Date:      Tue, 21 Apr 2020 19:55:18 -0400
From:      Ed Maste <emaste@freebsd.org>
To:        Eugene Grosbein <eugen@grosbein.net>
Cc:        "Andrey V. Elsukov" <ae@freebsd.org>, freebsd-security@freebsd.org
Subject:   Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-20:10.ipfw
Message-ID:  <CAPyFy2CoqK+LsbYX3+TtC3hmieRQ1s2SV5f4LjeH0pqZTa9SEg@mail.gmail.com>
In-Reply-To: <f43a2478-31e4-6c82-a84e-eace2b7b416b@grosbein.net>
References:  <20200421165514.C676C1CB78@freefall.freebsd.org> <54bfc0f6-be4c-349d-df87-8ba507803a04@grosbein.net> <CAPyFy2Bx6hM0FdF2xHPrpzfCDo+5JRtetxQs2_S9zy=V2FEmew@mail.gmail.com> <f43a2478-31e4-6c82-a84e-eace2b7b416b@grosbein.net>

On Tue, 21 Apr 2020 at 18:50, Eugene Grosbein <eugen@grosbein.net> wrote:
>
> > I believe this is correct; what about this statement:
> >
> > No workaround is available.  Systems not using the ipfw firewall, and
> > systems that use the ipfw firewall but without any rules using "tcpoptions"
> > or "tcpmss" keywords, are not affected.
>
> Isn't removing rules with "tcpoptions/tcpmss" considered a workaround?
>
> Such rules may be replaced with "ipfw netgraph" rules and processing TCP options
> with the NETGRAPH node ng_bpf(4). Seems like a workaround to me.

Fair enough, although I don't want to provide that as an official
suggestion in the advisory without testing and understanding the
caveats, so probably just removing the "No workaround is available."

So perhaps:
Systems not using the ipfw firewall, and systems that use the ipfw firewall
but with no rules using "tcpoptions" or "tcpmss" keywords, are not affected.
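A quick way to test the "affected" condition above against a host's own ruleset, as an added example that is not part of this thread: the function reads text in the one-rule-per-line format printed by `ipfw list` and reports the rule numbers that use the "tcpoptions" or "tcpmss" keyword; the ruleset below is constructed for illustration.

```shell
#!/bin/sh
# affected_rules: read `ipfw list` style output on stdin and print the
# number of every rule whose body uses the "tcpoptions" or "tcpmss" keyword.
# Matching is done on whole tokens, and anything after a "//" rule comment
# is ignored, so a comment that merely mentions a keyword does not count.
affected_rules() {
    awk '
        {
            line = $0
            sub(/\/\/.*$/, "", line)        # strip trailing "// comment"
            n = split(line, tok)            # default split: whitespace-separated tokens
            for (i = 2; i <= n; i++) {      # tok[1] is the rule number
                if (tok[i] == "tcpoptions" || tok[i] == "tcpmss") {
                    print tok[1]
                    break
                }
            }
        }'
}

# Constructed sample ruleset (not taken from any real system).
SAMPLE_RULES='00100 allow ip from any to any via lo0
00200 deny tcp from any to any tcpoptions mss
00300 allow tcp from any to 10.0.0.1 dst-port 22 // tcpmss handled elsewhere
00400 deny tcp from any to any tcpmss 100-500
65535 deny ip from any to any'

# Non-empty output means the host falls inside the advisory's affected
# configuration; on a live system replace the sample with: ipfw list | affected_rules
printf '%s\n' "$SAMPLE_RULES" | affected_rules
```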
