Re: [SLUG] iptables

From: Douglas W Koobs (dkoobs@tampabaydsl.com)
Date: Sun Apr 29 2001 - 15:40:57 EDT


Thanks for the info. Actually, I'm running the 2.4.4 kernel, and not allowing FTP at
all. I am assuming that the 2.4.4 kernel will not need the patch? Thanks,

Doug

On Sunday 29 April 2001 14:12, you wrote:
> Sorry, I know this doesn't answer your questions (I have yet to set up
> iptables myself -- I am still using 2.2.19 until a fixed 2.4 version comes
> out) but you should definitely consider these when writing your iptables
> rules:
> http://www.tempest.com.br/advisories/01-2001.html (*ALL* 2.4-based Linux
> distros)
> http://www.redhat.com/support/errata/RHSA-2001-052.html (Redhat summary of
> the above - no fix yet)
> The implication of this advisory is that anyone with any ftp client can
> easily make your firewall (practically) useless, and it even provides a
> handy Perl script exploit for those script kiddies that are too stupid to
> use command-line ftp.
>
> Basically you want to either get the patch (for the 2.4.3 kernel) at
> http://netfilter.samba.org/security-fix/ and recompile and/or do NOT use
> the following common rule:
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> To avoid the rather serious security issue listed in the above advisories,
> you have to be a lot more restrictive about the "RELATED" connections you
> allow (i.e. only to/from specific IPs, ports, etc.) if you don't have the
> patched kernel.
>
> Cheers,
> --Julian
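The two rule sets Julian contrasts, as an added example that is not from the thread: the blanket ESTABLISHED,RELATED rule beside a version that accepts RELATED only for ICMP errors and for FTP data to one permitted server. LAN_NET and FTP_SERVER are assumed placeholder values, and IPT defaults to echo so the script prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not from the original thread. IPT defaults to "echo iptables"
# so the script only prints the commands; set IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"

# Assumed placeholder values (not from the thread): the internal LAN and the
# one FTP server its clients are permitted to reach.
LAN_NET="${LAN_NET:-192.168.1.0/24}"
FTP_SERVER="${FTP_SERVER:-198.51.100.10}"

# The common rule quoted in the thread: every RELATED connection is accepted,
# so anything the conntrack FTP helper "expects" is let through.
weak_forward_rules() {
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# The restrictive alternative: ESTABLISHED is still accepted wholesale, but
# RELATED only for the specific cases that are actually needed. Assumes the
# FORWARD chain has a default DROP policy and these rules come first.
restricted_forward_rules() {
    $IPT -A FORWARD -m state --state ESTABLISHED -j ACCEPT
    # ICMP errors tied to an existing flow (e.g. fragmentation needed).
    $IPT -A FORWARD -p icmp -m state --state RELATED -j ACCEPT
    # Passive-mode FTP data: LAN to the permitted server, unprivileged ports only.
    $IPT -A FORWARD -p tcp -s "$LAN_NET" -d "$FTP_SERVER" --dport 1024:65535 \
        -m state --state RELATED -j ACCEPT
    # Active-mode FTP data: server port 20 back to unprivileged LAN ports.
    $IPT -A FORWARD -p tcp -s "$FTP_SERVER" --sport 20 -d "$LAN_NET" \
        --dport 1024:65535 -m state --state RELATED -j ACCEPT
    # Anything else claiming to be RELATED is logged and dropped.
    $IPT -A FORWARD -m state --state RELATED -j LOG --log-prefix "related-drop: "
    $IPT -A FORWARD -m state --state RELATED -j DROP
}

# Audit helper: count emitted rules that accept RELATED without qualifying
# protocol, addresses or ports. A hardened rule set should report 0.
count_unqualified_related() {
    "$1" | grep -c -e '--state ESTABLISHED,RELATED -j ACCEPT' || true
}
```

Run it with IPT=iptables only after checking the printed rules against your own LAN and server addresses.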



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 19:58:41 EDT