From: "Brian A. Seklecki" <lavalamp@spiritual-machines.org>
To: freebsd-questions@freebsd.org
Date: Wed, 25 Jan 2006 10:14:30 -0500 (EST)
Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-06:07.pf
In-Reply-To: <200601251013.k0PADhKN059136@freefall.freebsd.org>
Message-ID: <20060125095918.K37425@arbitor.digitalfreaks.org>

> III. Impact
>
> By sending a carefully crafted sequence of IP packet fragments, a remote
> attacker can cause a system running pf with a ruleset containing a
> 'scrub fragment crop' or 'scrub fragment drop-ovl' rule to crash.
>
> IV. Workaround
>
> Do not use 'scrub fragment crop' or 'scrub fragment drop-ovl' rules
> on systems running pf. In most cases, such rules can be replaced by
> 'scrub fragment reassemble' rules; see the pf.conf(5) manual page for

All:

Just to clarify on the syntax, since it's not actually mentioned in pf.conf(5):

Per the PF FAQ, a rule:

  "scrub in all" or "scrub all"

implies

  "scrub in all fragment reassemble"

as a default argument/flags to "scrub" when none are specified, and none of the other scrubbing options (no-df, random-id, etc.). This is per observation of "pfctl -s all":

  $ sudo grep -i scrub /etc/pf.conf
  scrub in all
  $ sudo pfctl -s all | grep -i scrub
  scrub in all fragment reassemble

Correct?

To the credit of the FAQ author, it does state "This is the default behavior when no fragment option is specified." ... but that still begs the question: "What are the default scrubbing options, other than fragment reassembly, when none are specified?"

Might be useful to mention these things in the FAQ and the advisory.

TIA,
~lava

> more details.
>
> Systems which do not use pf, or use pf but do not use the aforementioned
> rules, are not affected by this issue.
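A small ruleset audit, added here as an example and not part of Brian's post or of the FreeBSD advisory: it flags the 'scrub fragment crop' / 'scrub fragment drop-ovl' rules the advisory says to remove, rewrites them to 'fragment reassemble', and spells out the implicit default the way the 'pfctl -s all' output above does. The sample pf.conf is constructed, the function names are hypothetical, and it assumes one scrub rule per line with no macros or line continuations.

```shell
#!/bin/sh
# Added example, not from the mailing-list post or the advisory.
# Assumes one scrub rule per line, no macros, no line continuations.

# Constructed sample ruleset (not any real host's /etc/pf.conf).
SAMPLE_PF_CONF='# constructed sample
scrub in all
scrub in on em0 all fragment crop
scrub out on em0 all fragment drop-ovl
scrub in all fragment reassemble no-df random-id
pass in all'

# Print the scrub rules named in FreeBSD-SA-06:07.pf (crop / drop-ovl).
# Usage: printf '%s\n' "$ruleset" | find_affected_scrub
find_affected_scrub() {
    grep -E '^[[:space:]]*scrub[[:space:]].*fragment[[:space:]]+(crop|drop-ovl)([[:space:]]|$)'
}

# Rewrite affected rules to the advisory's suggested replacement and make
# the implicit default explicit: a scrub rule with no "fragment" keyword is
# shown as "fragment reassemble", matching what pfctl -s all displays.
normalize_scrub() {
    awk '
        /^[ \t]*scrub[ \t]/ {
            sub(/fragment[ \t]+(crop|drop-ovl)/, "fragment reassemble")
            if ($0 !~ /fragment/) $0 = $0 " fragment reassemble"
        }
        { print }
    '
}

# Number of affected rules in the constructed sample (expected: 2).
count_affected() {
    printf '%s\n' "$SAMPLE_PF_CONF" | find_affected_scrub | wc -l | tr -d ' '
}

echo "Affected scrub rules:"
printf '%s\n' "$SAMPLE_PF_CONF" | find_affected_scrub
echo
echo "Normalized ruleset:"
printf '%s\n' "$SAMPLE_PF_CONF" | normalize_scrub
```

Run it against a real ruleset with `find_affected_scrub < /etc/pf.conf`; a non-empty result means the host still carries a rule the advisory's workaround tells you to replace.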