FreeBSD Security Advisory FreeBSD-SA-15:04.igmp (fwd) - ipfw fix?
Karl Pielorz
kpielorz_lst at tdx.co.uk
Thu Feb 26 09:04:21 UTC 2015
--On 25 February 2015 18:21 +0100 Remko Lodder <remko at FreeBSD.org> wrote:
> This suggests that you can filter the traffic:
>
> Block incoming IGMP packets by protecting your host/networks with a
> firewall. (Quote from the SA).
It does, but it doesn't specifically say whether ipfw on *the host that's
being protected* is sufficient
I'd imagine in some scenarios that won't work (because the host simply
receiving a malformed packet would cause issues) - so was just getting it
clarified that an ipfw rule on the vulnerable *host itself* blocking igmp
(any to any) is sufficient in this case.
i.e. You don't need a 'external' firewall sat in front of the hosts to do
that job.
-Karl
More information about the freebsd-security
mailing list