On Mon, Mar 20, 2000 at 02:30:10PM +0100, Bjarni R. Einarsson wrote:
> Hi all,
>
> Attached is a patch I created to address the "extended FTP ALG"
> vulnerability discussed on Bugtraq in the past few days (there's an URL in
> the patch comments). It prevents bogus (and legitimate) PORT commands from
> creating backward tunnels to ports below 1024, and to a (short) list of
> user-defined ports.
>
> I've tested the patch with Linux 2.2.13, with help from the ftpd-ozone
> program by Dug Song (http://www.monkey.org/~dugsong/ftpd-ozone.c.txt).
> People who want to test this themselves should take note that the port
> number reported by ftpd-ozone is one below the hole opened by ip_masq_ftp.
>
> I realize this patch isn't perfect, but it's probably better than nothing.
> Sorry for the waste of bandwidth if this has already been addressed.
Thanks for the patch (powerful open source, yeah!)...
Although "not perfect", it helps a lot by making a good policy for
the ports allocated.
Anyway something must be done to other ip_masq_xxx helper modules as well.
There's no possible connection track in 2.2 (go for 2.4+netfilter), but
we could constraint creation of back-tunnels to (eg.):
1) ms->state == IP_MASQ_S_ESTABLISHED
2) certain magic rate (hoping that this can be shaped per application
module).
1) is certainly fast doable, I'll make a patch ...
Juanjo
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Thu Mar 23 2000 - 21:00:30 EST