CVE-2015-1414

fireball

https://www.freebsd.org/security/advisories/FreeBSD-SA-15:04.igmp.asc

Does this apply to Pfsense 2.2?

Is firewalling  IGMP IPv4 at the WANs adequate defense?

Thanks.

Nullity

@fireball:

https://www.freebsd.org/security/advisories/FreeBSD-SA-15:04.igmp.asc

Does this apply to Pfsense 2.2?

Is firewalling  IGMP IPv4 at the WANs adequate defense?

Thanks.

I assume that firewalling should work. Your link even includes the following quote:  :P

IV.  Workaround

Block incoming IGMP packets by protecting your host/networks with a firewall.

Do you trust you LAN clients?

fireball

Yes, that was why I posted the link  ;)

Probably best to firewall the LANs too.

Thanks.

Nullity

@fireball:

Yes, that was why I posted the link  ;)

Probably best to firewall the LANs too.

Thanks.

Better safe than sorry.

I recently switched to a white-list/deny-by-default firewall setup for my LAN and it was a much smoother transition than I expected.

NOYB

@Nullity:

I recently switched to a white-list/deny-by-default firewall setup for my LAN …

What's whitelisted?  Connection in, out, both?  Interested in more details please.
Thanks

cmb

It's applicable, and already patched in 2.2.1 snapshots. But its applicability is very limited, where only LAN clients are generally in a position to trigger the issue. Impact is limited to a crash.

Even with wide-open WAN firewall rules, it's likely only anyone on the same subnet of your ISP as you could trigger the issue.

Nullity

@NOYB:

@Nullity:

I recently switched to a white-list/deny-by-default firewall setup for my LAN …

What's whitelisted?  Connection in, out, both?  Interested in more details please.
Thanks

I should have just said I recently started using egress filtering… I need to use learn the commonly used terms.
Black-list firewalling means you allow by default (the default for LAN) and must explicitly deny unwanted traffic.
White-list firewalling means you deny by default (the default for WAN) and must explicitly allow all traffic.

I have LAN and WAN set to deny everything but the traffic I specify. It sounds tedious, but it was much easier than expected. The security and privacy (misconfigured apps are less likely to leak info) improvements are worth the trouble, imo.

fearnothing

@Nullity:

I have LAN and WAN set to deny everything but the traffic I specify. It sounds tedious, but it was much easier than expected. The security and privacy (misconfigured apps are less likely to leak info) improvements are worth the trouble, imo.

You also get to see just how spammy some of the stuff on your network really is, if you have logging turned on.

My printer seems to think the network is icecream which is badly in need of its UPnP chocolate sprinkles.

Nullity

@fearnothing:

@Nullity:

I have LAN and WAN set to deny everything but the traffic I specify. It sounds tedious, but it was much easier than expected. The security and privacy (misconfigured apps are less likely to leak info) improvements are worth the trouble, imo.

You also get to see just how spammy some of the stuff on your network really is, if you have logging turned on.

My printer seems to think the network is icecream which is badly in need of its UPnP chocolate sprinkles.

lol. Yeah, some iOS devices were leaking some reasonably private information in plain-text. I have a love-hate relationship with UPnP, but I think most of us do.

That reminds me… I really need to setup a remote syslog service to send all my logs to.