On Saturday, Mar 16th, Crist J. Clark sent a message to the bugtraq list, with the subject 'TCP Connections to a Broadcast Address on BSD-Based Systems'.

Foremost, the NetBSD Security-Officer Team would like to thank Crist for following the bugtraq-recommended procedure by contacting the affected vendors and giving them time to reply before posting. Crist's message did start internal discussion about the issue, and vulnerability testing, but unfortunately, we managed to fail to send Crist a reply. The NetBSD Security-Officer Team is putting additional tools in place to track correspondence, and ensure that this does not happen again. Mail sent to security-officer@netbsd.org should receive a human response within 24 hours.

We will release a formal NetBSD Security Advisory for this issue. The Advisory will precede pullups of code to the NetBSD 1.4 and 1.5 release branches, since a workaround is available without them.

Connections to broadcast addresses can be blocked with ipfilter rules, such as:

    block in quick on fxp0 from any to 192.168.1.0/32
    block in quick on fxp0 from any to 192.168.1.255/32

Use rules like these for the case where fxp0 is the interface you desire to block on, and the only address on the interface is in the subnet 192.168.1.0/24. Rules like this should be repeated for each subnet on the interface, for each interface of concern on the host.

Lastly, these rules are needed only on a host where it is intended that a particular service is available on some interfaces and not others. Where possible, use a daemon with the facility to bind only to specified interfaces, and add filter rules as a second layer of protection, if desired. We recommend reviewing current filter rules to ensure they cover the intended security model for the networks the host participates in.
The NetBSD Security-Officer Team
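The message says the two rules above must be repeated for every subnet on every interface. As an added example (not part of the original message or of NetBSD's own tooling), the following Python script generates that rule set from a list of (interface, subnet) pairs, blocking both the all-zeros network address and the all-ones broadcast address of each subnet as the message's rules do; the interface names and subnets in INTERFACES are constructed placeholders.

```python
import ipaddress

# Constructed sample inventory of (interface, subnet) pairs for one host.
# Placeholder values; not taken from the original message.
INTERFACES = [
    ("fxp0", "192.168.1.0/24"),
    ("fxp0", "10.0.0.0/22"),
    ("fxp1", "172.16.5.64/26"),
]


def broadcast_block_rules(interfaces):
    """Return ipfilter 'block in quick' rules for the network address and the
    directed-broadcast address of every IPv4 subnet on every interface.

    Both addresses are blocked, matching the two rules in the message
    (192.168.1.0/32 and 192.168.1.255/32 for 192.168.1.0/24).
    """
    rules = []
    for ifname, cidr in interfaces:
        # strict=True rejects a subnet whose host bits are set, so a typo in
        # the inventory fails loudly instead of producing a wrong rule.
        net = ipaddress.ip_network(cidr, strict=True)
        if net.version != 4 or net.prefixlen >= 31:
            # No directed-broadcast address on IPv6 or on /31 and /32 links.
            continue
        for addr in (net.network_address, net.broadcast_address):
            rules.append(f"block in quick on {ifname} from any to {addr}/32")
    return rules


if __name__ == "__main__":
    print("\n".join(broadcast_block_rules(INTERFACES)))
```

Pipe the output into the host's ipf rules file after reviewing it against the interface configuration; a service that should be reachable on an interface still needs its daemon bound to that interface's unicast address.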