There are some architectural issues as well. I.e. stock authsrv talks
via a localhost port - if your machine runs proxies you should use
tricky configuration options to prevent them from talking to it except
when they ought to.

There is an encryption patch, but IIRC it was not included in Gauntlet,
and it uses a silly single-pass DES PSK, and authsrv has a fixed banner
displayed at the start of each session, for bruteforcers' joy.

OpenFWTK has a subtle API change to communicate via a unix socket when
needed, and the change is transparent for all applications.

On Wed, Jan 17, 2007 at 08:12:46AM -0500, Marcus J. Ranum wrote:
> ArkanoiD wrote:
> >I wonder if there are still many people who use TIS fwtk and/or old
> >Gauntlet source license. If you do, please drop me a line describing
> >your environment and requirements, as I have some replacement code ;-)

> I'm not necessarily recommending "Arkanoid"'s replacement, but if
> there ARE any people still using the old fwtk code, I'd suggest that
> you replace it.
> I recently discovered a number of issues with the code using an
> automated software security tester - see:
> Quite the interesting experience, to say the least. While the review I
> performed identified a number of issues, they would be fairly easy to
> fix. I'm not doing it, though.
> mjr.
> _______________________________________________
> firewall-wizards mailing list

firewall-wizards mailing list