From owner-freebsd-security@FreeBSD.ORG  Thu Feb 26 09:04:21 2015
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id CF310517;
 Thu, 26 Feb 2015 09:04:21 +0000 (UTC)
Received: from mail.tdx.com (mail.tdx.com [62.13.128.18])
 by mx1.freebsd.org (Postfix) with ESMTP id 981E322F;
 Thu, 26 Feb 2015 09:04:20 +0000 (UTC)
Received: from [10.12.30.106] (vpn01-01.tdx.co.uk [62.13.130.213])
 (authenticated bits=0)
 by mail.tdx.com (8.14.3/8.14.3/) with ESMTP id t1Q94IfL015172
 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
 Thu, 26 Feb 2015 09:04:19 GMT
Date: Thu, 26 Feb 2015 09:04:18 +0000
From: Karl Pielorz <kpielorz_lst@tdx.co.uk>
To: Remko Lodder <remko@FreeBSD.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:04.igmp (fwd) - ipfw fix?
Message-ID: <EA0A592818642723A28D5125@[10.12.30.106]>
In-Reply-To: <1BE461E0-D2AC-4222-8D41-B7F97E83FD74@FreeBSD.org>
References: <ABE6D1EBAF2F5AEB25D65407@[10.12.30.106]>
 <1BE461E0-D2AC-4222-8D41-B7F97E83FD74@FreeBSD.org>
X-Mailer: Mulberry/4.0.8 (Win32)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Cc: freebsd-security@freebsd.org
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Feb 2015 09:04:21 -0000



--On 25 February 2015 18:21 +0100 Remko Lodder <remko@FreeBSD.org> wrote:

> This suggests that you can filter the traffic:
>
> Block incoming IGMP packets by protecting your host/networks with a
> firewall.  (Quote from the SA).

It does, but it doesn't specifically say whether ipfw on *the host that's 
being protected* is sufficient

I'd imagine in some scenarios that won't work (because the host simply 
receiving a malformed packet would cause issues) - so was just getting it 
clarified that an ipfw rule on the vulnerable *host itself* blocking igmp 
(any to any) is sufficient in this case.

i.e. You don't need a 'external' firewall sat in front of the hosts to do 
that job.

-Karl