Re: Bad press again...

* Paul Gear:

> It makes perfect sense to me...  All it's saying is that IP-to-MAC
> mappings are cached in the 'Recent' set for each interface for
> $MACLIST_TTL seconds without requiring them to be passed through the MAC
> filter for every packet.

The problem is this sentence: "Subsequent connection attempts from
that IP address occurring within $MACLIST_TTL seconds will be accepted
without having to scan all of the entries."  What does "accepted"
mean in this context?  Accepted without further checks?

Of course, the intent was that only MAC list checks are skipped.  But
the same developer who implemented the maclist feature probably wrote
that documentation, and missed the crucial RETURN/ACCEPT distinction.

> "Not documented at all" is not a phrase I've *ever* heard used about
> Shorewall.

The syntax is documented, but not the semantics. 8-)

> What you do in your lab is up to you, but isn't that a bit of a waste of
> time when Lorenzo has already done it?

The guidelines in the Developer's Reference suggest that the
communication with the security team is not archived in the relevant
bug report, even if the bug itself is public.  So I didn't know about
his activities.

> He just told me that he sent the results of his testing to the
> security team in his original request for a DSA.

Yes, in the meantime, I've been told that, too.
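
The RETURN/ACCEPT distinction raised above, as an added illustration that is
not part of this thread and not Shorewall's own rule generator: a toy model
of netfilter chain traversal in which a maclist-style subchain caches
verified source IPs in a 'recent' set for $MACLIST_TTL seconds. The chain
layout, the rule ordering, the TTL value and the sample MAC list entry are
assumptions made for this example. Running the same packets through a cache
rule that jumps to RETURN and one that jumps to ACCEPT shows what the
ambiguous word "accepted" would mean in each case.

```python
# Added example (not from the thread, not Shorewall's own code): a toy model
# of iptables chain traversal showing why the cache rule in a maclist-style
# subchain must jump to RETURN, not ACCEPT.  The chain layout, the rule
# ordering, MACLIST_TTL and the sample MAC list entry are all assumptions
# made for illustration.
from dataclasses import dataclass, field

MACLIST_TTL = 60  # assumed TTL in seconds

RETURN, ACCEPT, DROP = "RETURN", "ACCEPT", "DROP"


@dataclass
class Packet:
    src_ip: str
    src_mac: str
    dport: int


@dataclass
class RecentSet:
    """Models 'iptables -m recent': entries are keyed by source IP only."""
    entries: dict = field(default_factory=dict)

    def set(self, ip, now):
        self.entries[ip] = now

    def rcheck(self, ip, seconds, now):
        seen = self.entries.get(ip)
        return seen is not None and now - seen <= seconds


def maclist_chain(pkt, maclist, recent, now, cache_verdict=RETURN):
    """The maclist subchain.

    maclist is a list of (mac, ip-or-None) pairs.  A cache hit in the recent
    set skips the per-entry scan and jumps to cache_verdict; a packet that
    matches an entry is recorded and RETURNed to the calling chain; anything
    else is DROPped.
    """
    if recent.rcheck(pkt.src_ip, MACLIST_TTL, now):
        return cache_verdict
    for mac, ip in maclist:
        if mac == pkt.src_mac and (ip is None or ip == pkt.src_ip):
            recent.set(pkt.src_ip, now)
            return RETURN
    return DROP


def calling_chain(pkt, maclist, recent, now, rules, cache_verdict=RETURN):
    """A chain that first jumps to maclist, then applies its ordinary rules.

    rules is a list of (name, predicate, verdict); the chain policy is DROP.
    Returns (verdict, where the verdict was decided).
    """
    verdict = maclist_chain(pkt, maclist, recent, now, cache_verdict)
    if verdict != RETURN:
        return verdict, "maclist"       # only reachable via ACCEPT or DROP
    for name, predicate, rule_verdict in rules:
        if predicate(pkt):
            return rule_verdict, name
    return DROP, "policy"


def demo():
    """Run the same three packets through both variants of the cache rule."""
    maclist = [("00:11:22:33:44:55", "192.0.2.10")]   # constructed entry
    rules = [("allow-ssh", lambda p: p.dport == 22, ACCEPT)]
    host = ("192.0.2.10", "00:11:22:33:44:55")
    t0 = 1000.0
    results = {}
    for label, cache_verdict in (("return", RETURN), ("accept", ACCEPT)):
        recent = RecentSet()
        results[label] = [
            # first contact: MAC list scanned, IP cached, ssh allowed by rule
            calling_chain(Packet(*host, 22), maclist, recent, t0,
                          rules, cache_verdict),
            # within TTL, to a port no rule allows: must still be dropped
            calling_chain(Packet(*host, 23), maclist, recent, t0 + 10,
                          rules, cache_verdict),
            # after TTL expiry the MAC list is scanned again
            calling_chain(Packet(*host, 23), maclist, recent,
                          t0 + MACLIST_TTL + 1, rules, cache_verdict),
        ]
    return results


if __name__ == "__main__":
    for label, verdicts in demo().items():
        print(label, verdicts)
```

With RETURN the cached packet to port 23 still falls through to the calling
chain's rules and is dropped by policy; with ACCEPT the cache hit decides the
packet inside the maclist subchain and the remaining rules are never
consulted until the TTL expires.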

