From owner-freebsd-security@FreeBSD.ORG Sat May 3 03:54:10 2014
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 161FBCA7 for ; Sat, 3 May 2014 03:54:10 +0000 (UTC)
Received: from sola.nimnet.asn.au (paqi.nimnet.asn.au [115.70.110.159]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 811491C94 for ; Sat, 3 May 2014 03:54:08 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by sola.nimnet.asn.au (8.14.2/8.14.2) with ESMTP id s433rijW089910; Sat, 3 May 2014 13:53:44 +1000 (EST) (envelope-from smithi@nimnet.asn.au)
Date: Sat, 3 May 2014 13:53:44 +1000 (EST)
From: Ian Smith
To: d@delphij.net
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:08.tcp
In-Reply-To: <5363FA70.9040100@delphij.net>
Message-ID: <20140503133437.R11699@sola.nimnet.asn.au>
References: <3867.1399059743@server1.tristatelogic.com> <5363FA70.9040100@delphij.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Cc: freebsd-security@freebsd.org, "Ronald F. Guilmette"
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 03 May 2014 03:54:10 -0000

On Fri, 2 May 2014 13:05:04 -0700, Xin Li wrote:
 > On 05/02/14 12:42, Ronald F. Guilmette wrote:
 > > OK, so how would one block all incoming *TCP* fragments... you
 > > know...
 >
 > There is no such TCP fragments thing.
 >
 > > in order to render this specific security issue a non-issue? (I
 > > personally am already blocking inbound IP fragments via ipfw.)
 >
 > Looking at ipfw manual it doesn't seem to have the capability to do
 > TCP reassembling (or so-called traffic normalization), which as far as
 > I know, is a pf-only feature on FreeBSD. If your server is behind a
 > pf-based firewall or some other firewall that can do TCP reassemble,
 > you can do that as well.

man ipfw /reass

Or is that something else? I haven't used this myself.

 > Please note that TCP reassemble requires more memory and CPU power and
 > does not necessarily reduce the traffic hitting your server behind
 > firewall, so it's a workaround and may be not a good idea for longer
 > term usage.
 >
 > Blocking inbound IP fragments is generally a good safety measure, but
 > keep in mind that doing so could break certain applications that do
 > require it (e.g. don't be surprised if some user behind several layers
 > of firewalls sees blank pages from your website) and that needs to be
 > taken into consideration.

I've always allowed frags, as per the example rulesets in rc.firewall. I only recall seeing them on DNS responses from zen.spamhaus.org, where I see plenty of these after a resetlog before the logging limit kicks in. I doubt I'd be getting rid of ~90% of incoming spam without; eg:

Apr 17 19:52:29 sola kernel: ipfw: 20200 Accept UDP myISP mybox in via ng0 (frag 18125:853@1480)
Apr 17 19:52:29 sola kernel: ipfw: 20200 Accept UDP myISP mybox in via ng0 (frag 18126:903@1480)
Apr 17 19:52:29 sola kernel: ipfw: 20200 Accept UDP myISP mybox in via ng0 (frag 18128:1043@1480)
Apr 17 19:52:29 sola kernel: ipfw: 20200 Accept UDP myISP mybox in via ng0 (frag 18129:147@1480)

cheers, Ian
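As an added example (not part of this thread or of FreeBSD itself), a small Python parser for the `(frag ID:LEN@OFF)` suffix in the ipfw log lines quoted above. It separates the initial fragment (offset 0, the only one carrying the UDP/TCP header that port-based rules can match) from later ones and groups fragments by IP id. The field layout is assumed from the lines shown; the optional trailing `+` (more fragments follow) is an assumption about ipfw's log format.

```python
import re
from collections import defaultdict

# Assumed ipfw log shape, taken from the lines quoted in the message:
#   ipfw: RULE ACTION PROTO SRC DST in|out via IFACE (frag ID:LEN@OFF[+])
# ID = IP identification, LEN = payload bytes in this fragment,
# OFF = byte offset within the original datagram, "+" = more fragments follow.
FRAG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) (?P<src>\S+) (?P<dst>\S+) "
    r"(?P<dir>in|out) via (?P<iface>\S+) "
    r"\(frag (?P<id>\d+):(?P<len>\d+)@(?P<off>\d+)(?P<more>\+?)\)"
)


def parse_frag_line(line):
    """Return a dict for an ipfw log line that describes a fragment, else None."""
    m = FRAG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    off = int(d["off"])
    return {
        "rule": int(d["rule"]), "action": d["action"], "proto": d["proto"],
        "src": d["src"], "dst": d["dst"], "dir": d["dir"], "iface": d["iface"],
        "id": int(d["id"]), "len": int(d["len"]), "off": off,
        "more": d["more"] == "+",
        # Only the fragment at offset 0 carries the transport header; later
        # fragments have no ports, which is why a plain port rule never sees them.
        "has_l4_header": off == 0,
    }


def summarize_fragments(lines):
    """Group fragments by IP id: count, payload bytes, and whether first/last were seen."""
    groups = defaultdict(lambda: {"fragments": 0, "bytes": 0,
                                  "saw_first": False, "saw_last": False})
    for line in lines:
        f = parse_frag_line(line)
        if f is None:
            continue
        g = groups[f["id"]]
        g["fragments"] += 1
        g["bytes"] += f["len"]
        g["saw_first"] = g["saw_first"] or f["off"] == 0
        g["saw_last"] = g["saw_last"] or not f["more"]
    return dict(groups)


# Constructed sample: the four lines quoted in the message above.
SAMPLE = [
    "Apr 17 19:52:29 sola kernel: ipfw: 20200 Accept UDP myISP mybox in via ng0 (frag 18125:853@1480)",
    "Apr 17 19:52:29 sola kernel: ipfw: 20200 Accept UDP myISP mybox in via ng0 (frag 18126:903@1480)",
    "Apr 17 19:52:29 sola kernel: ipfw: 20200 Accept UDP myISP mybox in via ng0 (frag 18128:1043@1480)",
    "Apr 17 19:52:29 sola kernel: ipfw: 20200 Accept UDP myISP mybox in via ng0 (frag 18129:147@1480)",
]
```

Running `summarize_fragments(SAMPLE)` shows four ids, each with one logged fragment at offset 1480 and none at offset 0, i.e. only the non-initial pieces of each DNS reply hit this rule.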