 
 From:  "Angus MacGyver" <macgyver at calibre dash solutions dot co dot uk>
 To:  "Manuel Kasper" <mk at neon1 dot net>
 Cc:  "Chris Buechler" <cbuechler at gmail dot com>, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] DNS Vulnerability...
 Date:  Fri, 25 Jul 2008 17:03:33 -0000 (UTC)
>
> It doesn't, yet, so running a DNS server behind m0n0wall while using
> PAT (not just 1:1 NAT) will undo the DNS server's query port
> randomization. ipfilter 4.1.30 apparently does source port
> randomization (from the change log: "2020447 IPFilter's NAT can undo
> name server random port selection") - I'll wait for it to appear in
> FreeBSD's CVS repository, and if it doesn't happen within a couple of
> days, I'll go through the trouble of importing 4.1.30 myself.
>
> But this is an entirely different beast than Dnsmasq's own
> randomization (which works fine in 1.3b13) - only people who run their
> own recursive DNS server behind m0n0wall are affected.
>
> - Manuel
>

Referencing
http://www.freebsd.org/cgi/cvsweb.cgi/src/contrib/ipfilter/ip_fil.c

CVS log for src/contrib/ipfilter/ip_fil.c

Revision 1.7
Thu Jul 24 12:35:05 2008 UTC (28 hours, 24 minutes ago) by darrenr
Branches: MAIN
CVS tags: HEAD
Changes since revision 1.6: +15 -0 lines

SVN rev 180778 on 2008-07-24 12:35:05Z by darrenr

2020447 IPFilter's NAT can undo name server random port selection

Approved by:	darrenr
MFC after:	1 week
Security:	CERT VU#521769


Does that mean it has been uploaded to FreeBSD's CVS?

AM

-- 
I'm not perfect, but I am forgiven.
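An added example, not code from this thread or from m0n0wall or ipfilter, illustrating the effect Manuel describes: a resolver picks a random source port per query, a PAT device either hands out outside ports in order (collapsing that randomness) or picks its own random port per mapping, and a simple check flags which of the two an observer on the WAN side is seeing. All port lists are constructed; the rewrite functions are models, not the actual ipfilter code.

```python
"""Check whether DNS query source ports seen outside a NAT still look random."""
import random


def resolver_random_ports(n, seed=7):
    """Model a resolver that picks a fresh random ephemeral port per query."""
    rng = random.Random(seed)
    return [rng.randint(1024, 65535) for _ in range(n)]


def pat_sequential_rewrite(inside_ports, first_port=1025):
    """Model a PAT box that ignores the inside port and allocates outside
    ports in order, the behaviour that undoes the resolver's randomization."""
    return [first_port + i for i in range(len(inside_ports))]


def pat_randomizing_rewrite(inside_ports, seed=11):
    """Model a PAT box that itself picks a random outside port per mapping."""
    rng = random.Random(seed)
    return [rng.randint(1024, 65535) for _ in inside_ports]


def assess_ports(ports, step_tolerance=4, sequential_threshold=0.8):
    """Flag the sequence as predictable when most consecutive deltas are tiny
    positive steps; random 16-bit ports essentially never behave that way."""
    deltas = [b - a for a, b in zip(ports, ports[1:])]
    if not deltas:
        return {"queries": len(ports), "sequential_fraction": 0.0,
                "predictable": False}
    small = sum(1 for d in deltas if 0 < d <= step_tolerance)
    frac = small / len(deltas)
    return {"queries": len(ports), "sequential_fraction": round(frac, 3),
            "predictable": frac >= sequential_threshold}


if __name__ == "__main__":
    # Constructed traffic: 200 queries from a randomizing resolver.
    inside = resolver_random_ports(200)
    samples = (("resolver only", inside),
               ("behind sequential PAT", pat_sequential_rewrite(inside)),
               ("behind randomizing PAT", pat_randomizing_rewrite(inside)))
    for label, seen in samples:
        print(f"{label:24s} {assess_ports(seen)}")
```

Run against real traffic, the input would be the UDP source ports of outbound port-53 queries captured on the WAN interface; the sequential-PAT case is the one the changelog entry fixes.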