As late as kernel 2.4.3, there have been some security bugs found
in the Netfilter code. While the code has been available for almost
a year, it is only now that Netfilter is being checked seriously
for problems. Expect more updates in the next kernel releases.
Personally, right now, I would still run the old 2.2.x kernels
for stability/security reasons on machines connected to the Internet.
http://lwn.net/2001/0419/security.php3
"Linux Kernel 2.4 Netfilter/IPTables vulnerability. Under
Linux 2.4, IPTables is used for building firewalls. It is implemented
under the NetFilter framework, a raw framework for filtering and
mangling packets. A vulnerability has been reported in the manner
that the RELATED state is implemented which can be exploited to
potentially bypass a firewall and access ports that are assumed to
be protected."
"The NetFilter team has provided a patch for Linux 2.4.3. Note
that the patch may be subject to future revision; a URL is provided
where the latest version can be found. Presumably the patch, or its
future incarnation, will be provided in an upcoming version of 2.4.
Meanwhile, the original posting provides details that network
engineers will want to examine to improve and tighten the use of
the RELATED state."
Ambo
[EMAIL PROTECTED] wrote:
>
> is anybody already deploying their firewalls based on netfilter/iptables?
> anyone planning to migrate from ipchains to netfilter?
>
> any compelling reasons to do so, aside from stateful inspection?
> any compelling reason NOT to do so?
>
> anyone want to share their horror stories on this?
>
> -marlon
_
Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]
To subscribe to the Linux Newbies' List: send "subscribe" in the body to
[EMAIL PROTECTED]
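The LWN excerpt above says network engineers will want to "tighten the use of the RELATED state". Below is an added example of what that means in a ruleset; it is not from the original posting, the LWN article or the Netfilter team's patch, and it does not reproduce the bug itself (the kernel patch is what fixes that; the rules only limit what a bad RELATED entry can reach). Both tables are in iptables-restore format: the first accepts anything conntrack marks RELATED on every port, the second honours RELATED only for ICMP errors and for expectations created by the FTP helper. The interface, the 10.0.0.21 FTP server address and the use of modern `-m conntrack --ctstate` / `-m helper` syntax are assumptions (a 2.4.3 kernel would use `-m state --state RELATED` and has no helper match). A small awk audit at the end flags any rule that accepts RELATED without pinning it to a protocol or helper, so an existing ruleset can be checked the same way.

```shell
#!/bin/sh
# Added example, not the netfilter project's or the original poster's code.
# Addresses, interfaces and the helper/conntrack match syntax are assumptions.

# Weak form: every packet conntrack flags RELATED is accepted, on any port,
# whatever helper produced the expectation.
broad_rules() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -d 10.0.0.21 -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Tightened form: ESTABLISHED is accepted on its own; RELATED is accepted only
# for ICMP errors and for TCP expectations owned by the ftp helper.  Anything
# else that conntrack calls RELATED is logged and falls through to DROP.
tight_rules() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m conntrack --ctstate RELATED -j ACCEPT
-A FORWARD -d 10.0.0.21 -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -p tcp -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED -j LOG --log-prefix "unexpected RELATED: "
COMMIT
EOF
}

# Audit: count ACCEPT rules that match RELATED without restricting the
# protocol (-p) or the helper.  Reads iptables-restore text on stdin and
# prints the count (0 means no blanket RELATED accept is present).
count_broad_related() {
  awk '/-j ACCEPT/ && /RELATED/ && !/ -p / && !/--helper/ { n++ } END { print n+0 }'
}

# Usage: load the tightened table, then audit whatever is currently loaded.
#   tight_rules | iptables-restore
#   iptables-save | count_broad_related
```

Loading the tightened table only helps for helpers you actually run; if you load `nf_conntrack_irc` or another helper later, add a matching `--helper` rule rather than falling back to a blanket RELATED accept, and watch the "unexpected RELATED:" log line for anything the ruleset now drops.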