by mail.netbsd.org with SMTP; 8 Aug 2000 15:06:10 -0000
	by darren2.lnk.telstra.net (8.9.1/8.8.7) id PAA22306;
	Tue, 8 Aug 2000 15:06:07 GMT
From: Darren Reed <darrenr@reed.wattle.id.au>
Message-Id: <200008081505.BAA21001@avalon.reed.wattle.id.au>
Subject: IP Filter 3.4.9/3.3.18 (fwd)
To: tech-net@netbsd.org, tech-security@netbsd.org
Date: Wed, 9 Aug 2000 01:05:36 +1000 (EST)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

----- Forwarded message from Darren Reed -----

>From owner-ipfilter@cairo.anu.edu.au Wed Aug  9  0:20:00 2000
From: Darren Reed <darrenr@reed.wattle.id.au>
Message-Id: <200008081409.AAA20852@avalon.reed.wattle.id.au>
Subject: IP Filter 3.4.9/3.3.18 (fwd)
To: ipfilter@coombs.anu.edu.au
Date: Wed, 9 Aug 2000 00:09:06 +1000 (EST)

My apologies for the "lockup", but at the last moment I realised
that similar code paths were used in NAT and state and had to fix
a similar ICMP handling but in NAT.  I *really* didn't want to
have to make a new version# just for that.  Everything should
now be accessible...

Darren

> Ok, now I'm relaxed...and the niggles should be ironed out.
> 
> 3.4.9/3.3.18 fix up existing problems with the FTP proxy in
> prior versions.  The reason it took so long to iron out the
> problem with 3.4.8 is due to a dodgy interface which will be
> addressed for 4.0 (currently exists there too :-/).
> 
> The 'global' fr_chksrc can now be 0 (disable checking of
> spoofed source address packets), 1 (enabled) or 2 (log the
> packets which it detects as having spoofed source IP#'s).
> This check is done using the routing table.  For FreeBSD 4,
> the sysctl will now show up (I'll merge this into -current
> over the weekend when I'm not in a hurry).
> 
> Most of the other changes have been "spurious" except for
> one - the handling of ICMP packets for known state.
> This bug crept in with fr_checkicmpmatchingstate() and has
> been made mention of to me without any real pointers until
> the weekend (which is the impetus for these).  That is now
> plugged and all should be well there.  If you feel nervous
> about uprading then dig through the patch files for the
> changes to ip_state.c (blocking packets won't help because
> state check happens before that...mmm, having the source..
> but that'll change soon too, in 4.0alpha O:-).
> 
> I will be updating 4.0alpha later...
> 
> Darren
> 
> ftp://coombs.anu.edu.au/pub/net/ip-filter/ip_fil3.4.9.tar.gz
> ftp://coombs.anu.edu.au/pub/net/ip-filter/patch-3.4.9.gz
> ftp://coombs.anu.edu.au/pub/net/ip-filter/ip_fil3.3.18.tar.gz
> ftp://coombs.anu.edu.au/pub/net/ip-filter/patch-3.3.18.gz
> 
> --------------------------------------------------------------------
> 3.4.9   08/08/2000 - Released
> 
> implement new aging mechanism in fr_tcp_age()
> 
> fix icmp state checking bug
> 
> revamp buildsunos script and build both sparcv7/sparcv9 for Solaris
> if on an Ultra with a 64bit system & compiler (Caseper Dik)
> 
> open ipfilter device read only if we know we can
> 
> print out better information for ICMP packets in ipmon
> 
> move checking for source spoofed packets to a point where we can generate
> logs of them
> 
> return EFAULT from ircopyptr/iwcopyptr
> 
> don't do ioctl(SIOCGETFS) for auth stats
> 
> fix up freeing mbufs for post-4.3BSD
> 
> fix returning of inc from ftp proxy
> 
> fix bugs with ipfs -R/-W (Caseper Dik)
> 
> 3.4.8   19/07/2000 - Released
> --------------------------------------------------------------------
> 3.3.18  08/08/2000 - Released
> 
> fix up command checking in the ftp proxy
> 
> fix getting the version from the kernel for solaris
> 
> fix icmp state checking bug
> 
> print out better information for ICMP packets in ipmon
> 
> open ipfilter device read only if we know we can
> 
> 3.3.17  08/07/2000 - Released
> --------------------------------------------------------------------
> 
> ----- End of forwarded message from Darren Reed -----

----- End of forwarded message from Darren Reed -----