Quote from: BigFreddy on Today at 09:07:01 AM
2) Does reinstalling the firewall [...] change SSH keys?
Quote from: newsense on Today at 09:25:48 AM
Applying the mitigation will suffice until 26.1.6 arrives, which may not happen next week if nothing else more serious needs patching in the meantime.
Quote from: FreeBSD URL
IV. Workaround
The mbuf leak can be mitigated by not rate limiting the sending of challenge
ACKs. This can be achieved with immediate effect by setting the
net.inet.tcp.ack_war_timewindow sysctl to 0:
sysctl net.inet.tcp.ack_war_timewindow=0
This mitigation does trade off the leaking of mbufs against additional
CPU/resource cost associated with responding to all challenge ACK eligible
packets received for established TCP connections.
To make this change persistent across reboots, add it to /etc/sysctl.conf.
Quote from: franco on Today at 09:31:58 AM
The timing is unfortunate. We decided to hotfix this for business users later today. The full batch of SAs includes more changes to pf than necessary (or even relevant to us) so this has to wait for 26.1.6 or you can build a kernel from https://github.com/opnsense/src/commits/stable/26.1/ directly which has all the commits.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
ECDSA Key here
Please contact your system administrator.
Add correct key in system path here/known_hosts to get rid of this message.
Offending ECDSA key in system path here/known_hosts:1
remove with:
command to remove it
ECDSA host key for IP Here has changed and you have requested strict checking.
Host key verification failed.
pkg install opnsense-filterlog
man opnsense-filterlog