous
Trident Data Systems | contribution to the software industry may
AFIWC/TIPER | be the degree to which it has lowered user
rct () merkin csap af mil | expectations." - Esther Schlindler