Summary: The IPFilter firewall package, versions 3.3.15 and 3.4.3 and earlier, contains a security vulnerability that lets an attacker pass packets through a commonly configured IPFilter firewall.
Vulnerability published: 2000-05-31 09:54:00
Vulnerability description:
The IPFilter firewall package, versions 3.3.15 and 3.4.3 and earlier, contains a security vulnerability: an attacker can get packets through a commonly configured IPFilter firewall.
The problem appears when an IPFilter ruleset combines "return-rst" with a "keep state" rule, for example:

block return-rst in proto tcp from A to V
pass out proto tcp from V to A keep state

The RST that the block rule sends back to A is itself an outgoing TCP packet from V to A, so it is matched by the "pass out ... keep state" rule and creates a state entry. A new SYN packet from A to V that arrives afterwards matches that state entry and is allowed through the firewall.
Solution:
A patch has been released that stops fr_addstate() from creating a state entry when the packet being processed is an RST. The fix is included in IPFilter 3.3.16 and 3.4.4.
If your system is not yet patched, remove "return-rst" from your rules and, for outgoing TCP packets, replace a rule of the form:

pass out proto tcp ... keep state # No TCP flags matched upon!

with:

pass out quick proto tcp ... flags R/R
pass out proto tcp ... flags AR/A keep state
pass out proto tcp ... flags S keep state

The "quick" R/R rule must come first: it passes any RST immediately, so an RST never reaches a "keep state" rule and never creates state.
If you use a single combined rule such as:

pass out proto tcp/udp ... keep state

replace it with the following four rules:

pass out quick proto tcp ... flags R/R
pass out proto tcp ... flags AR/A keep state
pass out proto tcp ... flags S keep state
pass out proto udp ... keep state
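To make the mechanism concrete, here is a small Python model of IPFilter-style stateful filtering written for this page; it is not IPFilter code, and its semantics (last match wins unless "quick", pass when no rule matches, "flags X/Y" compared under the mask, a state entry keyed on the two endpoints with no sequence tracking) are a simplification of what ipf does. The addresses, ports and the RST's flags are constructed. Run against the vulnerable ruleset above, the RST that answers the blocked SYN creates a state entry and the second SYN is passed; against the replacement rules (with "return-rst" deliberately left in so the RST is still generated), the quick R/R rule absorbs the RST without creating state and the second SYN is blocked, while an outbound connection from V still gets its state entry through the "flags S" rule.

```python
"""Toy model of IPFilter-style stateful filtering, added for this advisory; it
is not IPFilter's code. Modelled: block/pass, in/out, quick, return-rst,
"flags X/Y", keep state, last-match-wins with default pass, and a state table
keyed on the two (addr, port) endpoints of a packet, matched in both directions."""
from dataclasses import dataclass
from typing import Optional

TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
ALL_FLAGS = sum(TCP_FLAGS.values())  # AUPRFS, the mask a bare "flags S" implies

def flag_bits(letters: str) -> int:
    return sum(TCP_FLAGS[c] for c in letters)  # "AR" -> TH_ACK | TH_RST

@dataclass(frozen=True)
class Packet:
    direction: str  # "in" (towards protected host V) or "out"
    src: str
    dst: str
    sport: int
    dport: int
    flags: str      # TCP flag letters, e.g. "S", "AR"

def endpoints(pkt: Packet) -> frozenset:
    # State-table key: unordered endpoint pair, so it matches both directions.
    return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

@dataclass
class Rule:
    action: str                  # "pass" or "block"
    direction: str               # "in" or "out"
    src: Optional[str] = None    # None matches any address
    dst: Optional[str] = None
    quick: bool = False
    return_rst: bool = False
    flags: Optional[str] = None  # "X/Y" as in ipf.conf; bare "X" means "X/AUPRFS"
    keep_state: bool = False

    def matches(self, pkt: Packet) -> bool:
        if pkt.direction != self.direction:
            return False
        if (self.src or pkt.src) != pkt.src or (self.dst or pkt.dst) != pkt.dst:
            return False
        if self.flags is not None:
            want, _, mask = self.flags.partition("/")
            mask_bits = flag_bits(mask) if mask else ALL_FLAGS
            # ipf compares (packet flags & mask) with (rule flags & mask)
            if (flag_bits(pkt.flags) & mask_bits) != (flag_bits(want) & mask_bits):
                return False
        return True

class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.state = set()

    def process(self, pkt: Packet) -> str:
        """Filter one packet, returning "pass" or "block"; may add state."""
        if endpoints(pkt) in self.state:    # state table is consulted first
            return "pass"
        winner = None
        for rule in self.rules:             # last match wins, unless quick
            if rule.matches(pkt):
                winner = rule
                if rule.quick:
                    break
        if winner is None or winner.action == "pass":
            if winner is not None and winner.keep_state:
                self.state.add(endpoints(pkt))
            return "pass"                   # ipf passes when no rule matches
        if winner.return_rst:
            # RFC 793: a reset answering a segment without ACK carries ACK.
            rst = Packet("out" if pkt.direction == "in" else "in", pkt.dst, pkt.src,
                         pkt.dport, pkt.sport, "R" if "A" in pkt.flags else "AR")
            self.process(rst)               # the RST is filtered like any packet
        return "block"

A, V = "203.0.113.7", "192.0.2.10"  # constructed: attacker A, protected host V

def vulnerable_rules():
    """The advisory's ruleset: the pass-out rule matches on no TCP flags."""
    return [Rule("block", "in", src=A, dst=V, return_rst=True),
            Rule("pass", "out", src=V, dst=A, keep_state=True)]

def hardened_rules():
    """Replacement rules; return-rst kept so the quick R/R rule is exercised."""
    return [Rule("block", "in", src=A, dst=V, return_rst=True),
            Rule("pass", "out", src=V, dst=A, quick=True, flags="R/R"),
            Rule("pass", "out", src=V, dst=A, flags="AR/A", keep_state=True),
            Rule("pass", "out", src=V, dst=A, flags="S", keep_state=True)]

def probe(rules):
    """A sends the same SYN twice; returns both verdicts and the state count."""
    fw, syn = Firewall(rules), Packet("in", A, V, 40000, 22, "S")
    return fw.process(syn), fw.process(syn), len(fw.state)

def outbound_connect(rules):
    """V opens a connection to A; the SYN/ACK must come back through state."""
    fw = Firewall(rules)
    fw.process(Packet("out", V, A, 51000, 80, "S"))
    return fw.process(Packet("in", A, V, 80, 51000, "AS"))
```

probe(vulnerable_rules()) returns ("block", "pass", 1): the first SYN is blocked, but the RST it provokes leaves one state entry behind and the second SYN rides through on it. probe(hardened_rules()) returns ("block", "block", 0), and outbound_connect() returns "pass" for both rulesets, which is the property the replacement rules have to preserve.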
*** ip_state.c.old Fri May
19 11:54:43 2000
--- ip_state.c
Sun May
21 15:50:11 2000
***************
*** 558,567 ****
--- 558,569 ----
}
case IPPROTO_TCP :
{
tcp = (tcphdr_
t *)fin-$#@62;fin_dp;
+ if (tcp-$#@62;th_flags & TH_RST) return NULL;
+
/*
* The endian of the ports doesnt matter, but the
ack and
* sequence numbers
do as we do mathematics
on them later.
*/
is-$#@62;is_dport = tcp-$#@62;th_dport;
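Review bot: the new early `return NULL` on `TH_RST` in the `IPPROTO_TCP` case leaves fr_addstate() before the port and sequence fields below it are filled in, so every caller must already treat a NULL return as "no state entry created" rather than as an error, and anything set up for `is` before the switch (outside this hunk) must not need freeing on that path; worth confirming both. The check also deserves a one-line comment saying why RST segments never get a state entry (they are the return-rst responses that were letting a later SYN through), since the only comment nearby is the one about port and sequence-number byte order and it says nothing about this early exit.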