Hi,
On Mon, Apr 09, 2001 at 12:16:14AM +0200, Thomas Lopatic wrote:
> [...]
>
> Details
> -------
>
> When IP Filter evaluates the rule-base for an IP fragment and decides
> whether to pass it or block it, this decision is saved in a "decision
> cache" together with the fragment's IP ID, protocol number, source
> address and destination address fields.
Looking at the ipf code (3.4.9, the one inclued in NetBSD 1.5), it looks
like an entry is added to the decision cache only if the packet
matches a rule with 'keep state' or 'keep frags'. So a ruleset without
any 'keep state'/'keep frags' should not be vulnerable.
Or did I miss something ?
--
Manuel Bouyer <[EMAIL PROTECTED]>
--
