Florian Weimer wrote:
> * Martin Schulze:
>
> > What was the behaviour pre-sarge?
> > What is the behaviour post-sarge (or rather in sarge)?
>
> Do you mean "before and after the upstream security update"? The
> terms pre-sarge/post-sarge do not make much sense to me in this
> context, I'm afraid.
Ok, so when did the behaviour change?
Which behaviour is documented and hence expected?
Which behaviour is experienced by potentially buggy code?
> > What do you think is the vulnerability?
>
> The vulnerability is that the firewall fails to enforce the security
> policy the user has configured.
That'd be a bug we should fix.
> > Why do you think there should be a DSA and what should
> > it cover?
>
> Here's a draft, in case you want to upload a fixed package.
Thanks a lot, but I still have questions...
> (Note that I have yet to test Lorenzo's new package.)
Are you in a position to do so?
> Supernaut noticed that shorewall could generate an iptables
> configuration which is significantly more permissive than the rule set
> given in the shorewall configuration.
> There are two issues, both related to the MAC verification configured
> in the "maclist" file. When MACLIST_DISPOSITION is set to ACCEPT in
> the shorewall.conf file, all packets from hosts which fail the MAC
> verification pass through the firewall, without further checks.
Is this expected or based on the documentation? Or is the opposite
documented?
> When
> MACLIST_TTL is set to a non-zero value, packets from hosts which pass
> the MAC verification pass through the firewall, again without further
> checks.
Is this expected or based on the documentation? Or is the opposite
documented?
Regards,
Joey
--
Long noun chains don't automatically imply security. -- Bruce Schneier
Please always Cc to me when replying to me on the lists.
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
