Date: Tue, 21 Apr 2020 19:55:18 -0400
From: Ed Maste <emaste@freebsd.org>
To: Eugene Grosbein <eugen@grosbein.net>
Cc: "Andrey V. Elsukov" <ae@freebsd.org>, freebsd-security@freebsd.org
Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-20:10.ipfw
Message-ID: <CAPyFy2CoqK%2BLsbYX3%2BTtC3hmieRQ1s2SV5f4LjeH0pqZTa9SEg@mail.gmail.com>
In-Reply-To: <f43a2478-31e4-6c82-a84e-eace2b7b416b@grosbein.net>
References: <20200421165514.C676C1CB78@freefall.freebsd.org> <54bfc0f6-be4c-349d-df87-8ba507803a04@grosbein.net> <CAPyFy2Bx6hM0FdF2xHPrpzfCDo%2B5JRtetxQs2_S9zy=V2FEmew@mail.gmail.com> <f43a2478-31e4-6c82-a84e-eace2b7b416b@grosbein.net>

On Tue, 21 Apr 2020 at 18:50, Eugene Grosbein <eugen@grosbein.net> wrote:
>
> > I believe this is correct; what about this statement:
> >
> > No workaround is available. Systems not using the ipfw firewall, and
> > systems that use the ipfw firewall but without any rules using "tcpoptions"
> > or "tcpmss" keywords, are not affected.
>
> Isn't removing rules with "tcpoptions/tcpmss" considered as work-around?
>
> Such rules may be replaced with "ipfw netgraph" rules and processing TCP options
> with NETGRAPH node ng_bpf(4). Seems as work-around to me.

Fair enough, although I don't want to provide that as an official
suggestion in the advisory without testing and understanding the
caveats, so probably just removing the "No workaround is available."
So perhaps:

Systems not using the ipfw firewall, and systems that use the ipfw
firewall but with no rules using "tcpoptions" or "tcpmss" keywords, are
not affected.
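
The "not affected" condition proposed above can be checked against a ruleset listing. The following is an added example, not part of the message or the advisory: the function names and the sample rules are constructed, and it assumes the listing format printed by `ipfw list`, with rule comments introduced by `//`.

```sh
#!/bin/sh
# Added example: flag ipfw rules that use the "tcpoptions" or "tcpmss"
# keywords named in the FreeBSD-SA-20:10.ipfw wording discussed above.

# Constructed sample of `ipfw list` output (not taken from a real host).
sample_rules() {
    cat <<'EOF'
00100 allow ip from any to any via lo0
00200 deny tcp from any to any tcpoptions !mss setup
00300 allow tcp from any to me 22 setup // replaced old tcpmss rule
00400 deny tcp from any to any tcpmss 0-535
65535 deny ip from any to any
EOF
}

# Read a rule listing on stdin and print the number of every rule that
# uses tcpoptions or tcpmss as a keyword. Text after "//" is a rule
# comment, so a keyword that only appears there does not count.
affected_rules() {
    awk '{
        sub("[ \t]//.*$", "")            # strip trailing comment, re-split
        for (i = 2; i <= NF; i++)
            if ($i == "tcpoptions" || $i == "tcpmss") { print $1; next }
    }'
}

# Exit status 0: no rule uses either keyword.
# Exit status 1: at least one rule does; the rule numbers are printed.
ruleset_unaffected() {
    hits=$(affected_rules | tr '\n' ' ')
    if [ -z "$hits" ]; then
        return 0
    fi
    printf 'rules using tcpoptions/tcpmss: %s\n' "$hits"
    return 1
}

# On a FreeBSD host the same check is: ipfw list | ruleset_unaffected
sample_rules | ruleset_unaffected || true
```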
