[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-20:10.ipfw
Eugene Grosbein
eugen at grosbein.net
Wed Apr 22 09:07:51 UTC 2020
22.04.2020 6:55, Ed Maste wrote:
> On Tue, 21 Apr 2020 at 18:50, Eugene Grosbein <eugen at grosbein.net> wrote:
>>
>>> I believe this is correct; what about this statement:
>>>
>>> No workaround is available. Systems not using the ipfw firewall, and
>>> systems that use the ipfw firewall but without any rules using "tcpoptions"
>>> or "tcpmss" keywords, are not affected.
>>
>> Isn't removing rules with "tcpoptions/tcpmss" considered a workaround?
>>
>> Such rules may be replaced with "ipfw netgraph" rules and processing TCP options
>> with NETGRAPH node ng_bpf(4). Seems like a workaround to me.
>
> Fair enough, although I don't want to provide that as an official
> suggestion in the advisory without testing and understanding the
> caveats, so probably just removing the "No workaround is available."
>
> So perhaps:
> Systems not using the ipfw firewall, and systems that use the ipfw firewall
> but with no rules using "tcpoptions" or "tcpmss" keywords, are not affected.
I like it.
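
An added example, not part of this thread or the advisory: a shell check for the condition in the proposed wording, listing the rules that use the "tcpoptions" or "tcpmss" keywords. The function name and the sample ruleset are constructed for illustration; on a live system the input would be the output of `ipfw list`.

```shell
#!/bin/sh
# Added example (not from the advisory): find ipfw rules that use the
# "tcpoptions" or "tcpmss" match keywords named in the advisory text.

# affected_rules: reads ruleset text on stdin (the format printed by
# `ipfw list`, or an ipfw rules file) and prints every rule that uses one
# of the two keywords. Exit status is 0 if any rule matched, 1 otherwise.
affected_rules() {
    awk '
    {
        rule = $0
        sub(/[ \t]*\/\/.*$/, "", rule)   # drop a trailing "// comment"
        sub(/^[ \t]*#.*$/, "", rule)     # drop "#" comment lines (rule files)
        n = split(rule, tok, /[ \t]+/)
        # Compare whole tokens so a keyword inside another word is ignored.
        for (i = 1; i <= n; i++)
            if (tok[i] == "tcpoptions" || tok[i] == "tcpmss") {
                print $0
                found = 1
                break
            }
    }
    END { exit(found ? 0 : 1) }
    '
}

# Constructed sample ruleset. Rule 00300 only mentions a keyword in its
# comment, so it must not be reported.
SAMPLE_RULES='00100 allow ip from any to any via lo0
00200 deny tcp from any to any tcpoptions !mss setup
00300 allow tcp from any to me 22 // reviewed: no tcpmss match needed
00400 deny tcp from any to any tcpmss 0-500
65535 deny ip from any to any'

# Demo on the sample; on a real host use: ipfw list | affected_rules
printf '%s\n' "$SAMPLE_RULES" | affected_rules
```

An empty result with exit status 1 means no loaded rule uses either keyword, which is the "not affected" case described in the wording above.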