From: Manuel Bouyer (bouyer ANTIOCHE.LIP6.FR)
Date: Mon Apr 09 2001 - 03:30:28 CDT
Hi,
On Mon, Apr 09, 2001 at 12:16:14AM +0200, Thomas Lopatic wrote:
> [...]
>
> Details
> -------
>
> When IP Filter evaluates the rule-base for an IP fragment and decides
> whether to pass it or block it, this decision is saved in a "decision
> cache" together with the fragment's IP ID, protocol number, source
> address and destination address fields.
Looking at the ipf code (3.4.9, the one included in NetBSD 1.5), it looks
like an entry is added to the decision cache only if the packet
matches a rule with 'keep state' or 'keep frags'. So a ruleset without
any 'keep state'/'keep frags' should not be vulnerable.
Or did I miss something?
-- Manuel Bouyer <bouyerantioche.eu.org> --
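
A ruleset check built on the observation in the message above, as an added example that is not part of the original post or of IP Filter: it lists the rules in an ipf.conf-style ruleset that use 'keep state' or 'keep frags', the two options the message ties to decision-cache entries. The function name, the sample ruleset and the interface name `ed0` are constructed for illustration.

```python
import re

# Options that, per the message above, cause a decision-cache entry to be added.
_KEEP = re.compile(r"\bkeep\s+(state|frags)\b", re.IGNORECASE)

# Constructed sample ruleset (not taken from the thread).
SAMPLE = """\
# constructed sample ipf.conf
block in all
pass in quick on ed0 proto tcp from any to any port = 80 flags S keep state
pass in on ed0 proto udp from any to any port = 53 keep state keep frags
pass out all   # a comment that mentions keep state must be ignored
"""


def audit_ruleset(text):
    """Return (lineno, action, options, rule) for every rule using keep state/frags."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Drop trailing comments so commented-out options are not counted.
        rule = raw.split("#", 1)[0].strip()
        if not rule:
            continue
        options = sorted({m.group(1).lower() for m in _KEEP.finditer(rule)})
        if not options:
            continue
        # Skip an optional "@N" insertion prefix to find the rule's action.
        tokens = rule.split()
        action = next((t for t in tokens if not t.startswith("@")), "")
        findings.append((lineno, action, options, rule))
    return findings


if __name__ == "__main__":
    hits = audit_ruleset(SAMPLE)
    for lineno, action, options, rule in hits:
        print(f"line {lineno}: {action} rule uses keep {'/'.join(options)}: {rule}")
    if not hits:
        print("no 'keep state' or 'keep frags' rules found")
```
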