On Wed, Apr 09, 2014 at 01:20:35PM +0100, Fabien Bourdaire wrote:
> Following up on the CVE-2014-0160 vulnerability, heartbleed. We've
> created some iptables rules to block all heartbeat queries using the
> very powerful u32 module.
>
> The rules allow you to mitigate systems that can't yet be patched by
> blocking ALL the heartbeat handshakes. We also like the capability to
> log external scanners :)

...

> # Block rules
> iptables -t filter -A INPUT -p tcp --dport 443 -m u32 --u32 \
>   "52=0x18030000:0x1803FFFF" -j DROP

Hmm, I'm not an expert on SSL or iptables, but you seem to be making
several assumptions there, like:

* IPv4
* no IP options in packet
* no TCP options in packet
* packet not fragmented
* heartbeat message at start of packet

A hacker could easily deliberately violate any or all of those
assumptions in order to avoid your rules.

Not to mention of course that 'heartbeat' messages are not inherently
evil, only the malformed ones are.
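To make the fixed-offset point above concrete, here is an added Python example (not from either poster, and not a real capture) that emulates what the quoted u32 rule actually checks. u32 offsets count from the start of the IP header, so "52" fits a 20-byte IPv4 header followed by a 32-byte TCP header (20 bytes plus 12 bytes of options, e.g. the timestamp option). The script builds a few constructed IPv4/TCP packets carrying a TLS heartbeat record header, locates the record properly from the IHL and TCP data-offset fields, and compares that ground truth with the rule's fixed-offset read. The helper names (build_packet, u32_rule_matches, audit_rule) and the sample addresses/ports are my own assumptions.

```python
import struct

# Offset hard-coded by the quoted rule: 52=0x18030000:0x1803FFFF
FIXED_OFFSET = 52
RANGE_LO, RANGE_HI = 0x18030000, 0x1803FFFF

# Constructed TLS heartbeat record: type 0x18, version 3.2, length 19,
# heartbeat request (1), payload_length 0, 16 bytes of padding.
HEARTBEAT_RECORD = b"\x18\x03\x02\x00\x13" + b"\x01\x00\x00" + b"\x00" * 16

# Constructed 12-byte TCP timestamp option block: NOP, NOP, kind 8, len 10,
# TSval, TSecr (TSecr left at zero).
TIMESTAMP_OPTS = b"\x01\x01\x08\x0a" + struct.pack("!II", 0x0001E240, 0)


def build_packet(tcp_options: bytes, payload: bytes, ip_options: bytes = b"") -> bytes:
    """Build a minimal IPv4/TCP packet (constructed sample; checksums left zero)."""
    assert len(ip_options) % 4 == 0 and len(tcp_options) % 4 == 0
    ihl_words = (20 + len(ip_options)) // 4
    tcp_words = (20 + len(tcp_options)) // 4
    total_len = ihl_words * 4 + tcp_words * 4 + len(payload)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl_words, 0, total_len, 0, 0x4000, 64, 6, 0,
        bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]),   # TEST-NET-1 addresses
    ) + ip_options
    tcp_hdr = struct.pack(
        "!HHIIBBHHH",
        40000, 443, 1, 1, tcp_words << 4, 0x18, 65535, 0, 0,  # PSH|ACK
    ) + tcp_options
    return ip_hdr + tcp_hdr + payload


def tls_record_offset(pkt: bytes) -> int:
    """Where the TCP payload really starts: IHL plus the TCP data offset."""
    ihl = (pkt[0] & 0x0F) * 4
    data_off = (pkt[ihl + 12] >> 4) * 4
    return ihl + data_off


def is_heartbeat_record(pkt: bytes) -> bool:
    """Ground truth for the sample: payload begins with a TLS 3.x heartbeat record."""
    off = tls_record_offset(pkt)
    return len(pkt) >= off + 2 and pkt[off] == 0x18 and pkt[off + 1] == 0x03


def u32_rule_matches(pkt: bytes) -> bool:
    """Emulate the rule: the 4 bytes at a fixed offset of 52 fall in the given range."""
    if len(pkt) < FIXED_OFFSET + 4:
        return False          # u32 fails the match when the packet is too short
    word = struct.unpack_from("!I", pkt, FIXED_OFFSET)[0]
    return RANGE_LO <= word <= RANGE_HI


def audit_rule(pkt: bytes) -> dict:
    """Compare the rule's verdict with the real record position for one packet."""
    return {
        "record_offset": tls_record_offset(pkt),
        "is_heartbeat": is_heartbeat_record(pkt),
        "rule_matches": u32_rule_matches(pkt),
    }


def sample_cases() -> dict:
    """Three constructed packets: the layout the rule assumes, and two it does not."""
    return {
        "timestamp_opts": audit_rule(build_packet(TIMESTAMP_OPTS, HEARTBEAT_RECORD)),
        "no_tcp_opts": audit_rule(build_packet(b"", HEARTBEAT_RECORD)),
        "ip_opts": audit_rule(build_packet(TIMESTAMP_OPTS, HEARTBEAT_RECORD,
                                           ip_options=b"\x01" * 4)),  # 4 NOP bytes
    }


if __name__ == "__main__":
    for name, result in sample_cases().items():
        print(f"{name:15s} record at {result['record_offset']:2d} "
              f"heartbeat={result['is_heartbeat']} rule_matches={result['rule_matches']}")
```

Only the first case, where the header lengths happen to add up to 52, is seen by the rule; in the other two the same record sits at offset 40 or 56 and the rule reads unrelated header or padding bytes instead. A filter that wants to be robust has to derive the payload offset from the IHL and data-offset fields (or inspect the stream) rather than hard-code it, which is the weakness the reply above is pointing at.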
