Date: Fri, 02 May 2014 13:05:04 -0700
From: Xin Li <delphij@delphij.net>
To: "Ronald F. Guilmette" <rfg@tristatelogic.com>, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:08.tcp
Message-ID: <5363FA70.9040100@delphij.net>
In-Reply-To: <3867.1399059743@server1.tristatelogic.com>
References: <3867.1399059743@server1.tristatelogic.com>
On 05/02/14 12:42, Ronald F. Guilmette wrote:
> OK, so how would one block all incoming *TCP* fragments... you
> know...

There is no such thing as TCP fragments.

> in order to render this specific security issue a non-issue? (I
> personally am already blocking inbound IP fragments via ipfw.)

Looking at the ipfw manual, it doesn't seem to have the capability to do TCP reassembly (or so-called traffic normalization), which, as far as I know, is a pf-only feature on FreeBSD. If your server is behind a pf-based firewall or some other firewall that can do TCP reassembly, you can do that as well.

Please note that TCP reassembly requires more memory and CPU power and does not necessarily reduce the traffic hitting your server behind the firewall, so it's a workaround and may not be a good idea for longer-term usage.

Blocking inbound IP fragments is generally a good safety measure, but keep in mind that doing so could break certain applications that do require it (e.g. don't be surprised if some users behind several layers of firewalls see blank pages from your website), and that needs to be taken into consideration.

Cheers,
--
Xin LI <delphij@delphij.net> https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die
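As an added illustration of the pf-side workaround the reply above describes (example configuration written for this page, not from the mail or the FreeBSD project; the interface name em0, the port list and the frags limit are assumed values):

```pf
# Added example, not from the mail: a pf.conf fragment for a FreeBSD
# firewall in front of the affected host. em0, the port list and the
# limit value are assumptions for illustration.
ext_if = "em0"

# Bound the fragment cache: reassembly holds fragments in kernel memory,
# which is why the mail calls it a workaround rather than a long-term fix.
set limit frags 5000

# Reassemble inbound IP fragments before any filter rule sees them, so the
# protected host receives whole datagrams instead of fragments.
scrub in on $ext_if all fragment reassemble

# pf's "reassemble tcp" is stateful TCP normalization (TTL and timestamp
# checks on tracked connections), not a full stream reassembly, so treat
# it as an extra layer in front of the host, not a replacement for patching.
scrub in on $ext_if proto tcp all reassemble tcp

# scrub only normalizes; filtering still needs ordinary stateful rules.
block in on $ext_if all
pass in on $ext_if proto tcp to ($ext_if) port { 22, 443 } keep state
pass out on $ext_if all keep state
```

Syntax-check with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. An ipfw-only host cannot do the reassembly but can drop non-first fragments with `ipfw add deny ip from any to any in frag`, at the cost of the breakage for legitimately fragmented traffic that the mail warns about.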
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5363FA70.9040100>