22.04.2020 5:15, Ed Maste wrote:

>>> IV.  Workaround
>>>
>>> No workaround is available.  Systems not using the ipfw firewall are
>>> not vulnerable.
>>
>> This is not true. The problem affects only seldom-used rules matching TCP
>> packets by list of TCP options (rules with "tcpoptions" keyword) and/or by
>> TCP MSS size (rules with matching "tcpmss" keyword, don't mix with
>> "tcp-setmss" action keyword).
> 
> I believe this is correct; what about this statement:
> 
> No workaround is available.  Systems not using the ipfw firewall, and
> systems that use the ipfw firewall but without any rules using "tcpoptions"
> or "tcpmss" keywords, are not affected.

Isn't removing rules with "tcpoptions/tcpmss" considered a workaround?

Such rules may be replaced with "ipfw netgraph" rules and processing TCP options
with the NETGRAPH node ng_bpf(4). Seems like a workaround to me.
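An added check for administrators reading this thread (example script, not from the FreeBSD advisory or from any poster): it scans an ipfw ruleset listing for rules that use the "tcpoptions" or "tcpmss" match keywords, which the thread identifies as the affected ones, while deliberately ignoring the unrelated "tcp-setmss" action keyword. The input format is assumed to be that of `ipfw list`; the ruleset below is constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the advisory or the thread. Identifies ipfw
# rules that match on "tcpoptions" or "tcpmss" so they can be reviewed or
# replaced. Input is assumed to be the output of `ipfw list`.

# Print the rule numbers of rules using the tcpoptions or tcpmss *match*
# keywords. Each whitespace-separated token is compared whole, so the
# "tcp-setmss" action keyword (a different thing) is never reported.
affected_rules() {
    awk '
    {
        for (i = 2; i <= NF; i++) {
            if ($i == "tcpoptions" || $i == "tcpmss") { print $1; next }
        }
    }'
}

# Constructed sample ruleset in the format of `ipfw list` output.
SAMPLE_RULESET='00100 allow ip from any to any via lo0
00200 deny tcp from any to any tcpoptions !mss
00300 allow tcp from any to any tcpmss 1-500
00400 tcp-setmss 1452 tcp from any to any out via tun0
00500 allow tcp from any to any
65535 deny ip from any to any'

# Returns the affected rule numbers from the sample, space-separated.
affected_from_sample() {
    printf '%s\n' "$SAMPLE_RULESET" | affected_rules | tr '\n' ' ' | sed 's/ $//'
}

# Live usage on a FreeBSD host (as root):  ipfw list | affected_rules
affected_from_sample
```

On the sample, only rules 00200 and 00300 are reported; rule 00400 uses the tcp-setmss action and is correctly left out.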

_______________________________________________
freebsd-security@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security