Netgate Discussion Forum

    CVE-2015-1414

    General pfSense Questions
    9 Posts 5 Posters 1.7k Views

    fireball

      https://www.freebsd.org/security/advisories/FreeBSD-SA-15:04.igmp.asc

      Does this apply to Pfsense 2.2?

      Is firewalling IGMP IPv4 at the WANs adequate defense?

      Thanks.

        Nullity

        @fireball:

        https://www.freebsd.org/security/advisories/FreeBSD-SA-15:04.igmp.asc

        Does this apply to Pfsense 2.2?

        Is firewalling IGMP IPv4 at the WANs adequate defense?

        Thanks.

        I assume that firewalling should work. Your link even includes the following quote: :P

        IV.  Workaround

        Block incoming IGMP packets by protecting your host/networks with a firewall.

        Do you trust your LAN clients?

        Please correct any obvious misinformation in my posts.
        -Not a professional; an arrogant ignoramus.

          fireball

          Yes, that was why I posted the link ;)

          Probably best to firewall the LANs too.

          Thanks.

            Nullity

            @fireball:

            Yes, that was why I posted the link ;)

            Probably best to firewall the LANs too.

            Thanks.

            Better safe than sorry.

            I recently switched to a white-list/deny-by-default firewall setup for my LAN and it was a much smoother transition than I expected.

            Please correct any obvious misinformation in my posts.
            -Not a professional; an arrogant ignoramus.

              NOYB

              @Nullity:

              I recently switched to a white-list/deny-by-default firewall setup for my LAN …

              What's whitelisted? Connections in, out, both? Interested in more details please.
              Thanks

                cmb

                It's applicable, and already patched in 2.2.1 snapshots. But its applicability is very limited, where only LAN clients are generally in a position to trigger the issue. Impact is limited to a crash.

                Even with wide-open WAN firewall rules, it's likely only anyone on the same subnet of your ISP as you could trigger the issue.

                  Nullity

                  @NOYB:

                  @Nullity:

                  I recently switched to a white-list/deny-by-default firewall setup for my LAN …

                  What's whitelisted? Connections in, out, both? Interested in more details please.
                  Thanks

                  I should have just said I recently started using egress filtering… I need to learn the commonly used terms.
                  Black-list firewalling means you allow by default (the default for LAN) and must explicitly deny unwanted traffic.
                  White-list firewalling means you deny by default (the default for WAN) and must explicitly allow all traffic.

                  I have LAN and WAN set to deny everything but the traffic I specify. It sounds tedious, but it was much easier than expected. The security and privacy (misconfigured apps are less likely to leak info) improvements are worth the trouble, imo.

                  Please correct any obvious misinformation in my posts.
                  -Not a professional; an arrogant ignoramus.
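
                  The two policies discussed in this thread, the advisory's "block incoming IGMP" workaround and a deny-by-default LAN with an explicit egress whitelist, written out as a pf.conf fragment. This is an added example, not code from the thread and not pfSense's own generated ruleset (pfSense builds its rules from the GUI, so on pfSense the equivalent rules are created there rather than in pf.conf). The interface names em0/em1, the 192.168.1.0/24 LAN, the firewall's LAN address and the set of allowed services are all assumptions.

```pf
# Added example: pf.conf fragment, not from the thread or from pfSense.
# Interface names, addresses and the whitelisted services are assumptions.
ext_if    = "em0"               # WAN (assumed name)
int_if    = "em1"               # LAN (assumed name)
lan_net   = "192.168.1.0/24"    # LAN subnet (assumed)
lan_gw    = "192.168.1.1"       # firewall's LAN address; also serves DNS and NTP (assumed)
web_ports = "{ 80, 443 }"

set skip on lo0

# Deny by default, in and out, on every interface, and log what is dropped.
# pf takes the LAST matching rule, so the specific "pass" rules below win
# over this one; rules marked "quick" stop evaluation immediately.
block log all

# Drop IGMP wherever it arrives (the advisory's workaround).  On WAN this is
# already covered by "block all"; the point is LAN, where the clients that
# can send such packets actually sit.  Caveat: this also stops multicast
# group management, so anything that relies on IGMP (IPTV, multicast apps)
# will stop working behind this firewall.
block log quick proto igmp

# Drop packets whose source address does not belong on the interface.
antispoof log quick for { $ext_if $int_if }

# LAN egress whitelist: only the services the LAN is allowed to use.
# Everything else from the LAN falls through to "block log all" above.
pass in quick on $int_if proto { tcp, udp } from $lan_net to $lan_gw port 53   # DNS to the firewall
pass in quick on $int_if proto udp          from $lan_net to $lan_gw port 123  # NTP to the firewall
pass in quick on $int_if proto tcp          from $lan_net to any     port $web_ports
pass in quick on $int_if inet proto icmp    from $lan_net to any     icmp-type echoreq

# FreeBSD's default state-policy is floating, so a flow passed in on LAN
# matches its own state when it leaves on WAN; no "pass out" rule for LAN
# traffic is needed.  NAT is omitted here for brevity.

# WAN: nothing inbound is passed (the default on WAN, as Nullity says);
# the firewall itself may still originate DNS, NTP and HTTP(S) traffic.
pass out quick on $ext_if proto { tcp, udp } from ($ext_if) to any port { 53, 123, 80, 443 }
```

                  Check the syntax without loading it with `pfctl -nf /etc/pf.conf`. Because every block rule carries `log`, each dropped packet is written to pflog (the firewall log on pfSense), which is what makes the chatter on a LAN visible once deny-by-default is in place; adding a service to the whitelist is then a matter of reading what was dropped and deciding whether it should have been.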

                    fearnothing

                    @Nullity:

                    I have LAN and WAN set to deny everything but the traffic I specify. It sounds tedious, but it was much easier than expected. The security and privacy (misconfigured apps are less likely to leak info) improvements are worth the trouble, imo.

                    You also get to see just how spammy some of the stuff on your network really is, if you have logging turned on.

                    My printer seems to think the network is ice cream which is badly in need of its UPnP chocolate sprinkles.

                      Nullity

                      @fearnothing:

                      @Nullity:

                      I have LAN and WAN set to deny everything but the traffic I specify. It sounds tedious, but it was much easier than expected. The security and privacy (misconfigured apps are less likely to leak info) improvements are worth the trouble, imo.

                      You also get to see just how spammy some of the stuff on your network really is, if you have logging turned on.

                      My printer seems to think the network is ice cream which is badly in need of its UPnP chocolate sprinkles.

                      lol. Yeah, some iOS devices were leaking some reasonably private information in plain-text. I have a love-hate relationship with UPnP, but I think most of us do.

                      That reminds me… I really need to set up a remote syslog service to send all my logs to.

                      Please correct any obvious misinformation in my posts.
                      -Not a professional; an arrogant ignoramus.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.