OPNsense Forum

Archive => 15.7 Legacy Series => Topic started by: Supermule on July 23, 2015, 09:16:13 am

Title: DDoS Security advisory from FreeBSD
Post by: Supermule on July 23, 2015, 09:16:13 am

Hi Franco

This is the issue when SYN ACK'ing the firewall

https://lists.freebsd.org/pipermail/freebsd-announce/2015-July/001655.html

The tests we did.

Title: Re: DDoS Security advisory from FreeBSD
Post by: franco on July 23, 2015, 09:38:41 am

Hi Brian,

oh, I saw and did not think this was related. Thanks for mentioning this. I was looking in the wrong place then being deeply buried inside the TCP state machine.

Anybody who wants to fix this now, do:

# opnsense-update -r 15.7.4 && reboot

Official release on Friday.


Cheers,
Franco

Title: Re: DDoS Security advisory from FreeBSD
Post by: Supermule on July 23, 2015, 09:48:58 am

When running spoofed ip's you dont get the FIN.

Title: Re: DDoS Security advisory from FreeBSD
Post by: lucifercipher on July 23, 2015, 10:35:08 am

So for development branches, a fresh pull of ports git will do the job? What exactly is changed with the 15.7.4? I can just get that component and rebuild the test images without losing changes to my testing trees.

But then again, i can always do freebsd-update fetch and install on the development machine to get the pacthes anyway right Franco?

Title: Re: DDoS Security advisory from FreeBSD
Post by: franco on July 23, 2015, 12:30:55 pm

src.git needs a bump, not ports. Then, with tools.git, do:

# make clean-source source SETTINGS=latest

(I think you were using latest.)

Ports don't have to be recompiled for this particular fix.