Maybe a blog post about this? -- Jim
> On Sep 18, 2014, at 10:01, Jim Pingle <[email protected]> wrote:
>
>> On 9/18/2014 8:55 AM, Martin Fuchs wrote:
>> Does CVE-2004-0230 affect pfSense 2.1.5?
>
> As Vick mentions, practically the answer is 'no'.
>
> There are some rare cases when it might, however. It would require:
>
> 1. Disabled pf (System > Advanced, Firewall/NAT tab, check "Disable all
> packet filtering")
> 1a. Or the default rules were replaced by interface and floating rules
> in every direction set to 'no state'
>
> 2. The firewall is still reachable by the attacker
>
> 3. Connections are being made _to_ pfSense (not _through_ pfSense), e.g.
> local services such as the GUI, packages such as haproxy or squid, etc,
> *NOT* WAN-to-LAN or LAN-to-DMZ type connections.
>
> If all of the above are true then it may be susceptible to the attack
> described in the FreeBSD SA.
>
> I don't think I have ever witnessed a setup that met all of those
> criteria, and even those that could meet the criteria wouldn't
> necessarily have long-lived connections for which such a TCP session
> reset would have any meaningful impact.
>
> We will have the fix in 2.2 but I'm not sure if there will be another
> 2.1.x release at this time, but we'll see what happens.
>
> Jim
> _______________________________________________
> List mailing list
> [email protected]
> https://lists.pfsense.org/mailman/listinfo/list
