From: "Crist Clark" <crist.clark@globalstar.com>
Organization: Globalstar LP
Date: Fri, 13 Apr 2001 14:45:12 -0700
To: Steve Reid
Cc: Drew Derbyshire, freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:31.ntpd

Steve Reid wrote:
>
> On Fri, Apr 13, 2001 at 08:07:27AM -0400, Drew Derbyshire wrote:
> > If you are using restrict, why not a simple ignore on the restrict?
>
> Because I wasn't sure it would work properly. From the ntp.conf man
> page:
>
>     ignore  Ignore all packets from hosts which match this entry. If
>             this flag is specified neither queries nor time server
>             polls will be responded to.
>
> This is why I don't grok ntp configuration. It says "Ignore all
> packets". To me that means ignore all packets - including responses to
> the queries that we send out. But it then explicitly lists "neither
> queries nor time server polls", which doesn't sound like "all packets",
> and so I am confused.

No, it really means all packets.
I think you might be confused about the algorithm to determine
restrictions. The way to go is,

    restrict default ignore
    restrict noquery nomodify
    ...
    restrict
    ...
    restrict nomodify nopeer

That is, set the default to restrict and then explicitly allow access
from other machines or networks. In this case, 'servers' can be queried
by us, but they cannot modify or query us. Peers have full access. And a
network of clients can query, but we will not peer to them or let them
modify our state.

I had trouble grokking this at first as well. However, it was because the
docs talk about how the 'default' entry is always evaluated first. It
took a minute to set in that the _entire list_ is always searched from
least specific to most specific (w.r.t. netmask) and the last match
wins. I'm so used to match-and-out lists, I scratched my head for a
while trying to figure how anything got past the default entry if it was
first.
-- 
Crist J. Clark                                Network Security Engineer
crist.clark@globalstar.com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926
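The evaluation rule described in the reply above (the whole restrict list is searched, least specific netmask first, the last match wins, and `ignore` drops everything) as an added example: a small Python model that is not part of the post and not ntpd's own code. The config lines, addresses and helper names are constructed for illustration.

```python
# Added example: model of ntpd-style "restrict" evaluation as described
# in the thread (not ntpd source). Addresses below are constructed.
import ipaddress

def parse_restrict(conf):
    """Parse 'restrict <addr> [mask <mask>] [flags...]' lines into
    (network, flags) tuples, sorted least specific first so that the
    'default' (0.0.0.0/0) entry is always examined first."""
    entries = []
    for line in conf.splitlines():
        toks = line.split("#")[0].split()
        if len(toks) < 2 or toks[0] != "restrict":
            continue
        if toks[1] == "default":
            net, flags = ipaddress.ip_network("0.0.0.0/0"), toks[2:]
        elif len(toks) > 3 and toks[2] == "mask":
            net = ipaddress.ip_network(f"{toks[1]}/{toks[3]}", strict=False)
            flags = toks[4:]
        else:
            net, flags = ipaddress.ip_network(f"{toks[1]}/32"), toks[2:]
        entries.append((net, frozenset(flags)))
    entries.sort(key=lambda e: e[0].prefixlen)   # stable: ties keep order
    return entries

def effective_flags(entries, host):
    """Walk the ENTIRE list; the last matching entry wins, so a specific
    host/network entry overrides the default rather than being shadowed."""
    addr = ipaddress.ip_address(host)
    winner = frozenset()
    for net, flags in entries:
        if addr in net:
            winner = flags
    return winner

def allowed(entries, host, action):
    """Is <action> ('query', 'modify', 'peer', ...) permitted for host?
    'ignore' refuses every packet; otherwise 'no<action>' refuses it."""
    flags = effective_flags(entries, host)
    return "ignore" not in flags and f"no{action}" not in flags

# Constructed config mirroring the post's pattern: deny by default, then
# open up a server we poll, a peer, and a client network.
SAMPLE_CONF = """
restrict default ignore
restrict 192.0.2.10 noquery nomodify                      # our time server
restrict 192.0.2.20                                       # a peer: full access
restrict 198.51.100.0 mask 255.255.255.0 nomodify nopeer  # client network
"""
ENTRIES = parse_restrict(SAMPLE_CONF)
```

Because the list is sorted by netmask before evaluation, writing `restrict default ignore` last in the file gives the same results as writing it first.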