[lug] RH 7.x word of caution

Kevin Fenzi kevin at ashara.scrye.com
Wed Jun 6 14:49:16 MDT 2001


>>>>> "Hugh" == Hugh Brown <hugh at vecna.com> writes:

Hugh> Good to know.  

yeah, looks like the redhat 'ipchains' init.d entry doesn't check the
return status of ipchains. You guys might want to file a bug in the
redhat bugzilla on that one... 

Hugh> Last I heard was that iptables had some major
Hugh> security problems that made it ineffective.  Is that still the
Hugh> case?  If so, what alternatives do people have if they are
Hugh> running linux 2.4?

no. It was the case for a pretty short time under some
circumstances. Basically if you were allowing incoming ftp connections
and using a "related" rule, people could trick things into bypassing
your firewall. It was fixed in 2.4.4 and beyond. There was also a
patch out pretty quick. ;)

for more info, take a look at:
http://netfilter.samba.org/security-fix/index.html 

I am using netfilter on my firewall just fine. It's much nicer than
ipchains and seems to work well. 

Hugh> Hugh

kevin
-- 
Kevin Fenzi
MTS, tummy.com, ltd.
http://www.tummy.com/  KRUD - Kevin's Red Hat Uber Distribution
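The missing status check Kevin points out, as an added example that is not part of the original thread and not Red Hat's init script: a small rule loader that checks the exit status of every ipchains call and fails closed (flush, DENY policies, non-zero exit) instead of silently continuing with a half-loaded rule set. The rule set and the `ipchains` command name are assumptions, constructed for illustration.

```shell
#!/bin/sh
# Fail-closed firewall rule loader (added example, not Red Hat's init script).
# Assumptions: the firewall binary named in $FW (default: ipchains) is in PATH;
# the rules in load_rules are a constructed sample, not a recommended policy.

# Run one firewall command and check its exit status. On failure, flush all
# chains, set every built-in chain to DENY and report failure, so a typo in one
# rule never leaves the host running with a partially loaded rule set.
fw() {
    if "$FW" "$@"; then
        return 0
    fi
    echo "firewall: rule failed, failing closed: $FW $*" >&2
    "$FW" -F
    for chain in input output forward; do
        "$FW" -P "$chain" DENY
    done
    return 1
}

# Load the sample rule set using $1 as the firewall command.
# Returns 0 if every rule loaded, 1 if any rule failed (after failing closed).
load_rules() {
    FW=${1:-ipchains}
    fw -F                                       || return 1
    fw -P input DENY                            || return 1
    fw -P forward DENY                          || return 1
    fw -P output ACCEPT                         || return 1
    fw -A input -i lo -j ACCEPT                 || return 1
    fw -A input -p tcp --dport 22 -y -j ACCEPT  || return 1
    fw -A input -p tcp ! -y -j ACCEPT           || return 1
    fw -A input -j DENY -l                      || return 1
    echo "firewall: all rules loaded"
}

# Stand-alone use: FW_APPLY=1 sh firewall.sh applies the rules and exits
# non-zero on failure, which an init script should propagate to its caller.
if [ "${FW_APPLY:-0}" = 1 ]; then
    load_rules "${FW_CMD:-ipchains}"
fi
```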
