Hi Dave,

Yes, this is referred to as VU#521769 by CERT.

I'm currently working with Sun to try and make sure IPFilter for Solaris 10 gets
fixed ASAP and I'm trying to be nice to them by not patching open source ipfilter
first.

However if you (and others) need a patch "now" so that you've got some lead
time to get it downloaded, built and installed, I'll consider patching open source
sooner rather than later.

Darren

Dave Ockwell-Jenner wrote:
| Is there any increased visibility of a need for this feature; given the recent
| DNS vulnerability discussions. I have clients who are patching their DNS
| servers to provide source-port randomization, but are behind NAT which renders
| such randomization moot.
|
| Cheers,
| Dave.
|
| On Jun 13, 2008, at 4:25 AM, Darren Reed wrote:
|
|> Jeremy C. Reed wrote:
|>> I have:
|>>
|>> map ral0 from any port = 4791 to any -> 0/32 portmap tcp/udp 5000:60000
|>>
|>> As documented in man page I see it does use incremental port numbers for
|>> the new port (5000, 5001, 5002, ... as seen with tcpdump.)
|>>
|>> Any way to randomize my new source port?
|>>
|>
|> Not yet.
|>
|> If you'd like to add a random port feature, my preference would be for it
|> to be added to the active development version of IPFilter that you can
|> get from CVS on sourceforge.net/projects/ipfilter/ but all code contributions
|> are welcome :)
|>
|> Cheers,
|> Darren
|>
|
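
Added example (not part of the original thread and not IPFilter code): a check an administrator could run over source ports captured on the outside of the NAT, e.g. with tcpdump, to see whether the portmap is handing out ports incrementally as described above. The function names, the max_step tolerance, the threshold and the sample port lists are assumptions constructed for illustration.

```python
"""Check whether source ports seen outside a NAT look sequential or randomized."""

PORT_LO, PORT_HI = 5000, 60000  # range from the portmap rule quoted in the thread

# Constructed sample: incremental allocation, wrapping from 60000 back to 5000.
SEQ_SAMPLE = [59997, 59998, 60000, 5000, 5001, 5003, 5004]
# Constructed sample: ports spread across the range with no pattern.
RAND_SAMPLE = [41822, 7310, 58011, 23456, 5123, 36790, 19004, 50217]


def small_step_fraction(ports, lo=PORT_LO, hi=PORT_HI, max_step=16):
    """Fraction of consecutive ports that advance by 1..max_step, modulo the range.

    max_step > 1 tolerates other flows taking ports from the same pool
    between two observed packets. Ports outside lo..hi are ignored.
    """
    size = hi - lo + 1
    in_range = [p for p in ports if lo <= p <= hi]
    if len(in_range) < 2:
        raise ValueError("need at least two ports inside the mapped range")
    hits = 0
    for prev, cur in zip(in_range, in_range[1:]):
        step = (cur - prev) % size  # handles the wrap from hi back to lo
        if 1 <= step <= max_step:
            hits += 1
    return hits / (len(in_range) - 1)


def classify(ports, threshold=0.5, **kw):
    """Label a capture 'sequential' or 'randomized'.

    With uniformly random ports a small forward step is rare
    (about max_step / range size), so a high fraction means the
    next port can be predicted from the previous one.
    """
    frac = small_step_fraction(ports, **kw)
    return "sequential" if frac >= threshold else "randomized"


if __name__ == "__main__":
    for name, sample in (("SEQ_SAMPLE", SEQ_SAMPLE), ("RAND_SAMPLE", RAND_SAMPLE)):
        print(name, small_step_fraction(sample), classify(sample))
```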