Date: Fri, 13 Apr 2001 08:07:27 -0400
From: "Drew Derbyshire" <software@kew.com>
To: "Steve Reid" <sreid@sea-to-sky.net>
Cc: <freebsd-security@freebsd.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:31.ntpd
Message-ID: <004601c0c412$4ea81e70$94cba8c0@hh.kew.com>
References: <200104122058.f3CKwLe45352@freefall.freebsd.org> <20010413000659.A88148@grok.bc.hsia.telus.net>

From: "Steve Reid" <sreid@sea-to-sky.net>

> None of the advisories I've seen released (FreeBSD or otherwise) have
> listed "restrict" directives in ntp.conf as a workaround. Is this
> because it is not sufficient, or are the people writing the advisories
> not aware of it, or other?
>
> Restricting by address is subject to spoofing of course, IMHO ...

I believe the comment in the advisory that specifically points out spoofing is a problem is why restrict is not listed as a workaround. The official workarounds have to be bulletproof.

> but is there
> any reason "restrict default noquery nomodify notrap nopeer" would not
> be sufficient to protect a typical NTP client while still allowing it
> to receive time service?

If you are using restrict, why not a simple ignore on the restrict? Was this a recent addition to the configuration? (It is in the version shipped with FreeBSD 4.1)

-ahd-

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message