Re: kernel panic [linux 2.2.19-7] on UDP scan CP4.1-SP5

From: Blue Boar (BlueBoar@thievco.com)
Date: 11/14/01


Date: Wed, 14 Nov 2001 11:07:59 -0800
From: Blue Boar <BlueBoar@thievco.com>
Subject: Re: kernel panic [linux 2.2.19-7] on UDP scan CP4.1-SP5
To: Yanek Korff <yanek@cigital.com>
Message-id: <3BF2C10F.4257B4BB@thievco.com>


> Would not the OS itself crash without the FW kernel module loaded when a UDP
> scan was initiated? When the machine is running without the FW active, it
> stays up fine.

Sounds like you answered your own question. :) All the evidence suggests
that the fault is in the firewall code. If a KLM dies, it's perfectly
capable of taking the kernel with it. At least when I've done it on
Solaris.. I assume Linux is the same.

> I've tried the -T Paranoid switch; the system crashes with the VERY FIRST
> UDP packet, regardless of which port it's sent to. I subsequently
> re-enabled icmp, as a "before last" implied rule... And I see this:
> Initiating UDP Scan against (64.80.176.11)
> 12:43:34.168842 nmap_source.58153 > fw_under_test.973: udp 0
> 12:43:34.274503 fw_under_test > nmap_source: icmp: 64.80.176.11 udp port 973
> unreachable
>
> And that's the last packet I get from the machine.

Meaning it crashes? Seems strange, you'd think Checkpoint would have
tried a UDP packet before they shipped...

Can anyone else confirm the results?

> If I run nslookup on nmap_source, set my server to fw_under_test, and
> attempt to resolve something (even though fw_under_test is not running a
> nameserver), the fw_under_test does not crash. It merely replies with udp
> port unreachable and stays up.

Must be something in particular with the contents of the packet NMAP sends.

                                                BB