Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 16 Mar 2014 07:21:28 +0000
From:      "Poul-Henning Kamp" <phk@phk.freebsd.dk>
To:        Julian Elischer <julian@freebsd.org>
Cc:        freebsd-security@freebsd.org, Fabian Wenk <fabian@wenks.ch>
Subject:   Re: NTP security hole CVE-2013-5211?
Message-ID:  <34939.1394954488@critter.freebsd.dk>
In-Reply-To: <5323C244.8050101@freebsd.org>
References:  <B0F3AA0A-2D23-424B-8A79-817CD2EBB277@FreeBSD.org> <52CEAD69.6090000@grosbein.net> <81785015-5083-451C-AC0B-4333CE766618@FreeBSD.org> <52CF82C0.9040708@delphij.net> <CAO82ECEsS-rKq7A-9w7VuxKpe_c_f=tvZQoRKgHEfi-yPdNeGQ@mail.gmail.com> <86d2jud85v.fsf@nine.des.no> <52D7A944.70604@wenks.ch> <201403141700.LAA21140@mail.lariat.net> <5323C244.8050101@freebsd.org>

next in thread | previous in thread | raw e-mail | index | archive | help
In message <5323C244.8050101@freebsd.org>, Julian Elischer writes:

>the best solution is to add a firewall stateful rule so that the ONLY 
>port 123 udp packet that gets in is one that is a response to one you 
>sent out first.

And to deny any packet which is too short:

	deny udp from any to any dst-port 123 iplen 0-75

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?34939.1394954488>