Re: Hacks

On 28 Feb 2007, Tim S. stated:

Nix wrote:

On 28 Feb 2007, Tim said:
John Phillips wrote:

Most probably from an unpatched

In the past I have tried using kernel hardening (grsecurity patches) to
mitigate against this. Basically, tricks like stack, so-lib and malloc
address randomisation and no-execute heap and stack - but such tricks are
prone to breaking applications.

Why is your firewall running such incredibly fragile apps anyway?
(`I only have one machine' is no excuse in this age of virtualization:
I've been running my firewall in UML for many years now...)

Who said my firewall was running such fragile apps?

You said that the tricks are `prone to breaking applications'. There
aren't very many they break; some Lisp interpreters need patching, it
breaks some old Java interpreters, and that's about all I can recall.

Incidentally, the "fragile apps" were XFree86 and java, neither of which is
on my current firewall,

Ah, good! :)

(and yes, XFree86 and before the pci-rework branch will require
access to /dev/mem, which grsecurity understandably wants you to turn

`In the future, company names will be a 32-character hex string.'
--- Bruce Schneier on the shortage of company names
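Added example (mine, not code from this thread or from the grsecurity project): a small C program showing the one way the no-execute heap mentioned above actually "breaks" an application such as an old Java interpreter, and what the fix looks like. It maps an anonymous page, writes a few hand-assembled bytes into it (the constructed code simply returns 42), and jumps to it once while the page is still RW and once after mprotect() has made it RX. With NX in effect the first jump faults (caught here with a SIGSEGV handler and siglongjmp, so the program survives to report it) and the second works; on a kernel without NX both work. Assumptions: Linux/POSIX, x86-64 or AArch64 (the byte sequences are only for those two), and the function name run_jit_code is my own.

```c
/* Added example, not from the thread: probe what a JIT-style program sees
 * on a kernel with non-executable heap/mmap memory, and the mprotect() fix.
 * Assumes Linux/POSIX on x86-64 or AArch64. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hand-assembled "generated" code: return 42. Constructed for this example. */
#if defined(__x86_64__)
static const unsigned char kCode[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00,  /* mov eax,42 */
                                       0xC3 };                         /* ret */
#elif defined(__aarch64__)
static const unsigned char kCode[] = { 0x40, 0x05, 0x80, 0x52,  /* mov w0,#42 */
                                       0xC0, 0x03, 0x5F, 0xD6 }; /* ret */
#else
#error "this example only carries machine code for x86-64 and AArch64"
#endif

static sigjmp_buf fault_env;

static void on_fault(int sig) {
    (void)sig;
    siglongjmp(fault_env, 1);   /* unwind out of the faulting call */
}

/* Copy kCode into a fresh anonymous RW mapping and call it.
 * make_exec == 0: leave the page RW, as a naive JIT would.
 * make_exec != 0: flip it to RX with mprotect() first (the fix).
 * Returns 42 on success, -1 if the jump faulted (NX enforced),
 * -2 if mmap/mprotect failed (e.g. PaX MPROTECT refusing RW->RX). */
int run_jit_code(int make_exec) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *buf = mmap(NULL, page, PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED) return -2;
    memcpy(buf, kCode, sizeof kCode);

    if (make_exec) {
        if (mprotect(buf, page, PROT_READ | PROT_EXEC) != 0) {
            munmap(buf, page);
            return -2;
        }
        /* Required on AArch64 so the new bytes are seen by the I-cache. */
        __builtin___clear_cache((char *)buf, (char *)buf + sizeof kCode);
    }

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    volatile int result;
    if (sigsetjmp(fault_env, 1) == 0) {
        int (*fn)(void);
        memcpy(&fn, &buf, sizeof fn);  /* object -> function pointer, portably */
        result = fn();                 /* faults here if the page is not executable */
    } else {
        result = -1;
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(buf, page);
    return result;
}

int main(void) {
    printf("RW page, no mprotect : %d\n", run_jit_code(0));
    printf("RX page via mprotect : %d\n", run_jit_code(1));
    return 0;
}
```

On a stock NX-capable kernel the first line prints -1 and the second 42; under PaX with MPROTECT enabled the second call can also fail with -2, which is exactly the case where an unpatched interpreter needs its binary flagged (paxctl/chpax) rather than a code change.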
