After implementing this mangle rule yesterday, today I have:
```
Chain tcpre (1 references)
 pkts bytes target     prot opt in     out     source               destination
 109K 4632K DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcpmss match !536:65535 /* TCP SACK */
```
I have an older version of Shorewall:
shorewall-4.6.11.1-2.fc22.noarch
I found this article (#2. Firewall Rules):
https://isc.sans.edu/forums/diary/What+You+Need+To+Know+About+TCP+SACK+Panic/25046/
I add this to /etc/shorewall/mangle:
```
?COMMENT TCP SACK
INLINE:P - -
```
Many thanks Tom 😊
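As an added example (not from this thread or from Shorewall), the following POSIX shell script checks a saved `iptables -t mangle -L tcpre -n -v` listing for the low-MSS DROP rule shown above and reports how many packets it has matched. It assumes the chain name `tcpre` and the match text from the listing in this message; the second ACCEPT line in the sample is constructed to show that unrelated rules are ignored, and the script is meant to be run against real output captured on the firewall host.

```shell
#!/bin/sh
# Added example: verify that the low-MSS DROP rule is present in a saved
# mangle-table listing and extract its packet counter.
# SAMPLE_LISTING is constructed: the DROP line is the one from the thread,
# the ACCEPT line is made up and not captured from any host.
SAMPLE_LISTING='Chain tcpre (1 references)
 pkts bytes target     prot opt in     out     source               destination
 109K 4632K DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcpmss match !536:65535 /* TCP SACK */
  12   720 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22'

# find_low_mss_drop LISTING
# Prints the pkts counter of the first DROP rule that matches NEW TCP
# connections whose MSS lies outside 536:65535; exits 1 if none is present.
find_low_mss_drop() {
    printf '%s\n' "$1" | awk '
        $3 == "DROP" && $4 == "tcp" && /ctstate NEW/ && /tcpmss match !536:65535/ {
            print $1; found = 1; exit
        }
        END { if (!found) exit 1 }'
}

# counter_to_int COUNTER
# Expands the rounded K/M/G suffixes that iptables -v prints (1000-based)
# so the value can be compared numerically; use iptables -x for exact counts.
counter_to_int() {
    case "$1" in
        *K) echo $(( ${1%K} * 1000 )) ;;
        *M) echo $(( ${1%M} * 1000000 )) ;;
        *G) echo $(( ${1%G} * 1000000000 )) ;;
        *)  echo "$1" ;;
    esac
}

# rule_status LISTING
# Prints "present <pkts>" or "missing" (exit 1), so a cron job can alert
# when the mitigation rule disappears after a Shorewall restart.
rule_status() {
    pkts=$(find_low_mss_drop "$1") || { echo "missing"; return 1; }
    echo "present $(counter_to_int "$pkts")"
}

rule_status "$SAMPLE_LISTING"
```

On a live host, replace the constructed listing with `rule_status "$(iptables -t mangle -L tcpre -n -v)"`; a rising counter confirms that connections advertising a small MSS are actually being dropped rather than merely that the rule is loaded.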
-----Original Message-----
From: Tom Eastep
Sent: Friday, 21 June 2019 7:16 AM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] tcp_sack exploit
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On 6/19/19 3:21 PM, Steve Bluck wrote:
> Hi All, I'm not in a position to patch some public servers but I
> can add firewall rules. The original Netflix report
> (https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019
Hi All,
I'm not in a position to patch some public servers but I can add firewall
rules. The original Netflix report
(https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md_
) has a workaround to block connections with low MSSs for iptables but I'm at
a los
Hi,
> FYI: https://www.theregister.co.uk/2019/06/17/linux_tcp_sack_kernel_crash/
we use the following action to mitigate it.
(According to
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001/block-low-mss/iptables.txt)
```
# file: /etc/shorewall/action.SACK
```
FYI: https://www.theregister.co.uk/2019/06/17/linux_tcp_sack_kernel_crash/
___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users