|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Thomas Lopatic (thomas
LOPATIC.DE)Date: Mon Apr 09 2001 - 07:12:22 CDT
Hi there,
>Looking at the ipf code (3.4.9, the one inclued in NetBSD 1.5), it looks
>like an entry is added to the decision cache only if the packet
>matches a rule with 'keep state' or 'keep frags'. So a ruleset without
>any 'keep state'/'keep frags' should not be vulnerable.
>Or did I miss something ?
For the packet filtering code you are perfectly right. The advisory should
have said so. Still, the NAT code seems to also add entries to the decision
cache. Unfortunately I do not currently have the time to take a closer look
at the NAT code, so I do not know about the implications of this for packet
filtering.
If you find anything interesting in there let us know. :-)
-Thomas
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]