> -----Original Message-----
> From: Steven Peck [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, April 19, 2001 11:11 PM
> To: '[EMAIL PROTECTED] '
> Subject: [Leaf-devel] 2.4 iptables exploit
>
>
> http://www.tempest.com.br/advisories/01-2001.html
> indicates a 2.4 kernel iptables exploit involving ftp passing through.
> They also provide a patch for the exploit and a very good explanation.
>
> As long as you trust your internal users(!!?) and your ftp server is
> uncompromised, you can ignore this.... :)
>
should we?
The problem with ftp_conntrack is that when the PORT command is issued, the
port you chose to use will be a related connection, and thus allowed.
So if a client FTPs to my internet FTP server (external), and I need an
open port to some service that iptables does not allow remote connections on
(the firewall), I issue the PORT command and instead of choosing port 20
I'll use port 22, 23... whatever; this connection will be accepted.
This is an exploitable bug that can be minimized if the ftp-data filters
are created with some thinking (maybe not! ;). I think that disallowing
related connections to all but port 20 might work, but in exchange for
some lost functionality.
If this scenario were a port-forwarded FTP server, full of services that
admins think are not available, things would be worse!
MHO,
pedro
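Added example (editor's, not code from the thread, from LEAF or from the netfilter helper itself): a small Python model of the behaviour described above. The helper reads the client's PORT command, registers an expectation for the data connection the server will open, and a `-m state --state RELATED -j ACCEPT` rule then admits whatever matches that expectation. The model compares that with the restriction suggested above (RELATED accepted only from source port 20) and with an assumed stricter helper that ignores a PORT command naming an address other than the client's own. The addresses, ports and policy names, the stricter-helper variant, and the detail that the expectation carries no source port are all assumptions made for illustration, not statements about the real kernel code.

```python
"""Added example, not code from the thread, LEAF or netfilter.

Toy model of the 2.4 ip_conntrack_ftp behaviour discussed in the thread:
the helper parses the client's PORT command, registers an expectation for
the server-initiated data connection, and the firewall's RELATED rule then
accepts any packet matching that expectation.  Addresses, ports, policy
names and the shape of the expectation are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional

# RFC 959 form: PORT h1,h2,h3,h4,p1,p2  with port = p1*256 + p2
PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n?$")

FTP_DATA_PORT = 20


@dataclass(frozen=True)
class Expectation:
    """The RELATED tuple the helper registers after a PORT command (assumed
    shape: the server's source port is not part of it)."""
    src_ip: str      # the FTP server, which opens active-mode data connections
    dst_ip: str      # the address the client named in PORT
    dst_port: int    # the port the client named in PORT


@dataclass(frozen=True)
class Connection:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_port(line: str) -> tuple:
    """Return (ip, port) from a PORT command; raise ValueError on a bad one."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in %r" % line)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def expectation_for(port_line: str, client_ip: str, server_ip: str,
                    loose: bool) -> Optional[Expectation]:
    """Model of the helper.  loose=True: trust whatever address the client
    puts in PORT (the behaviour the thread is worried about).  loose=False:
    an assumed stricter helper that only accepts the client's own address."""
    ip, port = parse_port(port_line)
    if not loose and ip != client_ip:
        return None   # PORT ignored: no expectation, so nothing becomes RELATED
    return Expectation(src_ip=server_ip, dst_ip=ip, dst_port=port)


def is_related(conn: Connection, exp: Optional[Expectation]) -> bool:
    """What '-m state --state RELATED' would match for this expectation."""
    return (exp is not None and conn.src_ip == exp.src_ip
            and conn.dst_ip == exp.dst_ip and conn.dst_port == exp.dst_port)


def firewall_allows(conn: Connection, exp: Optional[Expectation],
                    policy: str) -> bool:
    """Two FORWARD-chain policies, as iptables rules would express them:
    'related_any'    : -m state --state RELATED -j ACCEPT
    'related_sport20': -m state --state RELATED -p tcp --sport 20 -j ACCEPT
    (the restriction suggested in the thread).  Everything else is dropped."""
    if not is_related(conn, exp):
        return False
    if policy == "related_any":
        return True
    if policy == "related_sport20":
        return conn.src_port == FTP_DATA_PORT
    raise ValueError("unknown policy %r" % policy)


# Constructed scenario: the firewall forwards FTP to 10.0.0.5, and 10.0.0.7
# runs an SSH service the firewall must never expose.  An external client
# sends a PORT command naming the internal host instead of itself.
CLIENT, FTP_SERVER, INTERNAL_HOST = "198.51.100.9", "10.0.0.5", "10.0.0.7"
EVIL_PORT = "PORT 10,0,0,7,0,22\r\n"


def demo() -> dict:
    """Decision for server->10.0.0.7:22 under each helper/policy/sport combo."""
    results = {}
    for loose in (True, False):
        exp = expectation_for(EVIL_PORT, CLIENT, FTP_SERVER, loose)
        for policy in ("related_any", "related_sport20"):
            for sport in (FTP_DATA_PORT, 44444):
                conn = Connection(FTP_SERVER, sport, INTERNAL_HOST, 22)
                results[(loose, policy, sport)] = firewall_allows(conn, exp, policy)
    return results


if __name__ == "__main__":
    for (loose, policy, sport), allowed in sorted(demo().items()):
        print("loose=%-5s policy=%-15s sport=%-5d -> %s"
              % (loose, policy, sport, "ACCEPT" if allowed else "DROP"))
```

Running it shows the trade-off the thread is circling: with the permissive helper, the source-port-20 rule blocks the data connection when the server uses an arbitrary port, but not when the server (or whoever controls it) sends from port 20, which is why the "uncompromised FTP server" condition matters; only refusing a foreign address in PORT keeps the internal host unreachable in every combination.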
> -sp
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
> [EMAIL PROTECTED]
> Sent: 4/19/2001 1:54 PM
> Subject: Re: Off-list Re: [Leaf-devel] Updating Eigerstein
>
> Hello Ewald, Charles
> > > >> Is anyone working on this already? If not I will have a start this
> > > >> weekend, or perhaps when I return from work tonight. If you prefer
> > > >> someone else's work please tell me so; it will save me some superfluous
> > > >> work.
> > > >
> yep, sort of.
>
> I am implementing the eigerstein on the 2.4.3 kernel from george.
> It just seems to change quite a lot.
> I am using Busybox 0.50 for now, as I had problems compiling the
> 0.51 with insmod. (see previous posts)
> Updated the ash. (oxygen)
> Am working on the weblet.
> But changing to 2.4 and updating to iptables means also changes
> in portforwarding and masquerading.
> I now have a working (not properly tested) image with shorewall.
> I am working on a basic ip-address setup kind of the way lrp does it.
> The rest of the system will be set up with a webinterface (sort of
> prealpha stage ;) at the moment.
> Although this kind of change would mean a rather radical change
> away from eigerstein. :( So perhaps it would be best to stay
> with ipchains and only update a few programs (busybox etc).
>
>
> > > >
> > > > I haven't seen any progress reports, or been asked any questions...
> As said, I am still in a very pre-alpha stage, and don't know if I
> come further.
> > > > the best I can tell you for sure is that I'm not working on this
> > > > (just too busy).
> > > >
> > > > Feel free to do whatever work you have time for, and just ask if you
> > > > have any questions or need anything from me.
> > > >
> > > Alright! I'll see what I can do this weekend. As I have a part-time
> > > job, no wife and no children I'm not as busy as both of you. Of course I
> > > will keep a full log of the changes that I make for you to comment on.
> > > One of the bigger changes I propose is replacing ae with e3 or the
> > > busybox vi applet. That will make it a lot easier to throw out ncurses
> The busybox vi applet functions very well :) tried this.
> >
> I
> > > a "whopping" 119 kb).
> > >
> > > If you have the time it would be nice if you could make sh-httpd
> > > compatible with the newer ash from oxygen. I can view webpages but cgi
> > > is broken. The weblet cgi-scripts do work when executed from the
> > > commandline.
> I don't have a running Oxygen available at the moment, but as
> sh-httpd is a shell script it shouldn't matter.
> I use the Oxygen ash script and after the following changes to sh-httpd
> (thanks to Charles) it is running very fine! So this should run
> on Oxygen also.
> The "`jobs`" seems not to function.
>
> in routine do-cgi()
> Change the following part of code
> ---------------------------
> esac
> $LOCALURL "$@" > $OUTPUT &
> CNT=1
> while [ -n "`jobs`" ] ; do
> sleep 1
> -------------------------------- into
> esac
> $LOCALURL "$@" > $OUTPUT &          # unchanged: start the cgi script in the background
> CGI_PID="$!"                        # pid of the cgi script just started
> CNT=1
> while [ -e "/proc/$CGI_PID" ]; do   # loop while that pid still exists
> sleep 1
> --------------------------------
>
> In clear text:
> wait as long as there is a pid from the last started cgi script (which
> means it is still running) until this is finished or until a timeout
> occurs.
> The timeout is triggered by increasing CNT with each loop.
> --------------------------------------------------------------
>
> > I added updating sh-httpd to work under Oxygen as a task (assigned to
> > me).
> > I'll try to get this done in the near term, before I go out of town
> > again.
> I hope this is solved hereby :)
> >
> > I guess this means I'm going to finally have to get an Oxygen system
> > up & running...should be fun.
> >
> don't let my answer prevent this :)
>
> > Any particular version(s) of Oxygen I need to be working with, or
> > should I just grab the latest?
> >
> >
> > Charles Steinkuehler
> > http://lrp.steinkuehler.net
> > http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
> >
> Greetings to all of you.
> Greetings to Ewald too :)
>
>
> Eric Wolzak
> http://leaf.sourceforge.net/devel/ericw
>
>
> _______________________________________________
> Leaf-devel mailing list
> [EMAIL PROTECTED]
> http://lists.sourceforge.net/lists/listinfo/leaf-devel
>
>