From: Xin Li
Reply-To: d@delphij.net
Organization: The FreeBSD Project
To: "Ronald F. Guilmette", freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:08.tcp
Date: Fri, 02 May 2014 13:05:04 -0700
Message-ID: <5363FA70.9040100@delphij.net>
In-Reply-To: <3867.1399059743@server1.tristatelogic.com>
List-Id: "Security issues [members-only posting]"

On 05/02/14 12:42, Ronald F. Guilmette wrote:
> OK, so how would one block all incoming *TCP* fragments... you
> know...

There is no such thing as TCP fragments.

> in order to render this specific security issue a non-issue? (I
> personally am already blocking inbound IP fragments via ipfw.)

Looking at the ipfw manual, it doesn't seem to have the capability to do TCP reassembly (so-called traffic normalization), which as far as I know is a pf-only feature on FreeBSD. If your server is behind a pf-based firewall or some other firewall that can do TCP reassembly, you can do that as well. Please note that TCP reassembly requires more memory and CPU power and does not necessarily reduce the traffic hitting your server behind the firewall, so it's a workaround and may not be a good idea for longer-term usage.

Blocking inbound IP fragments is generally a good safety measure, but keep in mind that doing so could break certain applications that do require it (e.g. don't be surprised if some users behind several layers of firewalls see blank pages from your website), and that needs to be taken into consideration.

Cheers,
-- 
Xin LI https://www.delphij.net/
FreeBSD - The Power to Serve!
Live free or die
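An added pf.conf fragment (not from the thread or from the FreeBSD project) showing the two pf normalization features the reply refers to, IP fragment reassembly and TCP normalization, on a pf firewall placed in front of the server; the `ext_if` macro and interface name are assumed.

```pf
# Added example, not part of the mailing-list thread.
# Assumed macro: the external interface of the pf firewall.
ext_if = "em0"

# Reassemble IP fragments before filtering, instead of dropping them the
# way an ipfw fragment-deny rule does.  Keeps fragment-dependent clients
# (the "blank pages" case in the reply) working while the host behind the
# firewall never sees raw fragments.
scrub in on $ext_if all fragment reassemble

# Statefully normalize TCP connections (pf's "traffic normalization").
# No in/out direction is given: pf requires "reassemble tcp" rules to
# see both sides of a connection.  As the reply warns, this costs the
# firewall memory and CPU and is a workaround rather than a long-term fix.
scrub on $ext_if all reassemble tcp

# For comparison, the ipfw rule the original poster's approach amounts
# to; "frag" matches fragments other than the first, which are dropped:
#   ipfw add deny ip from any to any frag
```

Load with `pfctl -nf /etc/pf.conf` first to check syntax, then `pfctl -f /etc/pf.conf`.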