FreeBSD Security Advisory FreeBSD-SA-14:08.tcp

Ian Smith smithi at nimnet.asn.au
Sat May 3 03:54:10 UTC 2014


On Fri, 2 May 2014 13:05:04 -0700, Xin Li wrote:
 > On 05/02/14 12:42, Ronald F. Guilmette wrote:
 > > OK, so how would one block all incoming *TCP* fragments... you
 > > know...
 > 
 > There is no such TCP fragments thing.
 > 
 > > in order to render this specific security issue a non-issue?  (I
 > > personally am already blocking inbound IP fragments via ipfw.)
 > 
 > Looking at ipfw manual it doesn't seem to have the capability to do
 > TCP reassembly (or so-called traffic normalization), which as far as
 > I know, is a pf-only feature on FreeBSD.  If your server is behind a
 > pf-based firewall or some other firewall that can do TCP reassembly,
 > you can do that as well.

man ipfw
/reass

Or is that something else?  I haven't used this myself.

 > Please note that TCP reassembly requires more memory and CPU power and
 > does not necessarily reduce the traffic hitting your server behind the
 > firewall, so it's a workaround and may be not a good idea for longer
 > term usage.
 > 
 > Blocking inbound IP fragments is generally a good safety measure, but
 > keep in mind that doing so could break certain applications that do
 > require it (e.g. don't be surprised if some user behind several layers
 > of firewalls sees blank pages from your website) and that needs to be
 > taken into consideration.

I've always allowed frags, as per the example rulesets in rc.firewall.  
I only recall seeing them on DNS responses from zen.spamhaus.org, where 
I see plenty of these after a resetlog before the logging limit kicks 
in.  I doubt I'd be getting rid of ~90% of incoming spam without; e.g.:

Apr 17 19:52:29 sola kernel: ipfw: 20200 Accept UDP myISP mybox in via ng0 (frag 18125:853 at 1480)
Apr 17 19:52:29 sola kernel: ipfw: 20200 Accept UDP myISP mybox in via ng0 (frag 18126:903 at 1480)
Apr 17 19:52:29 sola kernel: ipfw: 20200 Accept UDP myISP mybox in via ng0 (frag 18128:1043 at 1480)
Apr 17 19:52:29 sola kernel: ipfw: 20200 Accept UDP myISP mybox in via ng0 (frag 18129:147 at 1480)

cheers, Ian
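Before adding a rule that denies all inbound fragments, as discussed above, it helps to know what such a rule would actually drop. The following is an added example, not code from Ian's message or from FreeBSD: it parses ipfw syslog lines of the shape shown in the message, aggregates the non-first fragments by rule, protocol, peer pair and interface, reports the size of each reassembled datagram (offset plus length of the last fragment), and flags any fragment whose end would lie beyond the 65535-byte IPv4 limit. The four fragment lines are copied from the message; the remaining sample lines, the rule number 20100, the ports and the ICMP peer address are constructed for the example. The separator between fragment length and offset is accepted as either "@" or " at ", since the lines above use the latter form.

```python
"""Summarise the IPv4 fragments an ipfw ruleset is currently accepting.

Added example (not part of the original thread). Reads ipfw syslog lines and
reports, per rule/protocol/peer/interface, how many non-first fragments were
logged, how large the reassembled datagrams were, and whether any fragment
was bogus (its end beyond the maximum IPv4 datagram size).
"""
import re
from collections import defaultdict

IPV4_MAX_DATAGRAM = 65535

# ipfw only prints ports when the transport header is present (first fragment
# or unfragmented packet); non-first fragments carry just the two addresses.
# Assumption: the fragment suffix reads "(frag ID:LEN@OFF[+])" or, as in the
# lines quoted in the message, "(frag ID:LEN at OFF[+])". "+" means more
# fragments follow.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)"
    r"(?: \(frag (?P<id>\d+):(?P<len>\d+)(?:@| at )(?P<off>\d+)(?P<more>\+?)\))?"
)

# Constructed sample input: the first four lines are the ones quoted in the
# message; the rest are made up for this example (rule 20100, ports, the
# ICMP source address and the oversized fragment).
SAMPLE_LOG = """\
Apr 17 19:52:29 sola kernel: ipfw: 20200 Accept UDP myISP mybox in via ng0 (frag 18125:853 at 1480)
Apr 17 19:52:29 sola kernel: ipfw: 20200 Accept UDP myISP mybox in via ng0 (frag 18126:903 at 1480)
Apr 17 19:52:29 sola kernel: ipfw: 20200 Accept UDP myISP mybox in via ng0 (frag 18128:1043 at 1480)
Apr 17 19:52:29 sola kernel: ipfw: 20200 Accept UDP myISP mybox in via ng0 (frag 18129:147 at 1480)
Apr 17 19:52:29 sola kernel: ipfw: 20100 Accept UDP myISP:53 mybox:49152 in via ng0 (frag 18125:1480@0+)
Apr 17 19:52:30 sola kernel: ipfw: 20100 Accept TCP myISP:443 mybox:50000 in via ng0
Apr 17 19:52:31 sola kernel: ipfw: 20200 Accept ICMP 198.51.100.7 mybox in via ng0 (frag 4660:100@65528)
"""


def parse_line(line):
    """Return the fields of one ipfw log line as a dict, or None if it is not one.

    For fragments, "id", "len" and "off" are ints, "more" is a bool and
    "bogus" is True when offset + length exceeds the largest IPv4 datagram.
    """
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    if rec["id"] is not None:
        rec["id"] = int(rec["id"])
        rec["len"] = int(rec["len"])
        rec["off"] = int(rec["off"])
        rec["more"] = rec["more"] == "+"
        # A fragment that ends past 65535 bytes cannot come from a valid
        # datagram; such fragments only exist to provoke reassembly bugs.
        rec["bogus"] = rec["off"] + rec["len"] > IPV4_MAX_DATAGRAM
    else:
        rec["bogus"] = False
    return rec


def summarize(lines):
    """Aggregate fragment entries keyed by (rule, action, proto, src, dst, iface)."""
    summary = defaultdict(
        lambda: {"fragments": 0, "datagrams": set(), "bogus": 0, "last_sizes": []}
    )
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["id"] is None:
            continue  # not an ipfw line, or an unfragmented packet
        key = (rec["rule"], rec["action"], rec["proto"], rec["src"], rec["dst"], rec["iface"])
        entry = summary[key]
        entry["fragments"] += 1
        entry["datagrams"].add(rec["id"])
        if rec["bogus"]:
            entry["bogus"] += 1
        if not rec["more"]:
            # The last fragment tells us the reassembled datagram's total size.
            entry["last_sizes"].append(rec["off"] + rec["len"])
    return dict(summary)


if __name__ == "__main__":
    for key, entry in summarize(SAMPLE_LOG.splitlines()).items():
        rule, action, proto, src, dst, iface = key
        print(f"rule {rule} {action} {proto} {src} -> {dst} via {iface}: "
              f"{entry['fragments']} fragments, {len(entry['datagrams'])} datagrams, "
              f"sizes {entry['last_sizes']}, bogus {entry['bogus']}")
```

Run it against `grep ipfw /var/log/security` (or wherever ipfw logs land on the host) instead of the constructed sample; a summary dominated by one UDP peer pair on port 53, as in the message, shows what a blanket fragment deny would break, while any non-zero "bogus" count is worth a closer look regardless of the rule that accepted it.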

