Date: Thu, 26 Feb 2015 09:04:18 +0000
From: Karl Pielorz <kpielorz_lst@tdx.co.uk>
To: Remko Lodder <remko@FreeBSD.org>
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:04.igmp (fwd) - ipfw fix?
Message-ID: <EA0A592818642723A28D5125@[10.12.30.106]>
In-Reply-To: <1BE461E0-D2AC-4222-8D41-B7F97E83FD74@FreeBSD.org>
References: <ABE6D1EBAF2F5AEB25D65407@[10.12.30.106]> <1BE461E0-D2AC-4222-8D41-B7F97E83FD74@FreeBSD.org>

--On 25 February 2015 18:21 +0100 Remko Lodder <remko@FreeBSD.org> wrote:

> This suggests that you can filter the traffic:
>
> Block incoming IGMP packets by protecting your host/networks with a
> firewall. (Quote from the SA).

It does, but it doesn't specifically say whether ipfw on *the host that's being protected* is sufficient.

I'd imagine in some scenarios that won't work (because the host simply receiving a malformed packet would cause issues) - so was just getting it clarified that an ipfw rule on the vulnerable *host itself* blocking igmp (any to any) is sufficient in this case.

i.e. You don't need an 'external' firewall sat in front of the hosts to do that job.

-Karl
