[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-20:10.ipfw

Ed Maste emaste at freebsd.org
Tue Apr 21 23:55:33 UTC 2020


On Tue, 21 Apr 2020 at 18:50, Eugene Grosbein <eugen at grosbein.net> wrote:
>
> > I believe this is correct; what about this statement:
> >
> > No workaround is available.  Systems not using the ipfw firewall, and
> > systems that use the ipfw firewall but without any rules using "tcpoptions"
> > or "tcpmss" keywords, are not affected.
>
> Isn't removing rules with "tcpoptions/tcpmss" considered a work-around?
>
> Such rules may be replaced with "ipfw netgraph" rules and processing TCP options
> with NETGRAPH node ng_bpf(4). Seems like a work-around to me.

Fair enough, although I don't want to provide that as an official
suggestion in the advisory without testing and understanding the
caveats, so probably just removing the "No workaround is available."

So perhaps:
Systems not using the ipfw firewall, and systems that use the ipfw firewall
but with no rules using "tcpoptions" or "tcpmss" keywords, are not affected.


More information about the freebsd-security mailing list
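
An added example, not part of the advisory or of this thread: a shell function that checks a ruleset against the condition in the proposed wording by listing every rule that uses the "tcpoptions" or "tcpmss" keyword. The function name and the sample ruleset are constructed for illustration, and it assumes "//" only ever starts a rule comment; on a live system the input would come from `ipfw list`.

```sh
#!/bin/sh
# Report ipfw rules that use the "tcpoptions" or "tcpmss" keywords.
# Reads a ruleset in `ipfw list` format on stdin and prints one
# "<rule number> <keyword>" line per match.

affected_rules() {
    awk '
    {
        # Drop a trailing rule comment so a keyword that is only
        # mentioned in the comment text is not reported.
        sub(/\/\/.*$/, "")
        # Field 1 is the rule number; scan the remaining tokens.
        # Matching whole tokens also covers negated forms such as
        # "tcpoptions !mss" and "not tcpmss 0-500".
        for (k = 2; k <= NF; k++) {
            if ($k == "tcpoptions" || $k == "tcpmss") {
                print $1, $k
            }
        }
    }'
}

# Constructed sample ruleset (not taken from a real system).
SAMPLE_RULES='00100 allow ip from any to any via lo0
00200 deny tcp from any to any tcpoptions !mss setup
00300 allow tcp from any to any tcpmss 0-500 in
00400 allow tcp from any to me 22 // old tcpmss rule was removed
65535 deny ip from any to any'

# Demo on the sample; on a live host: ipfw list | affected_rules
printf '%s\n' "$SAMPLE_RULES" | affected_rules
```

Empty output means no rule uses either keyword, which is the "not affected" case in the wording above.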