Ben Nagy wrote:
> In my opinion, though, I'd still rather have a simple stateful filter. The
> extra overhead to do TCP and UDP state-matching is not that extreme and
> should not be all that hard to code. You throw away a line about bugs in
> current stateful filters, but it seems to me that they've all been based
> on application / control channel hackery - which is not strictly a part of a
> stateful _packet_ filter (FTP control channel bugs, the PIX mailguard oops
> etc). Has there been anything anyone has noticed that has been a "pure"
> state-keeping error?
>
There was an error in Linux ipchains that was noticed in March on Bugtraq
(3/28/2000) which allowed an outsider to modify the ipmasq table by sending
UDP packets to the ipmasq'ing gateway with the destination port set to the
source port it had used for an outgoing masqueraded UDP packet. The ipmasq
box would only check the destination port on incoming UDP packets to that
port and set its masquerading rulebase according to the information from
those packets.
Cheers,
Tobias
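
The state-matching difference described in this message, sketched as an added example (not part of the original post and not the ipchains source). The struct layout, function names and addresses are assumptions constructed for illustration: one lookup matches an incoming UDP packet on destination port alone and takes the peer from the packet, the other requires the recorded remote address and port to match.

```c
#include <stddef.h>
#include <stdint.h>

/* One masqueraded UDP flow (hypothetical layout, not the ipchains struct). */
struct masq_entry {
    uint32_t int_addr, rem_addr;  /* internal host, remote peer it contacted */
    uint16_t int_port, rem_port;
    uint16_t masq_port;           /* source port the gateway used outbound */
};
struct udp_in { uint32_t src_addr; uint16_t src_port, dst_port; };

/* Behaviour described in the message: match on destination port only,
 * then take the peer from the incoming packet. */
struct masq_entry *lookup_port_only(struct masq_entry *t, size_t n,
                                    const struct udp_in *p)
{
    for (size_t i = 0; i < n; i++)
        if (t[i].masq_port == p->dst_port) {
            t[i].rem_addr = p->src_addr;   /* state rewritten by the sender */
            t[i].rem_port = p->src_port;
            return &t[i];
        }
    return NULL;
}

/* Strict state match: the packet must come from the recorded peer,
 * and the lookup never modifies the table. */
const struct masq_entry *lookup_strict(const struct masq_entry *t, size_t n,
                                       const struct udp_in *p)
{
    for (size_t i = 0; i < n; i++)
        if (t[i].masq_port == p->dst_port &&
            t[i].rem_addr == p->src_addr && t[i].rem_port == p->src_port)
            return &t[i];
    return NULL;
}

/* Constructed sample: 10.0.0.5:5000 -> 192.0.2.10:53 via masq port 61000;
 * an unrelated host 203.0.113.9 then sends a UDP packet to port 61000.
 * Returns the remote address left in the table after the lookup. */
uint32_t peer_after(int strict)
{
    struct masq_entry t[1] = {{0x0A000005, 0xC000020A, 5000, 53, 61000}};
    struct udp_in stray = {0xCB007109, 4444, 61000};
    if (strict) lookup_strict(t, 1, &stray);
    else        lookup_port_only(t, 1, &stray);
    return t[0].rem_addr;
}
```

With the strict lookup the table still points at the peer the internal host originally contacted; with the port-only lookup the entry now names the unrelated sender.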