From: Kris Kennaway
To: Martin Ibert
Cc: freebsd-security@FreeBSD.ORG
Date: Fri, 26 Jan 2001 11:27:52 -0800
Subject: Re: Another problem with the ipfw patch - even bigger hole in the firewall on 4.0R (was: Re: ipfw security patch problem..)
Message-ID: <20010126112752.D75150@citusc17.usc.edu>
In-Reply-To: <5.0.0.25.1.20010126173443.02d9e1e8@pop3.itp.asdis.de>

On Fri, Jan 26, 2001 at 05:36:33PM +0100, Martin Ibert wrote:
> We also tried to patch a 4.0-RELEASE system. We worked according to the
> step-by-step instructions provided in the advisory. Some patches were
> rejected and had to be done by hand, but apart from that, no major problems
> were discovered during build and install.
>
> However, the resulting combination of kernel and ipfw tool did not work! It
> appears that the firewall took EVERY tcp packet to be part of an
> "established" connection and happily passed setup packets in and out.

I didn't test the patches on 4.0 since that isn't a supported release... there have been quite a few other changes to ipfw since 4.0, so chances are there are other things that need to be patched. Upgrading to 4.2 will be your best bet for this and future advisories.

Kris

--
NOTE: To fetch an updated copy of my GPG key which has not expired, finger kris@FreeBSD.org