Justin, the article doesn't say which option causes this, so it's hard to tell. Once you do find this info, though, you might be able to do something with the pf.os file by crafting a custom entry (as far as I can tell this is the only way to match based on the TCP options field), but I've never messed with this; maybe someone can chime in here?
I'm not aware of a way to match or block a packet based on the TCP options field, which is most likely what you'd need to do this. Make sure you have rules on these routers as restrictive as possible in the meantime to mitigate your risk. It looks like their (Juniper's) policy is to only tell customers with support contracts what the specific option is that causes this.

J

On Thu, Jan 7, 2010 at 9:34 AM, Justin Credible <mista.justin.credi...@gmail.com> wrote:
> Hi There,
>
> We have OpenBSD routers running OpenBGPD at the edge of our network
> and behind that we use Juniper Firewalls running JunOS which need to
> be patched due to:
>
> http://ptresearch.blogspot.com/2010/01/juniper-junos-remote-kernel-crash-flaw.html
>
> Since we have so many Junipers it will take a while to patch them and
> will be faster for us to add some mitigating rules on the OpenBSD
> routers, I am wondering if anyone knows of a quick and simple rule
> that we can implement on OpenBSD to combat this issue?
>
> Thanks and regards,
>
> Justin