From owner-freebsd-security Fri Apr 13 14:29: 0 2001
Delivered-To: freebsd-security@freebsd.org
Received: from grok.example.net (a0g1355ly34tj.bc.hsia.telus.net [216.232.252.235])
	by hub.freebsd.org (Postfix) with ESMTP id AC0D337B443
	for ; Fri, 13 Apr 2001 14:28:56 -0700 (PDT)
	(envelope-from sreid@sea-to-sky.net)
Received: by grok.example.net (Postfix, from userid 1000)
	id 25E2421334A; Fri, 13 Apr 2001 14:28:56 -0700 (PDT)
Date: Fri, 13 Apr 2001 14:28:56 -0700
From: Steve Reid
To: Drew Derbyshire
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:31.ntpd
Message-ID: <20010413142855.B88148@grok.bc.hsia.telus.net>
References: <200104122058.f3CKwLe45352@freefall.freebsd.org> <20010413000659.A88148@grok.bc.hsia.telus.net> <004601c0c412$4ea81e70$94cba8c0@hh.kew.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.4i
In-Reply-To: <004601c0c412$4ea81e70$94cba8c0@hh.kew.com>; from Drew Derbyshire on Fri, Apr 13, 2001 at 08:07:27AM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Apr 13, 2001 at 08:07:27AM -0400, Drew Derbyshire wrote:
> If you are using restrict, why not a simple ignore on the restrict?

Because I wasn't sure it would work properly. From the ntp.conf man page:

     ignore  Ignore all packets from hosts which match this entry. If
             this flag is specified neither queries nor time server
             polls will be responded to.

This is why I don't grok ntp configuration. It says "Ignore all packets".
To me that means ignore all packets - including responses to the queries
that we send out. But it then explicitly lists "neither queries nor time
server polls", which doesn't sound like "all packets", and so I am
confused.

I used "noquery nomodify notrap nopeer" because it looked like they would
block off all unnecessary functionality while still allowing responses to
the queries we send out.

> Was this a recent addition to the configuration?  (It is in the
> version shipped with FreeBSD 4.1)

As far as I can remember, 4.1 does not include any ntp.conf file at all.
This kind of makes sense, as NTP users are supposed to pick time servers
near to them.
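Added example, not part of the original message or of ntpd: a small Python check that reads ntp.conf text and reports how its restrict lines compare with the two approaches discussed in the thread (a default of "ignore" versus "noquery nomodify notrap nopeer"). The function names, the sample configurations and the 192.0.2.x addresses are constructed for illustration. It assumes that "ignore" drops replies from configured servers as well, and it matches server and restrict addresses as literal strings only (no netmask or DNS handling).

```python
# Flags the message applied instead of "ignore".
HARDENING = {"noquery", "nomodify", "notrap", "nopeer"}

def parse(conf):
    """Return ({address: flags}, [server hosts]) from ntp.conf text."""
    restrict, servers = {}, []
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()   # strip comments, tokenize
        if len(tok) < 2:
            continue
        if tok[0] == "restrict":
            flags = tok[2:]
            if flags[:1] == ["mask"]:        # drop "mask <netmask>"
                flags = flags[2:]
            restrict.setdefault(tok[1], set()).update(flags)
        elif tok[0] in ("server", "peer"):
            servers.append(tok[1])
    return restrict, servers

def audit(conf):
    """List findings about the restrict policy; an empty list means none."""
    restrict, servers = parse(conf)
    default = restrict.get("default")
    if default is None:
        return ["no 'restrict default' entry: unlisted hosts are unrestricted"]
    if "ignore" not in default:
        missing = sorted(HARDENING - default)
        return ["default entry lacks: " + ", ".join(missing)] if missing else []
    # Assumption: under a default of "ignore", replies from our own servers
    # are dropped too unless a more specific entry without "ignore" exists.
    return [f"{h}: replies fall under default ignore"
            for h in servers if "ignore" in restrict.get(h, {"ignore"})]

# Constructed sample configurations (documentation addresses, not from the thread).
FLAGS_DEFAULT = """
server 192.0.2.10
restrict default noquery nomodify notrap nopeer
"""
IGNORE_DEFAULT = """
server 192.0.2.10
server 192.0.2.11
restrict default ignore
restrict 192.0.2.10 noquery nomodify notrap
"""

if __name__ == "__main__":
    for name, conf in (("flags", FLAGS_DEFAULT), ("ignore", IGNORE_DEFAULT)):
        print(name, audit(conf) or "no findings")
```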