On Fri, Apr 11, 2014 at 7:39 PM, Angus Scott-Fleming <[email protected]> wrote:
> This was on the bugtraq list on Wednesday. It would be a
> Good Thing if we could block heartbeat queries to
> internal devices which may not be patched using something
> like this ...
That doesn't really work. It'll block some legit traffic, and is extremely easy to evade. Other issues with it are discussed on Full Disclosure. pf doesn't have the ability to filter the way iptables does in this config, but I wouldn't recommend it even if it did.

Security work-arounds are terrible to begin with, but if you're going to use one, there is a half-decent answer. A patched reverse proxy is the answer if you have servers that must be accessible to untrusted networks, but can't be patched immediately for whatever reason. There should be no reason not to patch at this point; everything that's a reasonable choice for an Internet-reachable server has had patches available for days.

Effectively blocking this at the firewall/network level is impossible.

_______________________________________________
List mailing list
[email protected]
https://lists.pfsense.org/mailman/listinfo/list
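The length check that a patched TLS endpoint (and therefore a patched reverse proxy placed in front of an unpatched server) applies to a heartbeat message, shown as an added Python example that is not from the original thread: it splits one TLS record off a byte string and rejects a heartbeat whose declared payload length does not fit inside the record. The record layout and the 16-byte minimum padding follow RFC 6520; the sample records are constructed for this example, and the helper names are my own. The check needs the complete, reassembled record, which is one reason a per-packet string match at the packet filter cannot stand in for it.

```python
import struct

TLS_HEARTBEAT = 24   # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST = 1
HB_RESPONSE = 2
HB_MIN_PADDING = 16  # RFC 6520: at least 16 bytes of random padding


def parse_tls_record(data):
    """Split one TLS record off the front of `data`.

    Returns (content_type, version, body, remaining_bytes).
    Raises ValueError when the header or body is truncated, which is the
    normal state of a record that has been split across TCP segments.
    """
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    content_type, version, length = struct.unpack("!BHH", data[:5])
    if len(data) < 5 + length:
        raise ValueError("truncated TLS record body")
    return content_type, version, data[5:5 + length], data[5 + length:]


def check_heartbeat(body):
    """Validate a heartbeat message body the way a patched TLS stack does.

    Returns "ok" for a well-formed message, otherwise a short reason string.
    The body must hold: 1 type byte + 2 length bytes + payload + >=16 padding.
    """
    if len(body) < 3:
        return "heartbeat body too short for type and length fields"
    hb_type = body[0]
    payload_len = struct.unpack("!H", body[1:3])[0]
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return "unknown heartbeat message type"
    if 1 + 2 + payload_len + HB_MIN_PADDING > len(body):
        # Declared payload does not fit: an unpatched peer would copy past
        # the end of the record; a patched one silently drops the message.
        return "declared payload length exceeds record"
    return "ok"


def classify_record(data):
    """Parse one record and, if it is a heartbeat, run the length check."""
    content_type, _version, body, _rest = parse_tls_record(data)
    if content_type != TLS_HEARTBEAT:
        return "not-heartbeat"
    return check_heartbeat(body)


def build_heartbeat_request(payload):
    """Constructed sample: a well-formed TLS 1.1 heartbeat request record."""
    body = bytes([HB_REQUEST]) + struct.pack("!H", len(payload)) + payload
    body += b"\x00" * HB_MIN_PADDING  # zero padding is fine for a sample
    return bytes([TLS_HEARTBEAT]) + struct.pack("!HH", 0x0302, len(body)) + body


# Constructed samples: a valid 4-byte heartbeat, the same record with its
# length field rewritten to claim 0x4000 bytes, and a handshake record.
GOOD_RECORD = build_heartbeat_request(b"ping")
BAD_RECORD = GOOD_RECORD[:6] + b"\x40\x00" + GOOD_RECORD[8:]
HANDSHAKE_RECORD = b"\x16\x03\x01\x00\x01\x00"


def summarize(records):
    """Return the verdict for each record; truncated input is reported, not raised."""
    verdicts = []
    for rec in records:
        try:
            verdicts.append(classify_record(rec))
        except ValueError as exc:
            verdicts.append("error: %s" % exc)
    return verdicts


if __name__ == "__main__":
    for name, rec in (("good", GOOD_RECORD), ("bad", BAD_RECORD),
                      ("handshake", HANDSHAKE_RECORD),
                      ("split", GOOD_RECORD[:10])):
        print("%-9s %s" % (name, summarize([rec])[0]))
```

The "split" case in the usage block is the one that matters for the firewall discussion: the first TCP segment of a legitimate record looks truncated on its own, so a filter that judges packets individually must either pass it (and miss the malformed case when the fields arrive in different segments) or drop it (and break legitimate traffic), which is the trade-off the reply describes.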
