[20128] in bugtraq
Re: A fragmentation attack against IP Filter
daemon@ATHENA.MIT.EDU (Manuel Bouyer)
Tue Apr 10 11:31:10 2001
Message-ID: <20010410144801.A20072@antioche.lip6.fr>
Date: Tue, 10 Apr 2001 14:48:01 +0200
Reply-To: Manuel Bouyer <bouyer@ANTIOCHE.LIP6.FR>
From: Manuel Bouyer <bouyer@ANTIOCHE.LIP6.FR>
X-To: Thomas Lopatic <thomas@lopatic.de>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <5.0.2.1.2.20010409140226.00b444c8@lopatic.de>; from Thomas
Lopatic on Mon, Apr 09, 2001 at 02:12:22PM +0200
On Mon, Apr 09, 2001 at 02:12:22PM +0200, Thomas Lopatic wrote:
> [...]
> For the packet filtering code you are perfectly right. The advisory should
> have said so. Still, the NAT code seems to also add entries to the decision
> cache. Unfortunately I do not currently have the time to take a closer look
> at the NAT code, so I do not know about the implications of this for packet
> filtering.
>
> If you find anything interesting in there let us know. :-)
I had a closer look at this. It looks like entries are added to the decision
cache only for proxies: ip_ftp_pxy, ip_raudio_pxy, ip_rcmd_pxy. Basic NAT
shouldn't change the decision cache, but I very well may have missed
something :)
--
Manuel Bouyer, LIP6, Universite Paris VI. Manuel.Bouyer@lip6.fr
--