mailing list archives
Re: TCP Connections to a Broadcast Address on BSD-Based Systems
From: David Maxwell <david () fundy net>
Date: Thu, 21 Mar 2002 16:11:45 -0400
-----BEGIN PGP SIGNED MESSAGE-----
On Saturday, Mar 16th, Crist J. Clark sent a message to the bugtraq
list, with the subject 'TCP Connections to a Broadcast Address on
Foremost, the NetBSD Security-Officer Team would like to thank Crist for
following the bugtraq-recommended proceedure by contacting the affected
vendors and giving time to reply before posting. Crist's message did
start internal discussion about the issue, and vulnerability testing,
but unfortunately, we managed to fail to send Crist a reply.
The NetBSD Security-Officer Team is putting additional tools in place to
track correspondence, and ensure that this does not happen again. Mail
sent to security-officer () netbsd org should receive a human response
within 24 hours.
We will release a formal NetBSD Security Advisory for this issue. The
Advisory will preceed pullups of code to the NetBSD 1.4 and 1.5 release
branches, since a workaround is available without them. Connections to
broadcast addresses can be blocked with ipfilter rules, such as:
block in quick on fxp0 from any to 192.168.1.0/32
block in quick on fxp0 from any to 192.168.1.255/32
Use rules like these for the case where fxp0 is the interface you desire
to block on, and the only address on the interface is in the subnet
192.168.1.0/24. Rules like this should be repeated for each subnet on
the interface, for each interface of concern on the host.
Lastly, these rules are needed only on a host where it is intended that
a particular service is available on some interfaces and not others.
Where possible, use a daemon with the facility to bind only to specified
interfaces, and add filter rules as a second layer of protection, if
We recommend reviewing current filter rules to ensure they cover the
intended security model for the networks the host participates in.
The NetBSD Security-Officer Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (NetBSD)
Comment: For info see http://www.gnupg.org
-----END PGP SIGNATURE-----