From: Lowell Gilbert
To: "Ronald F. Guilmette"
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:08.tcp
Date: Fri, 02 May 2014 11:16:51 -0400

"Ronald F. Guilmette" writes:

> I also have a question....
>
> If one manages a system where (a) all local user accounts are completely
> and 100% trustworthy and where (b) one has in place ipfw rules which reject
> all incoming packet *fragments* on all outward-facing interfaces, then is
> this security problem (relating to the reassembly queue) an issue at all
> for said system?  Or is it rather a non-event in such contexts?

That should keep you safe, but it will break some legitimate connections, not to mention MTU discovery.