Re: [suse-security] kernel 2.4: ipchains and ip_masq_ftp

maf king wrote:

One thing to bear in mind with this approach : AFAIK the stock SuSE 7.2 2.4.4 kernel hasn't been patched to close the serious security hole in ip_conntrack_ftp, so if security is of any importance at all, and you have to allow FTP, 2.2.19 is probably better.

I thought that problem only affected kernels <= 2.4.3. Looking at my SuSE 7.2 system with a 2.4.4-4GB kernel (default), i see the following in lines 352-355 of my /usr/src/linux-2.4.4.SuSE/net/ipv4/netfilter/ip_conntrack_ftp.c: ---- /* Thanks to Cristiano Lincoln Mattos for reporting this potential problem (DMZ machines opening holes to internal networks, or the packet filter itself). */ if (!loose) goto out; ---- So I would say that this problem has been taken care of... Could someone from SuSE please confirm this? Thanks, Sergi