Date:      Thu, 20 Mar 2014 13:24:30 -0700
From:      "Ronald F. Guilmette" <rfg@tristatelogic.com>
To:        freebsd-security@freebsd.org
Subject:   Re: NTP security hole CVE-2013-5211?
Message-ID:  <45066.1395347070@server1.tristatelogic.com>
In-Reply-To: <742A1A10-15BF-433A-8693-CA2DD1DE0501@mac.com>


In message <742A1A10-15BF-433A-8693-CA2DD1DE0501@mac.com>, 
Charles Swiger <cswiger@mac.com> wrote:

>> Of course, if this *is* messed up, then I guess that I'll have to remove
>> my firewall rule, and diddle my /etc/ntp.conf file at the same time, in
>> order to make sure that the Evil Ones don't come back and use & abuse me
>> again.
>
>OK, although you're making this more complicated than it needs to be.
>
>If you don't want to provide NTP service to the outside world, leave your existing
>deny rule in place but add permit rules to allow UDP traffic to and from the
>NTP servers which you want to sync time from.

OK, but I wonder what the best way to do that is.

Here are some lines from my /etc/ntp.conf file that would seem to be relevant:

server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
server 2.freebsd.pool.ntp.org iburst

Is it possible that the three host names given in these lines may possibly
become associated with various *different* IPv4 addresses, over time?  I
would guess so, else why use host names, rather than fixed IPv4 dotted
quad addresses?

I may be wrong, but as far as I know, ipfw rules need to be written with
fixed IPv4 addresses (or fixed CIDRs).  So what happens if I hard-code
the IPv4 addresses associated with the above three host names into my
ipfw rule set, and then, sometime later on, the relevant NTP servers
get relocated to new addresses within the IPv4 address space?



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?45066.1395347070>
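One way to do what Charles suggests without hard-coding the pool addresses into the ipfw rules, as an added example that is not part of this thread or of FreeBSD's own tooling: keep the permitted servers in an ipfw lookup table, reference the table from two permit rules placed ahead of the existing deny rule, and refresh the table from cron. The script below assumes table number 1 is unused, that rule numbers 1000 and 1001 sort before the deny rule, and that host(1), ntpq(8) and awk from the base system are available; the sample `host` and `ntpq -pn` lines in the comments are constructed for illustration.

```shell
#!/bin/sh
# ntp_ipfw_table.sh -- keep an ipfw lookup table in sync with the NTP servers
# this host actually talks to, so a "permit NTP only to my servers" rule keeps
# working after the pool hands out new addresses.
#
# Added example, not code from the thread. Assumptions: ipfw table 1 is free,
# rule numbers 1000/1001 precede the existing deny rule, and the ntp.conf
# "server" lines look like the three quoted in the message.

NTP_CONF="${NTP_CONF:-/etc/ntp.conf}"
TABLE="${TABLE:-1}"       # assumed free lookup table number
IPFW="${IPFW:-ipfw}"      # set IPFW=echo to print the commands instead of applying them

# Hostnames named on "server"/"pool" lines of an ntp.conf (local clock excluded).
ntp_server_names() {
    awk '($1 == "server" || $1 == "pool") && $2 !~ /^127\./ { print $2 }' "$1"
}

# Reduce host(1) output to one IPv4 address per line.  host -t A prints lines
# such as (constructed sample):
#   0.freebsd.pool.ntp.org has address 203.0.113.10
# "has IPv6 address" and "is an alias for" lines are skipped: the ruleset in
# the thread is IPv4-only.
parse_a_records() {
    awk '$2 == "has" && $3 == "address" { print $4 }'
}

# Current A records for one name (this is the only function that hits the network).
resolve_a() {
    host -t A "$1" | parse_a_records
}

# Reduce ntpq -pn output to the peer addresses ntpd has associations with.
# The remote column may carry a tally character (* + - # x . o) glued to the
# address, e.g. (constructed sample):
#   *203.0.113.10    .GPS.            1 u   33   64  377    1.234    0.567   0.123
# The first two lines are the header and the "====" separator.
peer_addresses() {
    awk 'NR > 2 {
             addr = $1
             sub(/^[ *+#x.o-]/, "", addr)
             if (addr ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print addr
         }'
}

# Addresses on stdin -> ipfw commands that rebuild the table (flush, then add).
# sort -u drops duplicates: two pool names can resolve to the same server.
table_commands() {
    sort -u | awk -v t="$TABLE" 'BEGIN { print "table " t " flush" }
                                 { print "table " t " add " $1 }'
}

# The permit rules Charles described, using the table instead of fixed
# addresses.  "me" matches every address configured on this host.
permit_rules() {
    cat <<EOF
add 1000 allow udp from me to table($TABLE) dst-port 123 out
add 1001 allow udp from table($TABLE) 123 to me in
EOF
}

# Run each line on stdin as an ipfw(8) command.
apply() {
    while read -r line; do
        # shellcheck disable=SC2086  -- word splitting is the point here
        $IPFW $line
    done
}

# Union of what ntpd is using right now and what the names resolve to now,
# so both the running daemon and a freshly restarted one are covered.
refresh_table() {
    {
        ntpq -pn 2>/dev/null | peer_addresses
        ntp_server_names "$NTP_CONF" | while read -r name; do resolve_a "$name"; done
    } | table_commands | apply
}

case "${1:-}" in
    rules)   permit_rules | apply ;;   # install once
    refresh) refresh_table ;;          # run from cron, and right after starting ntpd
    *)       ;;                        # no argument: only define the functions
esac
```

Two caveats worth knowing before relying on this. First, pool.ntp.org is a round-robin: each DNS query returns a different subset of the pool, and ntpd (as shipped in 2014) resolves `server` names once at startup, so a table built from a later DNS answer alone can omit the servers ntpd is actually polling; that is why `refresh_table` unions in `ntpq -pn`. Second, the flush-then-add rebuild is not atomic, so a reply arriving in that brief window is dropped; that only delays one poll, which ntpd tolerates. Adding `restrict default kod nomodify notrap nopeer noquery` to ntp.conf is still the right fix for the monlist issue itself; the firewall table is defence in depth.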