Scott,
I remember that I finally found pfil-2.1.7 by connecting to the following:

ftp://coombs.anu.edu.au/pub/net/ip-filter/

I just did this again and all I see there now besides the ipfilter versions is pfil-2.1.6.tar.gz and pfil-2.1.tar.gz. 2.1.7 is not there. Why not package pfil and ipfilter into the same tarball?

BTW, I'll throw out that I had a production Solaris 10 box out of service for a few days, so I removed pfil 2.1.6 and ipfilter 4.1.8 and installed 2.1.7/4.1.10. I couldn't get the box to do much networkwise. It was real secure! :) I rolled back to 4.1.8 (leaving pfil 2.1.7) and it started acting right again. I know this is a vague complaint (4.1.9 would just hang the box, a Sun V210) but that is all I can report now. I had to get the V210 back into production. I'm installing Solaris 10 onto an old Ultra 5 for a test box, I hope to report more in a few days.

Jeff Earickson
Colby College

On Wed, 14 Dec 2005, Scott Walker wrote:

> Date: Wed, 14 Dec 2005 12:46:09 -0400
> From: Scott Walker <crimson@unspeakable.org>
> To: Jeff A. Earickson <jaearick@colby.edu>
> Subject: Re: IPFilter 4.1.10
>
> Where did you manage to find it?
>
> Jeff A. Earickson wrote:
>> Never mind, I found it... Could pfil be placed in the same
>> directory as ipfilter please?
>>
>> On Thu, 8 Dec 2005, Jeff A. Earickson wrote:
>>
>>> Date: Thu, 8 Dec 2005 09:55:53 -0500 (EST)
>>> From: Jeff A. Earickson <jaearick@colby.edu>
>>> To: Darren Reed <darrenr@reed.wattle.id.au>
>>> Cc: ipfilter@coombs.anu.edu.au
>>> Subject: Re: IPFilter 4.1.10
>>>
>>> Darren,
>>>
>>> Is there a new version of pfil? I remember a mention of pfil-2.1.7
>>> on the list a while back, but all I find on avalon is 2.1.6. Which
>>> version of pfil should we use with 4.1.10?
>>>
>>> Jeff Earickson
>>> Colby College
>>>
>>> On Thu, 8 Dec 2005, Darren Reed wrote:
>>>
>>>> Date: Thu, 8 Dec 2005 21:23:20 +1100 (EST)
>>>> From: Darren Reed <darrenr@reed.wattle.id.au>
>>>> To: ipfilter@coombs.anu.edu.au
>>>> Subject: IPFilter 4.1.10
>>>>
>>>>
>>>> There are a couple of significant changes between 4.1.9 and 4.1.10.
>>>>
>>>> Firstly, after spending some time with gcov, I've taken steps to expand
>>>> the number of lines of code that the test suite covers. I'll continue
>>>> to work on expanding the coverage here until I'm satisfied that as much
>>>> of the code can be tested with ipftest as possible.
>>>>
>>>> Next, there have been some problems on Solaris with sending TCP RST
>>>> and ICMP packets back, causing panics due to bad use of locks. These
>>>> problems have been licked.
>>>>
>>>> Lastly, I've spent some time closely analysing packet traces from
>>>> situations where TCP out of window (OOW) packets have been resulting
>>>> in RSTs being sent and the connections closed. As noted in an earlier
>>>> email, there have been two contributors to this: window scaling being
>>>> incorrectly turned off and bugs in Microsoft Windows XP/2000's TCP,
>>>> especially SACK. My advice is that if you're having problems with
>>>> "keep state" and TCP data transfers with Windows, disable SACK. To
>>>> reduce the problem, RST packets are no longer sent if a packet is OOW,
>>>> the offender will just be dropped.
>>>>
>>>> Of course there are other changes and bug fixes, including those
>>>> posted to this list - see below for a bigger summary.
>>>>
>>>> http://coombs.anu.edu.au/~avalon/ip_fil4.1.10.tar.gz
>>>>
>>>> MD5 (ip_fil4.1.10.tar.gz) = 6d00cb091ba047738d2c14a23b3020ed
>>>> MD5 (patch-4.1.10.gz) = b0bf95ffdbae2a3d877aadb214f68a97
>>>>
>>>> Darren
>>>>
>>>> 4.1.10 - Released 6 December 2005
>>>>
>>>> Expand regression testing to cover more features
>>>>
>>>> Add "coverage" build target for BSD
>>>>
>>>> Fix building 64bit sparc target for Solaris
>>>>
>>>> Add IPv6 mobility header to list of accepted keywords for V6 headers
>>>>
>>>> Resolve locking problems on Solaris when sending RST/icmp packets
>>>>
>>>> #ifdef's for IPFILTER_BPF need to check if words are defined before
>>>> using them in comparisons
>>>>
>>>> Add checking for SACK permitted option in TCP SYN packets
>>>>
>>>> Fix loading anonymous pools from inline rule configuration groups
>>>>
>>>> Add -C command line option to ipftest
>>>>
>>>> Include extra "const" from NetBSD
>>>>
>>>> Don't require SIOCKSTLCK for SIOCSTPUT
>>>>
>>>> Fix some use of "sticky" on NAT rules
>>>>
>>>> Fix statistical counting of deleting state for TCP connections
>>>>
>>>> Fix compile problems caused by changes to is_opt/is_optmsk in ip_sync.c
>>>>
>>>> Fix TCP out-of-window (OOW) problems:
>>>> - window scaling turned off if one chose for its scale factor
>>>> - Microsoft Windows TCP sends the "next packet" to the right of the window
>>>>   when using SACK and filling in a hole
>>>>
>>>> 4.1.9 - Released 13 August 2005
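An added illustration, not part of the thread and not IPFilter's source, of the out-of-window check discussed in the quoted 4.1.10 announcement: a stateful filter that loses track of window scaling sees in-window data as OOW, and the safe response is a silent drop rather than a RST. The structure, function names and sample values are hypothetical and constructed for this example; the scaling rule follows RFC 7323.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical, simplified per-direction state; not IPFilter's structures. */
struct tcp_side {
    bool     ws_offered; /* window-scale option present in this side's SYN */
    uint8_t  ws_shift;   /* shift count from that option (0 is legal) */
    uint32_t ack;        /* highest ACK number this side has sent */
    uint16_t win;        /* last raw 16-bit window this side advertised */
};

enum verdict { V_PASS, V_DROP_OOW }; /* deliberately no "send RST" verdict */

/* Sequence-space comparison that survives 32-bit wraparound. */
static bool seq_leq(uint32_t a, uint32_t b) { return (int32_t)(a - b) <= 0; }

/* RFC 7323: scaling applies only when BOTH SYNs carried the option.
 * A shift count of 0 still counts as having offered it. */
static uint32_t real_window(const struct tcp_side *rcv, const struct tcp_side *snd)
{
    uint32_t w = rcv->win;
    if (rcv->ws_offered && snd->ws_offered)
        w <<= rcv->ws_shift;
    return w;
}

/* Check a segment from snd against the window rcv last advertised. */
enum verdict check_segment(const struct tcp_side *snd, const struct tcp_side *rcv,
                           uint32_t seq, uint32_t len)
{
    uint32_t w = real_window(rcv, snd);
    uint32_t end = seq + len;
    /* Not beyond the right edge, and not older than one window behind. */
    if (seq_leq(end, rcv->ack + w) && seq_leq(rcv->ack - w, seq))
        return V_PASS;
    return V_DROP_OOW; /* drop silently; a RST here would kill the session */
}

/* Constructed case: receiver shift 7, sender shift 0, ACK near wraparound. */
enum verdict demo(bool sender_option_tracked)
{
    struct tcp_side rcv = { true, 7, 0xFFFFF000u, 512 };   /* 512 << 7 = 65536 */
    struct tcp_side snd = { sender_option_tracked, 0, 0, 65535 };
    return check_segment(&snd, &rcv, rcv.ack + 40000u, 1460);
}
```

With the sender's option tracked, the segment 40000 bytes past the ACK fits the 65536-byte scaled window; when the tracker forgets the option, the same segment is measured against the raw 512 and is classed as OOW.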