[170832] in North American Network Operators' Group

Re: CVE-2014-0160 mitigation using iptables

daemon@ATHENA.MIT.EDU (Nick Hilliard)
Thu Apr 10 06:13:45 2014

X-Envelope-To: nanog@nanog.org
Date: Thu, 10 Apr 2014 11:12:40 +0100
From: Nick Hilliard <nick@foobar.org>
To: Fabien Bourdaire <lists@ecsc.co.uk>, nanog@nanog.org
In-Reply-To: <53451BE8.8060609@ecsc.co.uk>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On 09/04/2014 11:07, Fabien Bourdaire wrote:
> Following up on the CVE-2014-0160 vulnerability, heartbleed. We've
> created some iptables rules to block all heartbeat queries using the
> very powerful u32 module.

as someone pointed out on the UKNOF mailing list yesterday, you make a
number of assumptions in this ruleset which are not necessarily valid.

Please do not claim that this ruleset blocks all heartbeat queries because
it does not.

Nick
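To make the disagreement above concrete, here is an added illustration that is not part of this thread and does not reproduce the ruleset Fabien posted. It assumes (as an assumption about that ruleset, since the rules themselves are not quoted here) that a u32-style rule is a stateless match on a fixed byte position in each packet, where the TLS record type 0x18 is expected to sit directly after 20-byte IPv4 and TCP headers. The script builds a few constructed packets and compares that fixed-offset check against a parser that walks every TLS record in the segment. All packets, ports and addresses are made up and nothing is sent on the wire.

```python
"""Why a fixed-offset packet match is not a reliable heartbeat filter.

Added example, not from the NANOG thread. `fixed_offset_match` stands in for
a u32-style stateless rule (an assumption about how such rules work, not a
copy of any posted rule); `record_aware_match` shows what a TLS-aware check
has to do instead. Every packet below is constructed in-process.
"""
import struct

TLS_HEARTBEAT = 0x18          # TLS content type for heartbeat records (RFC 6520)
TLS_APPLICATION_DATA = 0x17
TLS_1_2 = 0x0303


def tls_record(content_type, body, version=TLS_1_2):
    """Frame one TLS record: type (1 byte), version (2), length (2), body."""
    return struct.pack("!BHH", content_type, version, len(body)) + body


def heartbeat_body(payload):
    """Well-formed HeartbeatRequest: declared length equals real length, plus padding."""
    return struct.pack("!BH", 1, len(payload)) + payload + b"\x00" * 16


def ipv4_tcp_packet(payload, ip_options=b"", tcp_options=b""):
    """Minimal IPv4 + TCP framing around a payload (checksums left at zero)."""
    assert len(ip_options) % 4 == 0 and len(tcp_options) % 4 == 0
    ihl = 5 + len(ip_options) // 4                 # IPv4 header length in 32-bit words
    data_offset = 5 + len(tcp_options) // 4        # TCP header length in 32-bit words
    total_len = ihl * 4 + data_offset * 4 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, total_len, 0, 0, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + ip_options
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          44321, 443, 1, 1, data_offset << 4, 0x18, 65535, 0, 0) + tcp_options
    return ip_hdr + tcp_hdr + payload


def fixed_offset_match(packet):
    """Stateless check: assume 20-byte IP and TCP headers, so the TLS record header
    starts at byte 40, and test only that one position for type 0x18 / version 3.x."""
    return len(packet) >= 43 and packet[40] == TLS_HEARTBEAT and packet[41] == 0x03


def record_aware_match(packet):
    """Find the payload from the real header lengths, then walk every TLS record in it.

    Returns True if any record header in this segment is a heartbeat, False if the
    segment starts on a record boundary and contains no heartbeat header, and None
    when the segment does not begin at a record boundary (the header is in another
    segment, so only stream reassembly can answer the question).
    """
    ihl = (packet[0] & 0x0F) * 4
    data_offset = (packet[ihl + 12] >> 4) * 4
    payload = packet[ihl + data_offset:]
    pos = 0
    while pos < len(payload):
        if pos + 5 > len(payload):
            return None
        ctype, version, length = struct.unpack_from("!BHH", payload, pos)
        if version >> 8 != 0x03:
            return None                            # mid-record bytes, not a header
        if ctype == TLS_HEARTBEAT:
            return True
        pos += 5 + length
    return False


# Constructed samples: a benign heartbeat record and an application-data record.
HB = tls_record(TLS_HEARTBEAT, heartbeat_body(b"ping"))
APP = tls_record(TLS_APPLICATION_DATA, b"\xaa" * 32)
TCP_TIMESTAMPS = b"\x01\x01\x08\x0a" + b"\x00" * 8   # NOP, NOP, timestamp option (12 bytes)

SAMPLES = {
    "heartbeat first, no options": ipv4_tcp_packet(HB),
    "heartbeat first, tcp timestamps": ipv4_tcp_packet(HB, tcp_options=TCP_TIMESTAMPS),
    "app data then heartbeat": ipv4_tcp_packet(APP + HB),
    "tail of a record only": ipv4_tcp_packet(HB[20:]),
}


def compare(samples=SAMPLES):
    """Map each sample name to (fixed_offset_result, record_aware_result)."""
    return {name: (fixed_offset_match(p), record_aware_match(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (fixed, aware) in compare().items():
        print(f"{name:35s} fixed-offset={fixed!s:5s} record-aware={aware}")
```

Only the first sample satisfies the fixed-offset check; TCP options shift the payload, a preceding record in the same segment moves the heartbeat header, and a record split across segments leaves no header in the second packet at all. The record-aware parser recovers the first two cases and explicitly reports the third as undecidable without reassembly, which is the situation a packet filter that sees one segment at a time cannot handle. Note too that once a session is encrypted only the record type byte is visible, so nothing at this layer can tell a well-formed heartbeat from a malformed one; blocking on the record type is a blunt mitigation and patching OpenSSL remains the real fix.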


