Re: Firewall-troubleshooting

2005-07-03 Thread Paul Gear
Daniel Pittman wrote: > ... >>>Finally, that is a pretty complex firewall script, and obviously >>>somewhat hard to maintain. Maybe you would get better value for your >>>time by using an existing firewall helper like 'firehol', or something, >>>than re-doing the work that went into the existing t

Re: Firewall-troubleshooting

2005-07-03 Thread Paul Gear
Daniel Pittman wrote: > ... > Shorewall, like many firewall packages, gives you[1] a whole bunch of > configuration options, which turn on or off features in the pre-packaged > firewall you have. > > This tends to make it hard to do strange things like playing with DSCP > tagging of packets, or de

Re: Firewall-troubleshooting

2005-07-04 Thread Paul Gear
Daniel Pittman wrote: > ... >>Am I right in understanding that you consider accepting >>RELATED/ESTABLISHED packets a bad thing? > > > No. Accepting *any* RELATED/ESTABLISHED packets is, though, if someone > finds an attack to generate entries in the conntrack table. Like, say, > the active FTP

Re: Firewall-troubleshooting

2005-07-04 Thread Paul Gear
Michael Stone wrote: > On Mon, Jul 04, 2005 at 07:45:47PM +1000, Paul Gear wrote: > >> I mustn't be understanding you here. Isn't the very definition of >> RELATED/ESTABLISHED that the packet is part of an established connection >> to a service actually used?

Re: Firewall-troubleshooting

2005-07-05 Thread Paul Gear
Daniel Pittman wrote: > ... >>So, probably, the best way to go is allowing the R/E packets alongside their >>"new state" counterparts. It also clarifies where the packets are accepted >>and WHY. Also, "iptables -v" should be a lot more useful than before. > > > That was my point, basically. Than

Re: Light weight IDSes and then some

2005-07-16 Thread Paul Gear
George P Boutwell wrote: > ... >>>1) What are some projects/software for light IDS, specifically file >>>checksum/change control. I plan on doing the MD5 checksum floppy as >>>described in the Securing How-To, but then I want some software that >>>does that and e-mails my admin user whenever checks

Re: On Mozilla-* updates

2005-08-03 Thread Paul Gear
David Ehle wrote: > ... > What I don't want to > see is this discussion drag on eternally on > woe-is-me-they-wont-play-like-i-like-i-hate-change fashion, It's too late for that... ;-) -- Paul -- Did you know? Most email-borne viruses use a false sender address, s

Re: policy change is needed to keep debian secure

2005-08-23 Thread Paul Gear
Daniel Sterling wrote: > Keeping Debian stable by not changing things is great. > > Except maybe its not so great when you're trying to maintain a complicated, > buggy, high profile program that handles sensitive user data and untrusted > input. > > Debian stable cannot stay stable without chang

Re: policy change is needed to keep debian secure

2005-08-23 Thread Paul Gear
(This turned into a saga - so here's the executive summary: let's let the security team do their job and find us a secure version. Talk about removing Firefox and/or definitely ruling out upgrading to a newer version is unhelpful in solving the problem.) Neil McGovern wrote: > On Sat, Aug 20, 20

Status of Mozilla fixes (was Re: policy change is needed to keep debian secure)

2005-08-23 Thread Paul Gear
Paul Gear wrote: > (This turned into a saga - so here's the executive summary: let's let > the security team do their job and find us a secure version. Talk about > removing Firefox and/or definitely ruling out upgrading to a newer > version is unhelpful in solving the pro

Re: policy change is needed to keep debian secure

2005-08-23 Thread Paul Gear
Matt Zimmerman wrote: > ... > People request new versions in > stable all the time for little reason more than the fact that they have > higher version numbers. I get harassed by upstreams for not pushing their > releases into stable, telling me that backporting is stupid and I should > trust the

Re: Security fixes for mozilla and firefox in Sarge?

2005-08-24 Thread Paul Gear
Sam Morris wrote: > Florian Weimer wrote: > >> I'm not sure if there will be uploads of new Firefox (or Mozilla) >> version to the volatile distribution. A first step is building a new >> Firefox package on sarge, and I'm not aware of anyone doing this. > > > I'm attaching a diff against mozill

Re: Bad press again...

2005-08-28 Thread Paul Gear
Alvin Oga wrote: > > On Sun, 28 Aug 2005, Florian Weimer wrote: > > >>AFAIK, you can only blame the security team for lack of communication. > > > nah ... they're doing fine .. to the extent is needed ?? > > if it's important... they will post dsa ?? There certainly have been exceptions to t

Re: Bad press again...

2005-08-29 Thread Paul Gear
Goswin von Brederlow wrote: > ... >>There certainly have been exceptions to that rule. The maintainer of >>shorewall has been trying for weeks to get a DSA issued about a >>vulnerability, and it seems we have to convince Joey that it *is* a >>vulnerability before he'll issue it. (I don't understa

Re: Bad press again...

2005-08-29 Thread Paul Gear
Alvin Oga wrote: > ... >>shorewall has been trying for weeks to get a DSA issued about a >>vulnerability, and it seems we have to convince Joey that it *is* a >>vulnerability before he'll issue it. (I don't understand this - how can >>Joey even *try* to understand every security bug?) Repeated at

Re: Bad press again...

2005-08-29 Thread Paul Gear
Michael Stone wrote: > ... >> There certainly have been exceptions to that rule. The maintainer of >> shorewall has been trying for weeks to get a DSA issued about a >> vulnerability, and it seems we have to convince Joey that it *is* a >> vulnerability before he'll issue it. > ... > > I disagree

Re: Bad press again...

2005-08-29 Thread Paul Gear
Florian Weimer wrote: > * Paul Gear: > > >>There certainly have been exceptions to that rule. The maintainer of >>shorewall has been trying for weeks to get a DSA issued about a >>vulnerability, and it seems we have to convince Joey that it *is* a >>vu

Re: Bad press again...

2005-08-29 Thread Paul Gear
Florian Weimer wrote: > * Paul Gear: > > >>I don't know upon what you're basing your characterization, but I'm >>party to at least 3 emails to Joey describing the nature of the bug >>in sufficient detail to understand it as a security flaw.

Re: Bad press again...

2005-08-29 Thread Paul Gear
Michael Stone wrote: > ... > I also disagree with the characterization that much effort > has been put into describing the bug. If we're going to have another crack at it, then, what track should we take? Reopen the bug as Florian suggested, email the security team, just keep pestering Joey? I d

Re: Bad press again...

2005-08-30 Thread Paul Gear
Florian Weimer wrote: > ... >>If we're going to have another crack at it, then, what track should we >>take? Reopen the bug as Florian suggested, > ... >>email the security team, just keep pestering Joey? > > > IMHO, the first step would be to convince the shorewall maintainer > that a security

Re: Bad press again...

2005-08-30 Thread Paul Gear
Florian Weimer wrote: > ... > It seems that shorewall generates an ACL that ACCEPTs all traffic once > a MAC rule matches. Further rules are not considered. The > explanations in version 2.2.3 seem to indicate that this was the > intended behavior, but its implications surprised upstream, and a >

Re: Bad press again...

2005-08-31 Thread Paul Gear
Florian Weimer wrote: > ... > # When a new connection arrives from a 'maclist' interface, the packet passes > # through the list of entries for that interface in /etc/shorewall/maclist. > If > # there is a match then the source IP address is added to the 'Recent' set for > # that interface. Subse

Re: Missing debsums and mismatches

2005-06-24 Thread Paul Gear
Fredrik "Demonen" Vold wrote: > ... > I've just installed debsums and ran it to see if there were any oddness. > > Output of a silent run follows below the message. > > My question is: > Should I be alarmed about so many packages not having md5sums? Should you be alarmed? Yes. Is it unusual?