> >If the code I'm reading, 1.1.88, is actually what is in use, then Linux
> >should be LAST on your list of operating systems to use for a firewall,
> >ipfw or no. It would be trivial for a "bad" IP packet to cause a Linux
> >kernel numerous problems. All sorts of things are done in the wrong
> >order (assuming BSD is more correct) and various sanity checks on incoming
> >packets are not performed. This is just from reading their code in the
> >last 5 mins, with NetBSD in another window on the right, and comparing
> >the two, seeing what does and doesn't get done. That or the BSD code is
> >more paranoid about what it does and trusts, which isn't an altogether
> >bad thing.
> Could you be more specific about your comments above? Yes, I am interested
> in using Linux as a firewall, but hadn't begun to look at the actual
> firewall code. You're analysis could save me time.
For starters, there seem to be too few checks about the size of the packet,
the size it claims to be and and the size of the packet header in comparison
to both of these. Either that or it checks packet header sanity twice and
in another place I can't find. From observation, a carefully crafted IP
packet could crash your linux machine.
Then when you get to the IP firewall code, it doesn't bother checking the
access lists for anything going to 127.0.0.1, regardless of where it has
That from 1.1.94, * Version: @(#)ip.c 1.0.16b 9/1/93.
(Just got it from tsx.mit.edu).