Date: Wed, 22 Apr 2020 05:50:12 +0700
From: Eugene Grosbein <eugen@grosbein.net>
To: Ed Maste <emaste@freebsd.org>, "Andrey V. Elsukov" <ae@freebsd.org>
Cc: freebsd-security@freebsd.org
Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-20:10.ipfw
Message-ID: <f43a2478-31e4-6c82-a84e-eace2b7b416b@grosbein.net>
In-Reply-To: <CAPyFy2Bx6hM0FdF2xHPrpzfCDo%2B5JRtetxQs2_S9zy=V2FEmew@mail.gmail.com>
References: <20200421165514.C676C1CB78@freefall.freebsd.org> <54bfc0f6-be4c-349d-df87-8ba507803a04@grosbein.net> <CAPyFy2Bx6hM0FdF2xHPrpzfCDo%2B5JRtetxQs2_S9zy=V2FEmew@mail.gmail.com>

22.04.2020 5:15, Ed Maste wrote:

>>> IV. Workaround
>>>
>>> No workaround is available. Systems not using the ipfw firewall are
>>> not vulnerable.
>>
>> This is not true. The problem affects only seldom used rules matching TCP packets
>> by list of TCP options (rules with "tcpoptions" keyword) and/or by TCP MSS size
>> (rules with matching "tcpmss" keyword, don't mix with "tcp-setmss" action keyword).
>
> I believe this is correct; what about this statement:
>
> No workaround is available. Systems not using the ipfw firewall, and
> systems that use the ipfw firewall but without any rules using "tcpoptions"
> or "tcpmss" keywords, are not affected.

Isn't removing rules with "tcpoptions/tcpmss" considered a work-around?
Such rules may be replaced with "ipfw netgraph" rules and processing
TCP options with NETGRAPH node ng_bpf(4). Seems like a work-around to me.