FreeBSD Security Advisory FreeBSD-SA-14:08.tcp
Ian Smith
smithi at nimnet.asn.au
Sat May 3 03:54:10 UTC 2014
On Fri, 2 May 2014 13:05:04 -0700, Xin Li wrote:
> On 05/02/14 12:42, Ronald F. Guilmette wrote:
> > OK, so how would one block all incoming *TCP* fragments... you
> > know...
>
> There is no such TCP fragments thing.
>
> > in order to render this specific security issue a non-issue? (I
> > personally am already blocking inbound IP fragments viw ipfw.)
>
> Looking at ipfw manual it doesn't seem to have the capability to do
> TCP reassembling (or so-called traffic normalization), which as far as
> I know, is a pf-only feature on FreeBSD. If your server is behind a
> pf-based firewall or some other firewall that can do TCP reassemble,
> you can do that as well.
man ipfw
/reass
Or is that something else? I haven't used this myself.
> Please note that TCP reassemble requires more memory and CPU power and
> do not necessarily reduce the traffic hitting your server behind
> firewall, so it's a workaround and may be not a good idea for longer
> term usage.
>
> Blocking inbound IP fragments is generally a good safety measure, but
> keep in mind that doing so could break certain applications that do
> require it (e.g. don't be surprised if some user behind several layers
> of firewalls see blank pages from your website) and that needs to be
> taken into consideration.
I've always allowed frags, as per the example rulesets in rc.firewall.
I only recall seeing them on DNS responses from zen.spamhaus.org, where
I see plenty of these after a resetlog before the logging limit kicks
in. I doubt I'd be getting rid of ~90% of incoming spam without; eg:
Apr 17 19:52:29 sola kernel: ipfw: 20200 Accept UDP myISP mybox in via ng0 (frag 18125:853 at 1480)
Apr 17 19:52:29 sola kernel: ipfw: 20200 Accept UDP myISP mybox in via ng0 (frag 18126:903 at 1480)
Apr 17 19:52:29 sola kernel: ipfw: 20200 Accept UDP myISP mybox in via ng0 (frag 18128:1043 at 1480)
Apr 17 19:52:29 sola kernel: ipfw: 20200 Accept UDP myISP mybox in via ng0 (frag 18129:147 at 1480)
cheers, Ian
More information about the freebsd-security
mailing list