Hi,

> FYI: https://www.theregister.co.uk/2019/06/17/linux_tcp_sack_kernel_crash/

we use the following action to mitigate it. (According to https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001/block-low-mss/iptables.txt)

```
# file: /etc/shorewall/action.SACK
# Drop SYN packets with small MSS to mitigate SACK attacks
?format 2
DEFAULTS DROP

?begin perl;
use Shorewall::Config;
use Shorewall::Rules;

my ( $action ) = get_action_params( 1 );

set_comment ( 'Drop SYN packets with small MSS to mitigate SACK attacks' );
perl_action_tcp_helper( $action, '-m tcpmss --mss 1:500' );

1;

?end perl;
```

```
# file: /etc/shorewall/actions
SACK inline
```

```
# file: /etc/shorewall/rules
?SECTION NEW
SACK(DROP) all all
```

Regards,
Thomas