[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-06:07.pf
Brian A. Seklecki
lavalamp at spiritual-machines.org
Wed Jan 25 07:14:26 PST 2006
> III. Impact
> By sending carefully crafted sequence of IP packet fragments, a remote
> attacker can cause a system running pf with a ruleset containing a
> 'scrub fragment crop' or 'scrub fragment drop-ovl' rule to crash.
> IV. Workaround
> Do not use 'scrub fragment crop' or 'scrub fragment drop-ovl' rules
> on systems running pf. In most cases, such rules can be replaced by
> 'scrub fragment reassemble' rules; see the pf.conf(5) manual page for
Just to clarify on the syntax, since it's not actually mentioned in
Per the PF FAQ, a rule:
"scrub in all" or "scrub all"
Implies "scrub in all fragment reassemble" as a default argument/flags to
"scrub" when not are specified, and none of the other scrubbing options
(no-df, random-id, etc.). This per observation of "pfctl -s all":
$ sudo grep -i scrub /etc/pf.conf
scrub in all
$ sudo pfctl -s all | grep -i scrub
scrub in all fragment reassemble
To the credit of the FAQ Author, it does state "This is the default
behavior when no fragment option is specified." ... but that still begs
the question: "What are the default scrubbing options, other than fragment
reassembly, when none are specified?"
Might be useful to mention these things in the FAQ and the advisory.
> more details.
> Systems which do not use pf, or use pf but do not use the aforementioned
> rules, are not affected by this issue.
More information about the freebsd-questions