[Bug 267658] security/py-fail2ban: Fix PF failing to be able to ban stuff using for example UDP
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 09 Nov 2022 04:52:18 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=267658 Bug ID: 267658 Summary: security/py-fail2ban: Fix PF failing to be able to ban stuff using for example UDP Product: Ports & Packages Version: Latest Hardware: Any OS: Any Status: New Severity: Affects Many People Priority: --- Component: Individual Port(s) Assignee: cy@FreeBSD.org Reporter: firstname.lastname@example.org Assignee: cy@FreeBSD.org Flags: maintainer-feedback?(cy@FreeBSD.org) Created attachment 237962 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=237962&action=edit git diff for adding the new patch file pfctl -k <ip> never gets called, meaning the abusing IP can keep it up fast as long as the state is active. UDP, this is basically indefinitely as long as the keep the active. For TCP protocols such as HTTPS2 this means as long as the connection is up, they can continue launching attacks against the server as it is a multiplexed connection, meaning more than a single request can be made for a single TCP session. As it currently stands the current implementation relies on luck or the assumption that most people are not using it for UDP and for when it comes to TCP it is largely not being used for services with multiplexed connections. The patch allows the old insecure behaviour to be kept, but makes it secure by default. Old behavior can be kept via adding no_kick=true. This is documented in the config as well as explanation of what the choice means for either. Also while there, document how to set multiple protocols for the protocol setting. -- You are receiving this mail because: You are the assignee for the bug.