To: Dave Taht
From: Valdis.Kletnieks@vt.edu
Cc: "cerowrt-devel@lists.bufferbloat.net"
Date: Wed, 09 Apr 2014 11:41:20 -0400
Message-ID: <47314.1397058080@turing-police.cc.vt.edu>
References: <53453B13.8000705@ecsc.co.uk>
Subject: Re: [Cerowrt-devel] Fwd: [uknof] CVE-2014-0160 mitigation using iptables

On Wed, 09 Apr 2014 08:18:23 -0700, Dave Taht said:

> It is not clear if this could be used to protect things inside the
> firewall (switching to a forward rather than input table), nor if it
> could be used with ipv6.

It will require adjusting the 52= in the rule, but otherwise should be OK for IPv6. For that matter, the ruleset as given is probably busticated when IP or TCP options are present, because it assumes a hard-coded offset.
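
The offset arithmetic behind this reply, as an added example that is not part of the original message. It assumes the 52 in the rule is a 20-byte IPv4 header plus a 32-byte TCP header, and that the rule looks for a TLS heartbeat record (bytes 0x18 0x03) at the start of the TCP payload; the rule itself is not shown in this message. The packets are constructed, and IPv6 extension headers are not handled.

```python
TLS_HEARTBEAT = 0x18   # TLS record content type for heartbeat
FIXED_OFFSET = 52      # assumed: 20-byte IPv4 header + 32-byte TCP header

def payload_offset(pkt: bytes) -> int:
    """Offset of the TCP payload, derived from the packet's own length fields."""
    version = pkt[0] >> 4
    if version == 4:
        ip_len = (pkt[0] & 0x0F) * 4          # IHL counts 32-bit words
        proto = pkt[9]
    elif version == 6:
        ip_len = 40                           # fixed IPv6 header
        proto = pkt[6]                        # Next Header
    else:
        raise ValueError("not an IP packet")
    if proto != 6:
        raise ValueError("not TCP directly after the IP header")
    return ip_len + (pkt[ip_len + 12] >> 4) * 4   # TCP data offset, in words

def heartbeat_at(pkt: bytes, off: int) -> bool:
    """True if a TLS heartbeat record header (0x18 0x03) starts at off."""
    return len(pkt) >= off + 2 and pkt[off] == TLS_HEARTBEAT and pkt[off + 1] == 0x03

def build(version: int, ip_words: int, tcp_words: int, payload: bytes) -> bytes:
    """Constructed packet: zeroed headers with only the fields read above set."""
    ip = bytearray(ip_words * 4)
    if version == 4:
        ip[0], ip[9] = 0x40 | ip_words, 6
    else:
        ip[0], ip[6] = 0x60, 6
    tcp = bytearray(tcp_words * 4)
    tcp[12] = tcp_words << 4
    return bytes(ip) + bytes(tcp) + payload

RECORD = bytes([0x18, 0x03, 0x02, 0x00, 0x03, 0x01, 0x00, 0x00])  # constructed
SAMPLES = {
    "ipv4, 12B tcp options": build(4, 5, 8, RECORD),
    "ipv4, no tcp options": build(4, 5, 5, RECORD),
    "ipv4, ip options": build(4, 6, 8, RECORD),
    "ipv6, 12B tcp options": build(6, 10, 8, RECORD),
}

def compare(pkt: bytes) -> tuple:
    """(match at fixed offset 52, match at computed offset, computed offset)."""
    off = payload_offset(pkt)
    return heartbeat_at(pkt, FIXED_OFFSET), heartbeat_at(pkt, off), off

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        fixed, computed, off = compare(pkt)
        print(f"{name:22} fixed@52={fixed} computed={computed} payload_offset={off}")
```

Only the first sample is caught by the fixed offset; the other three carry the same record at offsets 40, 56 and 72.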