-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 05/01/14 12:38, Ronald F. Guilmette wrote: > I also have a question.... > > If one manages a system where (a) all local user accounts are > completely and 100% trustworthy and where (b) one has in place ipfw > rules which reject all incoming packet *fragments* on all > outward-facing interfaces, then is this security problem (relating > to the reassembly queue) an issue at all for said system? Or is it > rather a non-event in such contexts? (a) doesn't matter, systems with only root user can be affected if they provide TCP service. (b) I'm not 100% sure on ipfw details (haven't used it for ~10 years now) but IP fragmentation itself have nothing to do with this issue since it's a different layer. Assuming you can't do TCP reassemble with ipfw, it's still a problem. Cheers, - -- Xin LI <[email protected]> https://www.delphij.net/ FreeBSD - The Power to Serve! Live free or die -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (FreeBSD) iQIcBAEBCgAGBQJTY86uAAoJEJW2GBstM+nsz9QQAI33s2CPVNuk1sWZ+OTdmIK9 2lDgJcVCRkDgX0MXph1CPO0NGkrXs8M7Ct3UtP91gagkkwiEZ6zO7jWK81GrEaNC zBbYUyazWUx37mPUzLHf06a0NnvLFKLkJZZMrXfxYlX/BwFArAzsXY0i+JiGzKe3 Yd686PE2k4HU2RdGzm6H0T4eN5TJgNVb0AD4LIsvFfRcNUlqB0E+wrUrMeX6mmbi 3D1RnSjmD4SV5kFsvgiE3DVpTujwcfyYOQeJyEA7GTaBx/ZNHUI1GOCkCJ34SKzW 5qHwOKwFBPTmiFCmFxALrGv9cHM4M5iykvAqdbAM3tuPyQIUBVRLBCH/BtjzIj6n tV6a7kHVNYamY8HDL3B9BLb/9EtVVNJxPLWWnOwpnhTrxBj79oxe+DCXZPCpYiy6 Od9ljRgS2GozsA0poUo3GNO7zr+mkegLVvg++GuZN2tIsOqWHhKDNQrzOxc27TP0 OHfQXkU6k34SgcVyfjSRKXUdt6ZCJ66FCZHZA7NpxDk2gyuFrYUiFXEJh90qs9QD AUpXXEznNnId+OMEnwiCb5t+4o7TvMsra0XaZfS9+Q87U0owKUT0jOBt054QYtsn IkyiyyjjB1xWtxgICuuBwK9B7D75D4if6z68pkHUsd5jptO84S7auXF1qTYlonPC LG+xvLDPTbXErzcpK+om =zQbC -----END PGP SIGNATURE----- _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "[email protected]"