[lug] openssl vulnerability

[John Hernandez]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

D. Stimits wrote:
| PS: I should switch to iptables instead of ipchains, if for no other
| reason than the --log-prefix. My system is entirely cut off from
| incoming, other than auth, so I don't see other advantages in iptables
| over ipchains just to block the world out...but good logging is hard to
| beat.

One advantage of iptables, if I understand it correctly, is that its
stateful inspection capability allows you to write a stronger ruleset
for doing exactly what you describe above.  With an ipchains ruleset
in place, an attacker might be able to, say, forge a TCP ACK packet by
mucking with headers and sneak it right past your firewall.  In
general, ipchains has no way of checking if a packet is part of a
previously established connection besides examining these flags.

Without stateful inspection, you potentially leave yourself open to
stealth scans and other gremlins.  This situation can be more
effectively controlled with iptables state modules, because it
considers the context of the packets (at least wrt layers 3-4), rather
than treating each of them as unrelated entities.

- --

~ |  John Hernandez - NOAA Boulder NOC - 303-497-6392
~ |  Mailstop R/OM62. 325 Broadway, Boulder, CO 80305
~ |  PGP Public Key ID: 586A7E23
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE9+MphB1Kl6VhqfiMRApkFAJ439ghaP3O4CNhB8d/RaUPkY8EHSQCfT/OF
Fsr9vVDAsa3mMJFPlN7mSxQ=
=PP4e
-----END PGP SIGNATURE-----