<br><br><div class="gmail_quote">On Tue, Jun 23, 2009 at 3:34 AM, Matthias Andree <span dir="ltr"><<a href="mailto:matthias.andree@gmx.de">matthias.andree@gmx.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Am 23.06.2009, 01:17 Uhr, schrieb Brad Morgan <<a href="mailto:b-morgan@concentric.net">b-morgan@concentric.net</a>>:<br>
<div class="im"><br>
>> dnsmasq empties his cache after restart, how to prevent it?<br>
><br>
> Isn't the right answer to get dnsmasq off of a machine that isn't<br>
> stable? I have dnsmasq running on a Redhat 9 Linux machine that also<br>
> serves as my<br>
> firewall. There are no kernel updates to worry about and the system just<br>
> runs and runs and runs with uptimes measured in multiple months.<br>
<br>
</div>That's something to _STRONGLY_ discourage. Kernel updates aren't required<br>
that often (if you feel they are, run one of the BSDs), and they aren't<br>
the cause for the original posting/pain anyways.<br>
<br>
Running firewalls on outdated kernels is as dangerous as it can get - some<br>
> code injection might disable your firewall and then expose your whole LAN.</blockquote><div><br>Note of course that prevention of code injection is not the kernel's role. Limiting the damage is; a code injection attack against a user-mode process is far more likely to achieve a successful jailbreak on an unpatched kernel, but the user-mode process can and should be updated with no need for a kernel-stopping reboot. And the most up-to-date kernel is completely powerless to protect a system whose network-facing services aren't properly restricted via user account and capabilities. Kernel updates are important, but they aren't a panacea.<br>
<br>A buffer overflow in a kernel module processing incoming network data is a different story of course, but this is a very slim attack surface, especially on a well-configured firewall (e.g. no khttpd, knfsd, etc).<br> </div>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><br>
<br>
--<br>
<font color="#888888">Matthias Andree<br>
</font><div><div></div><div class="h5"><br>
_______________________________________________<br>
Dnsmasq-discuss mailing list<br>
<a href="mailto:Dnsmasq-discuss@lists.thekelleys.org.uk">Dnsmasq-discuss@lists.thekelleys.org.uk</a><br>
<a href="http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss" target="_blank">http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss</a><br>
</div></div></blockquote></div><br>