[101] in linux-net channel archive


Re: Using Linux for a firewall.

daemon@ATHENA.MIT.EDU (Michael H. Warfield)
Fri Feb 24 15:21:06 1995

To: firewalls@greatecircle.com, linux-net@vger.rutgers.edu
Date: Fri, 24 Feb 1995 13:15:06 -0500 (EST)
From: "Michael H. Warfield" <mhw@wittsend.atl.ga.us>
In-Reply-To: <199502241529.HAA11867@miles.greatcircle.com> from "Darren Reed" at Feb 25, 95 02:27:14 am

> > >If the code I'm reading, 1.1.88, is actually what is in use, then Linux
> > >should be LAST on your list of operating systems to use for a firewall,
> > >ipfw or no.  It would be trivial for a "bad" IP packet to cause a Linux
> > >kernel numerous problems.  All sorts of things are done in the wrong
> > >order (assuming BSD is more correct) and various sanity checks on incoming
> > >packets are not performed.  This is just from reading their code in the
> > >last 5 mins, with NetBSD in another window on the right, and comparing
> > >the two, seeing what does and doesn't get done.  That or the BSD code is
> > >more paranoid about what it does and trusts, which isn't an altogether
> > >bad thing.

> > Could you be more specific about your comments above?  Yes, I am interested
> > in using Linux as a firewall, but hadn't begun to look at the actual
> > firewall code.  Your analysis could save me time.

> For starters, there seem to be too few checks about the size of the packet,
> the size it claims to be and the size of the packet header in comparison
> to both of these.  Either that or it checks packet header sanity twice and
> in another place I can't find.  From observation, a carefully crafted IP
> packet could crash your linux machine.

	Ok...  Has this been asked of the Linux developers over on the
network list (linux-net@vger.rutgers.edu)?  I would like to hear their
response.  I'm going to copy them in on this discussion at this point.

> Then when you get to the IP firewall code, it doesn't bother checking the
> access lists for anything going to 127.0.0.1, regardless of where it has
> come from.

> That from 1.1.94,  * Version:     @(#)ip.c        1.0.16b 9/1/93.
> (Just got it from tsx.mit.edu).

	Ok but do you have the MANDATORY firewall patches?  They are on
sunsite.unc.edu in /pub/Linux/system/Network/sunacm/NetTools.  File
is "mandatory-ipfw-diffs".  These are required for the firewall
management utilities in net-tools-1.1.93.tar.gz in the same directory.

> darren

-- 
 Michael H. Warfield	| (404) 925-8248	| mhw@WittsEnd.com
  (The Mad Wizard)	| NIC whois: MHW9	| mathcs.emory.edu!wittsend!mhw
An optimist believes we live in the best of all possible worlds.
A pessimist is sure of it!                      | http://www.wittsend.com/mhw/

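As an added example, not from this thread nor from the Linux or BSD sources it compares, here is the kind of IPv4 header sanity check the message says is missing: the header length field, the claimed total length and the number of bytes actually received are checked against each other (plus the RFC 791 header checksum) before any field is trusted. The 192.0.2.x addresses and the check_scenario builder are constructed test data, and the enum names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
enum ip_check {
    IP_OK = 0,
    IP_ERR_TRUNC_MIN,     /* fewer than 20 bytes actually received */
    IP_ERR_VERSION,       /* version nibble is not 4 */
    IP_ERR_IHL_SMALL,     /* IHL below the 5-word minimum */
    IP_ERR_IHL_TRUNC,     /* IHL claims more header than was received */
    IP_ERR_TOTLEN_LT_HDR, /* total length shorter than the header itself */
    IP_ERR_TOTLEN_TRUNC,  /* total length claims more than was received */
    IP_ERR_CSUM           /* header checksum does not verify */
};
/* RFC 791 one's-complement header checksum; returns 0 over a valid header. */
static uint16_t ip_hdr_csum(const uint8_t *p, size_t hlen)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < hlen; i += 2)
        sum += (uint32_t)((p[i] << 8) | p[i + 1]);
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}
/* Check the header length, the claimed total length and caplen (the bytes
 * really present in buf) against each other before any field is trusted. */
int ip_header_check(const uint8_t *buf, size_t caplen)
{
    if (caplen < 20) return IP_ERR_TRUNC_MIN;
    if ((buf[0] >> 4) != 4) return IP_ERR_VERSION;
    size_t hlen = (size_t)(buf[0] & 0x0f) * 4;
    if (hlen < 20) return IP_ERR_IHL_SMALL;
    if (hlen > caplen) return IP_ERR_IHL_TRUNC;
    size_t tot_len = (size_t)((buf[2] << 8) | buf[3]);
    if (tot_len < hlen) return IP_ERR_TOTLEN_LT_HDR;
    if (tot_len > caplen) return IP_ERR_TOTLEN_TRUNC;
    if (ip_hdr_csum(buf, hlen) != 0) return IP_ERR_CSUM;
    return IP_OK;
}
/* Constructed scenario: a 192.0.2.1 -> 192.0.2.2 UDP header with the given
 * IHL and total-length fields and a valid checksum (unless corrupt is set),
 * handed to the checker as if only caplen bytes had been received. */
int check_scenario(uint8_t ihl, uint16_t tot_len, size_t caplen, int corrupt)
{
    uint8_t pkt[1600] = {0};
    if (caplen > sizeof pkt) caplen = sizeof pkt;
    pkt[0] = (uint8_t)(0x40 | (ihl & 0x0f));
    pkt[2] = (uint8_t)(tot_len >> 8); pkt[3] = (uint8_t)tot_len;
    pkt[8] = 64; pkt[9] = 17;                                /* TTL, UDP */
    memcpy(pkt + 12, "\xc0\x00\x02\x01\xc0\x00\x02\x02", 8); /* src, dst */
    uint16_t c = ip_hdr_csum(pkt, (size_t)(ihl & 0x0f) * 4);
    pkt[10] = (uint8_t)(c >> 8); pkt[11] = (uint8_t)c;
    if (corrupt) pkt[10] ^= 0x01;
    return ip_header_check(pkt, caplen);
}
```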