Date: Fri, 13 Apr 2001 00:06:59 -0700
From: Steve Reid
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:31.ntpd

On Thu, Apr 12, 2001 at 01:58:21PM -0700, FreeBSD Security Advisories wrote:
> IV. Workaround
>
> Disable the ntpd daemon using the following command:

None of the advisories I've seen released (FreeBSD or otherwise) have listed "restrict" directives in ntp.conf as a workaround. Is this because it is not sufficient, or are the people writing the advisories not aware of it, or other?

Restricting by address is subject to spoofing of course, but is there any reason "restrict default noquery nomodify notrap nopeer" would not be sufficient to protect a typical NTP client while still allowing it to receive time service?
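
A check for the default restriction asked about above, as an added example that is not part of the original message: it parses ntp.conf text, reports which of the four flags named in the message are absent from the `restrict default` entry, and lists the address-specific entries that still permit queries and so rest on the source address. The sample configuration and the function names are constructed for illustration; the check does not settle whether the restriction is a sufficient workaround.

```python
# Added example: audit ntp.conf text for the default restriction quoted in the message.
REQUIRED = {"noquery", "nomodify", "notrap", "nopeer"}  # flags named in the message

# Constructed sample configuration (not from the message or the advisory).
SAMPLE = """\
server ntp.example.org
restrict default noquery nomodify notrap   # nopeer missing
restrict 127.0.0.1
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap
restrict 198.51.100.7 noquery
"""

def parse_restrict(conf_text):
    """Return a list of (address, flags) for every 'restrict' line."""
    entries = []
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()   # drop trailing comments
        if not tokens or tokens[0] != "restrict":
            continue
        args = tokens[1:]
        if args and args[0] in ("-4", "-6"):    # address-family selector in newer ntpd
            args = args[1:]
        if not args:
            continue
        address, rest = args[0], args[1:]
        if len(rest) >= 2 and rest[0] == "mask":  # 'mask <netmask>' belongs to the address
            address, rest = f"{address}/{rest[1]}", rest[2:]
        entries.append((address, set(rest)))
    return entries

def audit(conf_text):
    """Report missing default flags and entries that trust a source address for queries."""
    entries = parse_restrict(conf_text)
    defaults = [flags for addr, flags in entries if addr == "default"]
    missing = set() if defaults else set(REQUIRED)  # no default entry: nothing restricted
    for flags in defaults:
        if "ignore" not in flags:                   # 'ignore' denies every packet type
            missing |= REQUIRED - flags
    exceptions = [addr for addr, flags in entries
                  if addr != "default" and not flags & {"noquery", "ignore"}]
    return {"missing_default_flags": sorted(missing),
            "query_allowed_from": exceptions}

if __name__ == "__main__":
    print(audit(SAMPLE))
```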