[pptp-server] Problem with firewalling section in detailed instruction set

Michael Walter walterm at Gliatech.com
Fri Nov 12 08:34:18 CST 1999


It's gonna be one of those mornings, the previous message was in reference
to this message that I apparently deleted rather than sending...  Anyway,
the following problem can be used to usurp the default ipchains firewall
code in redhat 6.0...

The description of this problem is available at:
ftp://ftp.rustcorp.com/ipchains/ipchains-patch-2.2.desc
ftp://ftp.weisshuhn.de/pub/linux/ipchains/ftp.rustcorp.com/ipchains-patch-2.2.desc
| Authors: Thomas Lopatic <tl at dataprotect.com>
|          John McDonald  <jm at dataprotect.com>
|
| Overview
| --------
|
| data protect has discovered a potential vulnerability in the Linux ipchains
| firewall implementation. In certain situations, it is possible for an
| attacker to bypass the packet filter when communicating with machines that
| allow incoming packets to specific ports. This attack is a variation
| of previously discussed fragmentation attacks, where the attacker uses
| fragments to rewrite parts of the TCP or UDP protocol header. In this case
| port information is rewritten in order to gain access to ports that should
| be blocked by the firewall.

In order to protect against this you need to use kernel 2.2.10 and apply the
patch from:
ftp://ftp.rustcorp.com/ipchains/ipchains-patch-2.2.diff
ftp://ftp.weisshuhn.de/pub/linux/ipchains/ftp.rustcorp.com/ipchains-patch-2.2.diff

Or, I believe (don't quote me on this) kernel 2.2.13 has the fix already
applied.

Or the following rule may hinder other traffic on the firewall, but will
prevent this attack:
ipchains -A input   -i eth0 -f -j DENY

Note: eth0 should be your external (internet) interface.


Michael J. Walter mcse
Gliatech, Inc.
216-831-3200
walterm at gliatech.com
mwalter at drwalter.com
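The following is an added illustration of the filter policies discussed in the post; it is not code from Michael Walter's message, from the data protect advisory, or from ipchains. It models, on constructed fragment metadata rather than real packets, three decisions a stateless packet filter can make per fragment: the first-fragment-only port check the advisory targets, the blanket `ipchains -A input -i eth0 -f -j DENY` rule from the post, and a hypothetical narrower check that refuses only fragments whose data overlaps the transport header. The `header_guard_decision` policy is an assumption made for this illustration and is not the logic of the kernel patch linked above.

```python
"""Fragment-filter policy model for the ipchains bypass discussed above.

Constructed example: not code from the original post, from the data protect
advisory, or from ipchains. Fragments are plain metadata records, not packets.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence, Set, Tuple

# Bytes of transport header that carry ports (and, for TCP, flags).
TRANSPORT_HEADER_LEN: Dict[str, int] = {"tcp": 20, "udp": 8}


@dataclass(frozen=True)
class Fragment:
    """What a stateless filter can see for one IP fragment (constructed)."""
    iface: str                      # interface the fragment arrived on
    proto: str                      # "tcp" or "udp"
    offset: int                     # IP fragment-offset field, in 8-byte units
    more_fragments: bool            # IP MF flag
    length: int                     # bytes of data carried
    dst_port: Optional[int] = None  # readable only when offset == 0


Policy = Callable[[Fragment, Set[int]], bool]


def classic_decision(frag: Fragment, allowed_ports: Set[int]) -> bool:
    """First-fragment-only port check, the behaviour the advisory targets:
    ports are inspected on the offset-0 fragment; every later fragment is
    passed because its share of the transport header is not visible."""
    if frag.offset == 0:
        return frag.dst_port in allowed_ports
    return True


def deny_fragments_decision(frag: Fragment, allowed_ports: Set[int],
                            external_iface: str = "eth0") -> bool:
    """The post's rule `ipchains -A input -i eth0 -f -j DENY`: every non-first
    fragment on the external interface is denied. It closes the bypass but
    also drops legitimate fragmented traffic, the cost the post mentions."""
    if frag.iface == external_iface and frag.offset != 0:
        return False
    return classic_decision(frag, allowed_ports)


def overlaps_transport_header(frag: Fragment) -> bool:
    """True when a non-first fragment's data starts inside the bytes where the
    transport header lives, i.e. reassembly could let it rewrite header
    fields. Offsets are 8-byte units, so only small offsets can do this."""
    if frag.offset == 0:
        return False
    return frag.offset * 8 < TRANSPORT_HEADER_LEN.get(frag.proto, 0)


def header_guard_decision(frag: Fragment, allowed_ports: Set[int]) -> bool:
    """Hypothetical narrower policy (assumption for this illustration; it is
    NOT the logic of the kernel patch linked in the post): deny only fragments
    that overlap the transport header, keep other fragments."""
    if overlaps_transport_header(frag):
        return False
    return classic_decision(frag, allowed_ports)


def audit(frags: Sequence[Fragment], policy: Policy,
          allowed_ports: Set[int]) -> Tuple[List[bool], bool]:
    """Apply a policy to a fragment train; return per-fragment verdicts and
    whether the whole datagram would have reached reassembly."""
    verdicts = [policy(f, allowed_ports) for f in frags]
    return verdicts, all(verdicts)


ALLOWED = {80}

# Constructed trains. Ordinary fragmented request: 1480-byte first piece
# (offset 0), remainder at offset 185 (= 1480 / 8).
NORMAL_TRAIN = (
    Fragment("eth0", "tcp", 0, True, 1480, dst_port=80),
    Fragment("eth0", "tcp", 185, False, 520),
)
# Second fragment at offset 1 (byte 8) lands inside the 20-byte TCP header,
# the shape of overlap the advisory describes (metadata only).
OVERLAP_TRAIN = (
    Fragment("eth0", "tcp", 0, True, 24, dst_port=80),
    Fragment("eth0", "tcp", 1, False, 16),
)
# Unfragmented packet to a blocked port: every policy must refuse it.
BLOCKED_TRAIN = (Fragment("eth0", "tcp", 0, False, 40, dst_port=23),)

if __name__ == "__main__":
    for name, policy in [("classic", classic_decision),
                         ("deny-fragments", deny_fragments_decision),
                         ("header-guard", header_guard_decision)]:
        for label, train in [("normal", NORMAL_TRAIN),
                             ("overlap", OVERLAP_TRAIN),
                             ("blocked", BLOCKED_TRAIN)]:
            verdicts, passed = audit(train, policy, ALLOWED)
            print(f"{name:15s} {label:8s} {verdicts} -> "
                  f"{'PASS' if passed else 'DROP'}")
```

Running the script shows the trade-off in one table: the classic policy passes both trains, the post's deny-fragments rule drops both (including the ordinary fragmented request, which is the "may hinder other traffic" caveat), and the narrower guard keeps the ordinary train while refusing the overlapping one.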