Date:      Fri, 02 May 2014 13:05:04 -0700
From:      Xin Li <delphij@delphij.net>
To:        "Ronald F. Guilmette" <rfg@tristatelogic.com>,  freebsd-security@freebsd.org
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-14:08.tcp
Message-ID:  <5363FA70.9040100@delphij.net>
In-Reply-To: <3867.1399059743@server1.tristatelogic.com>
References:  <3867.1399059743@server1.tristatelogic.com>


On 05/02/14 12:42, Ronald F. Guilmette wrote:
> OK, so how would one block all incoming *TCP* fragments... you
> know...

There is no such thing as TCP fragments.

> in order to render this specific security issue a non-issue?  (I
> personally am already blocking inbound IP fragments via ipfw.)

Looking at the ipfw manual, it doesn't seem to have the capability to do
TCP reassembly (or so-called traffic normalization), which as far as
I know is a pf-only feature on FreeBSD.  If your server is behind a
pf-based firewall or some other firewall that can do TCP reassembly,
you can do that as well.

Please note that TCP reassembly requires more memory and CPU power and
does not necessarily reduce the traffic hitting your server behind the
firewall, so it's a workaround and may not be a good idea for longer-term
usage.

Blocking inbound IP fragments is generally a good safety measure, but
keep in mind that doing so could break certain applications that do
require it (e.g. don't be surprised if some users behind several layers
of firewalls see blank pages from your website), and that needs to be
taken into consideration.

Cheers,
-- 
Xin LI <delphij@delphij.net>    https://www.delphij.net/
FreeBSD - The Power to Serve!           Live free or die