Text only | Text with Images

OPNsense Forum

Archive => 15.7 Legacy Series => Topic started by: Supermule on July 23, 2015, 09:16:13 AM

Title: DDoS Security advisory from FreeBSD
Post by: Supermule on July 23, 2015, 09:16:13 AM
Hi Franco

This is the issue when SYN ACK'ing the firewall

https://lists.freebsd.org/pipermail/freebsd-announce/2015-July/001655.html

The tests we did.
Title: Re: DDoS Security advisory from FreeBSD
Post by: franco on July 23, 2015, 09:38:41 AM
Hi Brian,

oh, I saw and did not think this was related. Thanks for mentioning this. I was looking in the wrong place then being deeply buried inside the TCP state machine.

Anybody who wants to fix this now, do:

# opnsense-update -r 15.7.4 && reboot

Official release on Friday.


Cheers,
Franco
Title: Re: DDoS Security advisory from FreeBSD
Post by: Supermule on July 23, 2015, 09:48:58 AM
When running spoofed ip's you dont get the FIN.
Title: Re: DDoS Security advisory from FreeBSD
Post by: lucifercipher on July 23, 2015, 10:35:08 AM
So for development branches, a fresh pull of ports git will do the job? What exactly is changed with the 15.7.4? I can just get that component and rebuild the test images without losing changes to my testing trees.

But then again, i can always do freebsd-update fetch and install on the development machine to get the pacthes anyway right Franco?
Title: Re: DDoS Security advisory from FreeBSD
Post by: franco on July 23, 2015, 12:30:55 PM
src.git needs a bump, not ports. Then, with tools.git, do:

# make clean-source source SETTINGS=latest

(I think you were using latest.)

Ports don't have to be recompiled for this particular fix.
Text only | Text with Images