DDoS Security advisory from FreeBSD

Supermule · July 23, 2015, 09:16:13 AM

Hi Franco

This is the issue when SYN ACK'ing the firewall

https://lists.freebsd.org/pipermail/freebsd-announce/2015-July/001655.html

The tests we did.

franco · July 23, 2015, 09:38:41 AM

Hi Brian,

oh, I saw and did not think this was related. Thanks for mentioning this. I was looking in the wrong place then being deeply buried inside the TCP state machine.

Anybody who wants to fix this now, do:

# opnsense-update -r 15.7.4 && reboot

Official release on Friday.

Cheers,
Franco

Supermule · July 23, 2015, 09:48:58 AM

When running spoofed ip's you dont get the FIN.

lucifercipher · July 23, 2015, 10:35:08 AM

So for development branches, a fresh pull of ports git will do the job? What exactly is changed with the 15.7.4? I can just get that component and rebuild the test images without losing changes to my testing trees.

But then again, i can always do freebsd-update fetch and install on the development machine to get the pacthes anyway right Franco?

franco · July 23, 2015, 12:30:55 PM

src.git needs a bump, not ports. Then, with tools.git, do:

# make clean-source source SETTINGS=latest

(I think you were using latest.)

Ports don't have to be recompiled for this particular fix.

DDoS Security advisory from FreeBSD

Supermule

July 23, 2015, 09:16:13 AM

franco

July 23, 2015, 09:38:41 AM #1

Supermule

July 23, 2015, 09:48:58 AM #2

lucifercipher

July 23, 2015, 10:35:08 AM #3 Last Edit: July 23, 2015, 10:39:03 AM by lucifercipher

franco

July 23, 2015, 12:30:55 PM #4