On Fri, 22 Aug 2003 11:05:37 -0700 Ken Goods <[EMAIL PROTECTED]> wrote:
> Background:
> I recently built a Linux bridge-firewall using a minimal (w/no GUI) RH 7.3
> install because there was a pre-compiled kernel that included the bridging
> code. (kernel-2.4.18-10brnf0.0.7.i386.rpm)
>
> Everything is working great after two weeks of reading/learning (I'm a
> windows programmer/admin).
>
> Now I see there is a security hole regarding the forward iptables chain
> (CAN-2003-0552 - Jerry Kreuscher discovered that the Forwarding table could
> be spoofed by sending forged packets with bogus source addresses the same as
> the local host).
>
> I thought I'd eliminate security patching by not giving the interfaces any
> addresses thereby limiting access to the box to only the physical terminal
> and having it be "invisible" to the outside (and inside for that matter),
> but this seems to circumvent that.

The problem is on network receives, so no access to the box directly is
necessary. It would only be an issue if you were bridging and one of the
networks was "hostile". Not if you are bridging between something that is
protected by a router.

> My questions are, and please remember you're talking to a newbie so be
> gentle. :)
>
> Do I _need_ to apply the patched kernel?
>
> If so,
>
> 1. I haven't been able to find a clear explanation of what the various rpms
> do, i.e. I know what the kernel and -source patches are, but what's the
> purpose of the -BOOT, and _doc rpms and what do I do with them? I don't mind
> reading and learning if someone could point me in the right direction. 2+
> days with google has only left me a little more confused.

Ask RHAT, not here.

> 2. I noticed that quota-3.06-9.7.i386.rpm (RH) must be installed prior to
> patching the kernel, this seems to have something to do with hard disk
> quotas. Why would this need to be installed first if I don't use it?

Ditto.

> 3. Will it require me to re-compile the kernel with the latest bridging
> code? In other words, will it remove the existing bridging code? I thought
> you could update the kernel (-Uvh) to only apply the differences?

Remove the original bridge patch (patch -R) and then apply the new one.

> I think I can figure out how to re-compile the kernel if necessary....
> possibly. :)
>
> Thanks in advance for any and all help.
>
> Regards,
> Ken
>
> Ken Goods
> Network Administrator
> MIS Dept.
> AIA Insurance, Inc.
> 111 Main Street
> PO Box 538
> Lewiston, ID 83501
> Phone: 208-799-9023
> Websites: http://www.cropusainsurance.com
> Email: [EMAIL PROTECTED]
> _______________________________________________
> Bridge mailing list
> [EMAIL PROTECTED]
> http://www.math.leidenuniv.nl/mailman/listinfo/bridge
