On 06/05/2011 10:33 PM, Josh Lehan wrote:
> On 06/05/2011 11:33 AM, Tom Eastep wrote:
>> ploit are:
>>
>> The details have not yet been made public.
>
> Perhaps you can spare one detail. By "hosts", do you mean: local hosts,
> or, remote hosts?

Provided that you use NAT, 'hosts' means local hosts. And the 'holes' that can be created are only to internal hosts with very specific characteristics.

> If local hosts, the impact is minor, it would basically be equivalent to
> UPnP (which is already running intentionally on many home networks).

The vast majority of home networks are not vulnerable because of my point above.

> If remote hosts, then it's a huge hole! I'm *really* hoping it's not
> remote hosts.
>
> It's understandable that such an exploit would not be public yet. Is
> there a CVE number for it yet? I don't see one.

The research is being made public tomorrow when there should be a lot more information available.

> Is the exploit fixed in the latest kernel?

No -- I am of the opinion that the problem must be addressed by firewall/IP configuration and not in the kernel.

> I'm wondering if upgrading
> to 3.0.0 would have the fix in it or not? (I'm guessing this isn't
> public either, because if vulnerable/invulnerable version numbers were
> announced, then somebody could just diff the kernel sources between
> them, and learn the exact details of the exploit.)

BUT REMEMBER -- there is a simple defense; just specify 'routefilter' on all of your IPv4 interfaces and you are perfectly safe. It is only IPv6 users and users whose external interface is a bridge that need this new Shorewall/Shorewall6 feature.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
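
One way to audit a configuration for the 'routefilter' defense named in the reply above, as an added example that is not part of the original message or of Shorewall itself. It assumes the usual Shorewall `interfaces` layout (zone, interface, then option columns) and that `routefilter=0` switches the check off; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# missing_routefilter [FILE]
# Reads a Shorewall 'interfaces' file (or stdin) and prints the name of
# every interface whose options do not enable route filtering.
missing_routefilter() {
    awk '
        { sub(/#.*/, "") }          # drop comments (re-splits the fields)
        NF < 2      { next }        # blank or incomplete entry
        $1 ~ /^\?/  { next }        # directives such as ?FORMAT
        {
            enabled = 0
            # Options are comma-separated; scan every column after INTERFACE
            # so both the 3-column and 4-column layouts are handled.
            for (i = 3; i <= NF; i++) {
                n = split($i, opt, ",")
                for (j = 1; j <= n; j++)
                    if (opt[j] ~ /^routefilter(=[12])?$/)
                        enabled = 1
            }
            if (!enabled)
                print $2            # INTERFACE column
        }
    ' "$@"
}

# Constructed sample configuration (assumption, not from the thread).
sample_interfaces() {
    cat <<'EOF'
#ZONE  INTERFACE  BROADCAST  OPTIONS
net    eth0       detect     dhcp,tcpflags,routefilter,nosmurfs
loc    eth1       detect     tcpflags,nosmurfs
dmz    eth2       detect     routefilter=0,tcpflags
vpn    tun0       -
EOF
}

# Demo: lists eth1, eth2 and tun0 as lacking an effective routefilter.
sample_interfaces | missing_routefilter
```

On a real system the function would be pointed at the IPv4 interfaces file; per the reply, IPv6 interfaces and a bridged external interface are not covered by this option.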
