Date: Wed, 9 Aug 2000 01:06:54 +1000 (EST)
From: Darren Reed <darrenr@reed.wattle.id.au>
To: security@freebsd.org
Subject: IP Filter 3.4.9/3.3.18 (fwd)
Message-ID: <200008081506.BAA21009@avalon.reed.wattle.id.au>

I'll look at importing this on the weekend.  Any sooner and I don't
have time to not do a rush job.

Darren

> ----- Forwarded message from Darren Reed -----
>
> From owner-ipfilter@cairo.anu.edu.au Wed Aug 9 0:20:00 2000
> X-Authentication-Warning: cairo.anu.edu.au: majordomo set sender to owner-ipfilter@coombs.anu.edu.au using -f
> From: Darren Reed <darrenr@reed.wattle.id.au>
> Message-Id: <200008081409.AAA20852@avalon.reed.wattle.id.au>
> Subject: IP Filter 3.4.9/3.3.18 (fwd)
> To: ipfilter@coombs.anu.edu.au
> Date: Wed, 9 Aug 2000 00:09:06 +1000 (EST)
> X-Mailer: ELM [version 2.4ME+ PL37 (25)]
> Sender: owner-ipfilter@coombs.anu.edu.au
>
> My apologies for the "lockup", but at the last moment I realised
> that similar code paths were used in NAT and state and had to fix
> a similar ICMP handling but in NAT.  I *really* didn't want to
> have to make a new version# just for that.  Everything should
> now be accessible...
>
> Darren
>
> > Ok, now I'm relaxed...and the niggles should be ironed out.
> >
> > 3.4.9/3.3.18 fix up existing problems with the FTP proxy in
> > prior versions.  The reason it took so long to iron out the
> > problem with 3.4.8 is due to a dodgy interface which will be
> > addressed for 4.0 (currently exists there too :-/).
> >
> > The 'global' fr_chksrc can now be 0 (disable checking of
> > spoofed source address packets), 1 (enabled) or 2 (log the
> > packets which it detects as having spoofed source IP#'s).
> > This check is done using the routing table.  For FreeBSD 4,
> > the sysctl will now show up (I'll merge this into -current
> > over the weekend when I'm not in a hurry).
> >
> > Most of the other changes have been "spurious" except for
> > one - the handling of ICMP packets for known state.
> > This bug crept in with fr_checkicmpmatchingstate() and has
> > been made mention of to me without any real pointers until
> > the weekend (which is the impetus for these).  That is now
> > plugged and all should be well there.  If you feel nervous
> > about upgrading then dig through the patch files for the
> > changes to ip_state.c (blocking packets won't help because
> > state check happens before that...mmm, having the source..
> > but that'll change soon too, in 4.0alpha O:-).
> >
> > I will be updating 4.0alpha later...
> >
> > Darren
> >
> > ftp://coombs.anu.edu.au/pub/net/ip-filter/ip_fil3.4.9.tar.gz
> > ftp://coombs.anu.edu.au/pub/net/ip-filter/patch-3.4.9.gz
> > ftp://coombs.anu.edu.au/pub/net/ip-filter/ip_fil3.3.18.tar.gz
> > ftp://coombs.anu.edu.au/pub/net/ip-filter/patch-3.3.18.gz
> >
> > --------------------------------------------------------------------
> > 3.4.9 08/08/2000 - Released
> >
> > implement new aging mechanism in fr_tcp_age()
> >
> > fix icmp state checking bug
> >
> > revamp buildsunos script and build both sparcv7/sparcv9 for Solaris
> > if on an Ultra with a 64bit system & compiler (Caseper Dik)
> >
> > open ipfilter device read only if we know we can
> >
> > print out better information for ICMP packets in ipmon
> >
> > move checking for source spoofed packets to a point where we can generate
> > logs of them
> >
> > return EFAULT from ircopyptr/iwcopyptr
> >
> > don't do ioctl(SIOCGETFS) for auth stats
> >
> > fix up freeing mbufs for post-4.3BSD
> >
> > fix returning of inc from ftp proxy
> >
> > fix bugs with ipfs -R/-W (Caseper Dik)
> >
> > 3.4.8 19/07/2000 - Released
> > --------------------------------------------------------------------
> > 3.3.18 08/08/2000 - Released
> >
> > fix up command checking in the ftp proxy
> >
> > fix getting the version from the kernel for solaris
> >
> > fix icmp state checking bug
> >
> > print out better information for ICMP packets in ipmon
> >
> > open ipfilter device read only if we know we can
> >
> > 3.3.17 08/07/2000 - Released
> > --------------------------------------------------------------------
> >
> > ----- End of forwarded message from Darren Reed -----
>
> ----- End of forwarded message from Darren Reed -----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message