Eugene Grosbein
2020-Apr-21 22:50 UTC
[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-20:10.ipfw
22.04.2020 5:15, Ed Maste wrote:
>>> IV. Workaround
>>>
>>> No workaround is available. Systems not using the ipfw firewall are
>>> not vulnerable.
>>
>> This is not true. The problem affects only seldom used rules matching TCP packets
>> by list of TCP options (rules with "tcpoptions" keyword) and/or by TCP MSS size
>> (rules with matching "tcpmss" keyword, don't mix with "tcp-setmss" action keyword).
>
> I believe this is correct; what about this statement:
>
> No workaround is available. Systems not using the ipfw firewall, and
> systems that use the ipfw firewall but without any rules using "tcpoptions"
> or "tcpmss" keywords, are not affected.

Isn't removing rules with "tcpoptions/tcpmss" considered a workaround? Such rules may be replaced with "ipfw netgraph" rules and processing TCP options with NETGRAPH node ng_bpf(4). Seems like a workaround to me.
Ed Maste
2020-Apr-21 23:55 UTC
[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-20:10.ipfw
On Tue, 21 Apr 2020 at 18:50, Eugene Grosbein <eugen at grosbein.net> wrote:
> > I believe this is correct; what about this statement:
> >
> > No workaround is available. Systems not using the ipfw firewall, and
> > systems that use the ipfw firewall but without any rules using "tcpoptions"
> > or "tcpmss" keywords, are not affected.
>
> Isn't removing rules with "tcpoptions/tcpmss" considered a workaround?
> Such rules may be replaced with "ipfw netgraph" rules and processing TCP options
> with NETGRAPH node ng_bpf(4). Seems like a workaround to me.

Fair enough, although I don't want to provide that as an official suggestion in the advisory without testing and understanding the caveats, so probably just removing the "No workaround is available." So perhaps:

Systems not using the ipfw firewall, and systems that use the ipfw firewall but with no rules using "tcpoptions" or "tcpmss" keywords, are not affected.
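A quick way for an administrator to check whether a ruleset falls under the "affected" wording discussed above is to scan the output of `ipfw list` for the two match keywords. The script below is an added example, not part of the advisory or this thread; it assumes the standard `ipfw list` text format (rule number in the first field) and checks only the two spellings named in the thread.

```shell
#!/bin/sh
# Added example (not from the advisory or the thread): report ipfw rules that use
# the "tcpoptions" or "tcpmss" match keywords, the only rules the thread identifies
# as affected. Works on "ipfw list" output, where the first field is the rule number.
# Assumption: only these two keyword spellings are checked.

# Print the rule number of every rule whose match part uses tcpoptions or tcpmss.
# Comparing whole fields keeps the unaffected "tcp-setmss" action from being flagged.
affected_rule_numbers() {
    printf '%s\n' "$1" | awk '
        { for (i = 2; i <= NF; i++)
              if ($i == "tcpoptions" || $i == "tcpmss") { print $1; break } }'
}

# Constructed sample ruleset in "ipfw list" format (not taken from a real host).
SAMPLE_RULES='00100 allow ip from any to any via lo0
00200 deny tcp from any to any tcpoptions !mss
00300 allow tcp from any to me 22 setup
00400 tcp-setmss 1460 tcp from any to any out
00500 deny tcp from any to any tcpmss 0-535
00600 allow ip from any to any'

# Constructed ruleset that only uses the tcp-setmss action, which the thread says
# is a different keyword; nothing should be reported for it.
SAFE_RULES='00100 tcp-setmss 1460 tcp from any to any out
00200 allow ip from any to any'

if [ -n "$(affected_rule_numbers "$SAMPLE_RULES")" ]; then
    echo "rules using tcpoptions/tcpmss found:"
    affected_rule_numbers "$SAMPLE_RULES"
else
    echo "no tcpoptions/tcpmss rules; ruleset not affected per the thread"
fi
```

On a live host the same function can be fed the real ruleset with `affected_rule_numbers "$(ipfw list)"`.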