[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-20:10.ipfw
Eugene Grosbein
eugen at grosbein.net
Tue Apr 21 22:50:32 UTC 2020
22.04.2020 5:15, Ed Maste wrote:
>>> IV. Workaround
>>>
>>> No workaround is available. Systems not using the ipfw firewall are
>>> not vulnerable.
>>
>> This is not true. The problem affects only seldom used rules matching TCP packets
>> by list of TCP options (rules with "tcpoptions" keyword) and/or by TCP MSS size
>> (rules with matching "tcpmss" keyword, don't mix with "tcp-setmss" action keyword).
>
> I believe this is correct; what about this statement:
>
> No workaround is available. Systems not using the ipfw firewall, and
> systems that use the ipfw firewall but without any rules using "tcpoptions"
> or "tcpmss" keywords, are not affected.
Isn't removing rules with "tcpoptions/tcpmss" considered as work-around?
Such rules may be replaced with "ipfw netgraph" rules and processing TCP options
with NETGRAPH node ng_bpf(4). Seems as work-around to me.
More information about the freebsd-security
mailing list