Many thanks Tom 😊

-----Original Message-----
From: Tom Eastep <teas...@shorewall.net> 
Sent: Friday, 21 June 2019 7:16 AM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] tcp_sack exploit




On 6/19/19 3:21 PM, Steve Bluck wrote:
> Hi All, I'm not in a position to patch some public servers but I can
> add firewall rules. The original Netflix report
> (https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md)
> has a workaround to block connections with low MSSs for iptables but
> I'm at a loss to translate to Shorewall. The filters are:
>
> iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP
> ip6tables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP
>
> Would anybody be able to let me know how to craft as a Shorewall rule?

DROP    net     all     ;;+     -p tcp -m tcpmss --mss 1:500

Place that rule in both /etc/shorewall/rules and /etc/shorewall6/rules.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
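
An added example, not part of the original thread: a small Python model of which TCP headers the `-m tcpmss --mss 1:500` match in the rule above selects. It assumes the match fires only when an MSS option is present and its value lies in the range, so segments that carry no MSS option (ordinary data and ACK segments) are untouched; the function names and the sample headers are constructed for illustration.

```python
import struct

MSS_MIN, MSS_MAX = 1, 500            # the range given as "--mss 1:500"
OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2  # TCP option kinds
SYN, ACK = 0x02, 0x10                # TCP flag bits

def build_tcp_header(flags, options=b""):
    """Constructed sample input: a bare TCP header with the given options."""
    options += b"\x00" * (-len(options) % 4)   # pad options to a 32-bit boundary
    data_offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 40000, 443, 1, 0,
                       data_offset << 4, flags, 65535, 0, 0) + options

def mss_option(tcp_header):
    """Return the MSS option value, or None if it is absent or malformed."""
    if len(tcp_header) < 20:
        return None
    header_len = (tcp_header[12] >> 4) * 4
    opts = tcp_header[20:header_len]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:                    # single-byte padding option
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            return None                        # truncated option or bad length
        length = opts[i + 1]
        if kind == OPT_MSS and length == 4 and i + 4 <= len(opts):
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return None

def rule_matches(tcp_header):
    """True when the header would be selected by '-m tcpmss --mss 1:500'."""
    mss = mss_option(tcp_header)
    return mss is not None and MSS_MIN <= mss <= MSS_MAX

# Constructed samples: a typical SYN, a low-MSS SYN, and an ACK with no options.
SYN_NORMAL = build_tcp_header(SYN, b"\x02\x04" + struct.pack("!H", 1460) + b"\x01\x03\x03\x07")
SYN_LOW = build_tcp_header(SYN, b"\x01\x01\x02\x04" + struct.pack("!H", 48))
ACK_PLAIN = build_tcp_header(ACK)

if __name__ == "__main__":
    for name, hdr in [("SYN mss=1460", SYN_NORMAL), ("SYN mss=48", SYN_LOW), ("ACK", ACK_PLAIN)]:
        print(name, "DROP" if rule_matches(hdr) else "not matched by this rule")
```
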
