Is it too late to update ipfilter in -STABLE? 3.4.16 seems to have a
serious bug. Darren just sent out this to the ipfilter mailing list:
-----snip----
A *VERY* serious bug has been brought to my attention in IPFilter.
In 10 words or less, fragment caching with can let through "any"
packet.
Ok, so that's 8.
Cause
=====
When matching a fragment, only srcip, dstip and IP ID# are checked and
the fragment cache is checked *before* any rules are checked. It does
not even need to be a fragment. Even if you block all fragments with
a rule, fragment cache entries can be created by packets that match
state information currently held.
------snip----
-Matt
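To make the ordering problem in the quoted advisory concrete, here is a toy model (added illustration, not IPFilter source) of a filter whose fragment cache is keyed only on srcip/dstip/IP ID and consulted before the rules, beside one that consults the cache only for genuine fragments. The rule set, addresses and the "fixed" ordering are constructed assumptions; the actual fix shipped in later IPFilter releases is not described on this page.

```python
# Added illustration (not IPFilter code): models the 3.4.16 fragment-cache
# ordering flaw and a corrected lookup order. All values are constructed.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ip_id: int
    dport: int           # 0 for fragments, which carry no transport header
    is_frag: bool = False


def rules(pkt):
    """Constructed rule set: block all fragments, allow TCP/80 to the web host."""
    if pkt.is_frag:
        return False
    return pkt.dst == "10.0.0.5" and pkt.dport == 80


@dataclass
class Filter:
    frags_only: bool                  # False models 3.4.16; True the assumed fix
    cache: set = field(default_factory=set)

    def _key(self, pkt):
        # The cache compares only these three fields, never the transport header.
        return (pkt.src, pkt.dst, pkt.ip_id)

    def decide(self, pkt):
        key = self._key(pkt)
        # 3.4.16: any packet with a cached key bypasses the rules, fragment or not.
        # Fixed order: only a real fragment may use the cache; all else hits rules.
        if key in self.cache and (pkt.is_frag or not self.frags_only):
            return True
        allowed = rules(pkt)
        if allowed:
            self.cache.add(key)       # "keep frags"/state creates a cache entry
        return allowed


def demo():
    """Returns (legit, same-key non-fragment, same-key fragment) verdicts per model."""
    legit = Packet("192.0.2.10", "10.0.0.5", 0x1234, 80)
    sneak = Packet("192.0.2.10", "10.0.0.5", 0x1234, 22)   # same key, not a fragment
    frag = Packet("192.0.2.10", "10.0.0.5", 0x1234, 0, is_frag=True)
    out = {}
    for name, flt in (("3.4.16", Filter(False)), ("fixed", Filter(True))):
        out[name] = tuple(flt.decide(p) for p in (legit, sneak, frag))
    return out
```

The second packet is passed by the 3.4.16 model purely because an allowed packet already seeded the cache with the same (src, dst, id) triple, which is the behaviour the advisory warns about.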