Date: Wed, 09 Nov 2022 04:52:18 +0000
From: bugzilla-noreply@freebsd.org
To: ports-bugs@FreeBSD.org
Subject: [Bug 267658] security/py-fail2ban: Fix PF failing to be able to ban stuff using for example UDP
Message-ID: <bug-267658-7788@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=267658

            Bug ID: 267658
           Summary: security/py-fail2ban: Fix PF failing to be able to ban stuff using for example UDP
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: Individual Port(s)
          Assignee: cy@FreeBSD.org
          Reporter: vvelox@vvelox.net
          Assignee: cy@FreeBSD.org
             Flags: maintainer-feedback?(cy@FreeBSD.org)

Created attachment 237962
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=237962&action=edit
git diff for adding the new patch file

pfctl -k <ip> never gets called, meaning the abusing IP can keep it up fast as long as the state is active. For UDP, this is basically indefinitely as long as they keep it active. For TCP protocols such as HTTPS2 this means as long as the connection is up, they can continue launching attacks against the server as it is a multiplexed connection, meaning more than a single request can be made for a single TCP session.

As it currently stands the current implementation relies on luck or the assumption that most people are not using it for UDP and for when it comes to TCP it is largely not being used for services with multiplexed connections.

The patch allows the old insecure behaviour to be kept, but makes it secure by default. Old behavior can be kept via adding no_kick=true. This is documented in the config as well as an explanation of what the choice means for either.

Also while there, document how to set multiple protocols for the protocol setting.

-- 
You are receiving this mail because:
You are the assignee for the bug.
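
The two-step ban the report asks for, as an added example that is not the attached patch or the port's own action code: adding an address to a PF table only affects packets that need a new state, so existing states are killed with `pfctl -k` unless `no_kick` is `true`. The table name `f2b-example`, the function names and the `DRY_RUN` switch are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: table name, function names and DRY_RUN are hypothetical.
F2B_TABLE="${F2B_TABLE:-f2b-example}"

# Accept only characters that can occur in an IPv4/IPv6 literal, so the
# address can never smuggle extra shell words into the pfctl call.
valid_ip() {
    case "$1" in
        ''|*[!0-9A-Fa-f:.]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the pfctl commands needed to ban $1.
# $2 mirrors the no_kick option from the report (true|false, default false).
pf_ban_plan() {
    ip="$1"; no_kick="${2:-false}"
    valid_ip "$ip" || { echo "invalid address: $ip" >&2; return 2; }
    # Step 1: the table entry blocks traffic that has to create a new state.
    echo "pfctl -t $F2B_TABLE -T add $ip"
    # Step 2: kill states originating from the address; without this an
    # established UDP flow or long-lived TCP session keeps passing.
    if [ "$no_kick" != "true" ]; then
        echo "pfctl -k $ip"
    fi
}

# Execute the plan. DRY_RUN=1 (the default here) only prints it, so the
# function can be exercised on a machine without PF or root.
pf_ban() {
    plan=$(pf_ban_plan "$@") || return $?
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$plan"
    else
        printf '%s\n' "$plan" | while IFS= read -r cmd; do
            $cmd || exit 1
        done
    fi
}
```

After a real ban, `pfctl -ss` should list no remaining states with the banned address as source.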