Re: FreeBSD Security Advisory FreeBSD-SA-14:08.tcp
On Fri, 2 May 2014 13:05:04 -0700, Xin Li wrote:
> On 05/02/14 12:42, Ronald F. Guilmette wrote:
> > OK, so how would one block all incoming *TCP* fragments... you
> > know...
>
> There is no such TCP fragments thing.
>
> > in order to render this specific security issue a non-issue? (I
> > personally am already blocking inbound IP fragments viw ipfw.)
>
> Looking at ipfw manual it doesn't seem to have the capability to do
> TCP reassembling (or so-called traffic normalization), which as far as
> I know, is a pf-only feature on FreeBSD. If your server is behind a
> pf-based firewall or some other firewall that can do TCP reassemble,
> you can do that as well.
man ipfw
/reass
Or is that something else? I haven't used this myself.
> Please note that TCP reassemble requires more memory and CPU power and
> do not necessarily reduce the traffic hitting your server behind
> firewall, so it's a workaround and may be not a good idea for longer
> term usage.
>
> Blocking inbound IP fragments is generally a good safety measure, but
> keep in mind that doing so could break certain applications that do
> require it (e.g. don't be surprised if some user behind several layers
> of firewalls see blank pages from your website) and that needs to be
> taken into consideration.
I've always allowed frags, as per the example rulesets in rc.firewall.
I only recall seeing them on DNS responses from zen.spamhaus.org, where
I see plenty of these after a resetlog before the logging limit kicks
in. I doubt I'd be getting rid of ~90% of incoming spam without; eg:
Apr 17 19:52:29 sola kernel: ipfw: 20200 Accept UDP myISP mybox in via ng0 (frag 18125:853@1480)
Apr 17 19:52:29 sola kernel: ipfw: 20200 Accept UDP myISP mybox in via ng0 (frag 18126:903@1480)
Apr 17 19:52:29 sola kernel: ipfw: 20200 Accept UDP myISP mybox in via ng0 (frag 18128:1043@1480)
Apr 17 19:52:29 sola kernel: ipfw: 20200 Accept UDP myISP mybox in via ng0 (frag 18129:147@1480)
cheers, Ian
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
討論串 (同標題文章)
完整討論串 (本文為第 16 之 21 篇):