From owner-freebsd-security Fri Jan 26 8:36:54 2001 Delivered-To: freebsd-security@freebsd.org Received: from flint.asdis.com (flint.asdis.com [212.222.145.99]) by hub.freebsd.org (Postfix) with ESMTP id CCAA137B401 for ; Fri, 26 Jan 2001 08:36:36 -0800 (PST) Received: from sarek.itp.asdis.de ([10.63.192.115] helo=asdis.de) by flint.asdis.com with esmtp (Exim 3.13 #1) id 14MBrX-000CFK-00 for freebsd-security@freebsd.org; Fri, 26 Jan 2001 17:36:35 +0100 Received: by asdis.de (Smail-3.2.0.102asdis 1998-Aug-2 #7) id ; Fri, 26 Jan 2001 17:36:34 +0100 (CET) Message-Id: <5.0.0.25.1.20010126173443.02d9e1e8@pop3.itp.asdis.de> X-Sender: mib@pop3.itp.asdis.de X-Mailer: QUALCOMM Windows Eudora Version 5.0 Date: Fri, 26 Jan 2001 17:36:33 +0100 To: freebsd-security@freebsd.org From: Martin Ibert Subject: Another problem with the ipfw patch - even bigger hole in the firewall on 4.0R (was: Re: ipfw security patch problem..) Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1"; format=flowed Content-Transfer-Encoding: quoted-printable Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org [Sorry Justin! I forgot to Cc: the list when I replied to your mail, so you= =20 now have it twice. :-( ] At 08:00 26.01.2001 +0200, you wrote: >I upgraded my ipfw yesterday on my 4.0-STABLE system with the patch by >following the instructions to the letter for the security bug discovered >by Aragon Gouveia, and compile and install appeared to go seamlessly. We also tried to patch a 4.0-RELEASE system. We worked according to the=20 step-by-step instructions provided in the advisory. Some patches were=20 rejected and had to be done by hand, but apart from that, no major problems= =20 were discovered during build and install. However, the resulting combination of kernel and ipfw tool did not work! It= =20 appears that the firewall took EVERY tcp packet to be part of an=20 "establised" connection and happily past setup packets in and out. We quickly retraced our steps and reverted the system to its pre-patched= state. Did anyone experience the same problems as we did? And does anyone have a=20 solution (short of upgrading to 4.2-RELEASE or better?) --=20 --------------------------------------------------------------- Dipl.-Inform. Martin Ibert - phone: +49-30-20631-607, fax: -199 - ASDIS Software AG, Neue Gr=FCnstra=DFe 25, D-10179 Berlin-Mitte - ---------------- http://www.asdis.de/ -- mailto:mib@asdis.de -- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message