OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: 2.8 ipfilter traceroute broken?
From: Nick Holland (nickholland-consulting.net)
Date: Sun Dec 17 2000 - 16:52:18 CST

Correct me if I'm wrong here...

The IPF code that is in OpenBSD doesn't follow the latest version of
IPF due to the auditing and cleanup that is part of OpenBSD (and I'm
very satisfied about this!), so wouldn't there be some security issues
to implementing a non-audited version of ipf?

For *my* uses (or more accurately, my client's uses) (and I speak ONLY
for myself on this, of course), I'll take a broken traceroute over an
insecure -- or uncertainly secure -- ipf! Most of my clients couldn't
even spell traceroute, much less care if it worked on their
workstations behind the firewall.

However... I've been half-following this thread, and while I've seen
the recommendation to upgrade to 3.3.20 to address this problem, I
haven't seen an official OpenBSD project position on this (or maybe I
have, and didn't recognize it! 8-).

Is 3.3.18 "it" for the duration of 2.8?
Is there going to be a -STABLE upgrade to 3.3.20 when ready?
Is there an official upgrade procedure?

I think I'd be content with whatever the answers are, just kinda like
to know the answers. 8)

Nick.

Rémi Guyomarch wrote:
>
> On Sun, Dec 17, 2000 at 02:32:19PM -0400, _azure wrote:
> > You'll need to upgrade IPFilter to a => 3.4 version.
>
> No. 3.3.20 fixed this problem.
> It's way easier to upgrade the integrated ipfilter from 3.3.18 to 3.3.20
> than to 3.4.15.
> 

-- 
http://www.holland-consulting.net/