From owner-freebsd-security@freebsd.org  Wed Apr 22 09:07:51 2020
Return-Path: <owner-freebsd-security@freebsd.org>
Delivered-To: freebsd-security@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id ADC2E2AD070
 for <freebsd-security@mailman.nyi.freebsd.org>;
 Wed, 22 Apr 2020 09:07:51 +0000 (UTC)
 (envelope-from eugen@grosbein.net)
Received: from hz.grosbein.net (hz.grosbein.net [IPv6:2a01:4f8:c2c:26d8::2])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "hz.grosbein.net", Issuer "hz.grosbein.net" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id 496ZMn74YCz3xfM;
 Wed, 22 Apr 2020 09:07:49 +0000 (UTC)
 (envelope-from eugen@grosbein.net)
Received: from eg.sd.rdtc.ru (eg.sd.rdtc.ru [IPv6:2a03:3100:c:13:0:0:0:5])
 by hz.grosbein.net (8.15.2/8.15.2) with ESMTPS id 03M97gxd038783
 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
 Wed, 22 Apr 2020 09:07:43 GMT (envelope-from eugen@grosbein.net)
X-Envelope-From: eugen@grosbein.net
X-Envelope-To: emaste@freebsd.org
Received: from [10.58.0.10] (dadv@dadvw [10.58.0.10])
 by eg.sd.rdtc.ru (8.15.2/8.15.2) with ESMTPS id 03M97fB7078099
 (version=TLSv1.2 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT);
 Wed, 22 Apr 2020 16:07:41 +0700 (+07)
 (envelope-from eugen@grosbein.net)
Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-20:10.ipfw
To: Ed Maste <emaste@freebsd.org>
References: <20200421165514.C676C1CB78@freefall.freebsd.org>
 <54bfc0f6-be4c-349d-df87-8ba507803a04@grosbein.net>
 <CAPyFy2Bx6hM0FdF2xHPrpzfCDo+5JRtetxQs2_S9zy=V2FEmew@mail.gmail.com>
 <f43a2478-31e4-6c82-a84e-eace2b7b416b@grosbein.net>
 <CAPyFy2CoqK+LsbYX3+TtC3hmieRQ1s2SV5f4LjeH0pqZTa9SEg@mail.gmail.com>
Cc: "Andrey V. Elsukov" <ae@freebsd.org>, freebsd-security@freebsd.org
From: Eugene Grosbein <eugen@grosbein.net>
Message-ID: <8067db19-fee5-ce20-ab42-060c26736849@grosbein.net>
Date: Wed, 22 Apr 2020 16:07:40 +0700
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:45.0) Gecko/20100101
 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <CAPyFy2CoqK+LsbYX3+TtC3hmieRQ1s2SV5f4LjeH0pqZTa9SEg@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=0.3 required=5.0 tests=BAYES_00,LOCAL_FROM,
 SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.2
X-Spam-Report: * -2.3 BAYES_00 BODY: Bayes spam probability is 0 to 1%
 *      [score: 0.0000]
 * -0.0 SPF_PASS SPF: sender matches SPF record
 *  0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
 *  2.6 LOCAL_FROM From my domains
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on hz.grosbein.net
X-Rspamd-Queue-Id: 496ZMn74YCz3xfM
X-Spamd-Bar: ---
Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none;
 spf=permerror (mx1.freebsd.org: domain of eugen@grosbein.net uses mechanism
 not recognized by this client) smtp.mailfrom=eugen@grosbein.net
X-Spamd-Result: default: False [-3.99 / 15.00]; ARC_NA(0.00)[];
 NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; FROM_HAS_DN(0.00)[];
 RCPT_COUNT_THREE(0.00)[3]; TO_DN_SOME(0.00)[];
 TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain];
 DMARC_NA(0.00)[grosbein.net]; NEURAL_HAM_LONG(-1.00)[-1.000,0];
 RCVD_COUNT_THREE(0.00)[3];
 IP_SCORE(-1.89)[ip: (-5.24), ipnet: 2a01:4f8::/29(-2.64), asn: 24940(-1.54),
 country: DE(-0.02)]; R_SPF_PERMFAIL(0.00)[];
 FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[];
 MIME_TRACE(0.00)[0:+];
 ASN(0.00)[asn:24940, ipnet:2a01:4f8::/29, country:DE];
 MID_RHS_MATCH_FROM(0.00)[]; RCVD_TLS_ALL(0.00)[]
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Apr 2020 09:07:51 -0000

22.04.2020 6:55, Ed Maste wrote:

> On Tue, 21 Apr 2020 at 18:50, Eugene Grosbein <eugen@grosbein.net> wrote:
>>
>>> I believe this is correct; what about this statement:
>>>
>>> No workaround is available.  Systems not using the ipfw firewall, and
>>> systems that use the ipfw firewall but without any rules using "tcpoptions"
>>> or "tcpmss" keywords, are not affected.
>>
>> Isn't removing rules with "tcpoptions/tcpmss" considered as work-around?
>>
>> Such rules may be replaced with "ipfw netgraph" rules and processing TCP options
>> with NETGRAPH node ng_bpf(4). Seems as work-around to me.
> 
> Fair enough, although I don't want to provide that as an official
> suggestion in the advisory without testing and understanding the
> caveats, so probably just removing the "No workaround is available."
> 
> So perhaps:
> Systems not using the ipfw firewall, and systems that use the ipfw firewall
> but with no rules using "tcpoptions" or "tcpmss" keywords, are not affected.

I like it.