FreeBSD pf Duplicate Rule Ignoring Vulnerability

Vulnerability

A vulnerability has been identified in the pf packet filter in FreeBSD: certain rules are silently ignored when a ruleset is loaded, which can result in either over-blocking or under-blocking of network traffic. The issue affects FreeBSD 14.x and 15.0 and stems from a regression in how rules containing address ranges are hashed. When several rules hash as duplicates, only the first is loaded and the subsequent ones are dropped without any error. Rules using certain action keywords can also be affected, although this is less likely.

Impact

Because pf drops the affected rules, the loaded ruleset no longer matches the intended policy: traffic that should have been blocked may be allowed through, and connections that should have been permitted may be blocked.

Remediation

Update the FreeBSD system to a version that includes the fix. The FreeBSD Security Advisory gives instructions for updating with the pkg utility, with the freebsd-update utility, or by applying a source code patch.

Added: Apr 1, 2026, 7:19 AM
Updated: Apr 1, 2026, 7:19 AM

Vulnerability Rating (custom algorithm)

spread: 5.4
impact: 1.3
exploitability: 4.4
remediation: 8.3
relevance: 5.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.