Date:      Sat, 22 Mar 2014 02:25:19 +1100 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        "Ronald F. Guilmette" <rfg@tristatelogic.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: URGENT? (was: Re: NTP security hole CVE-2013-5211?)
Message-ID:  <20140322000445.C31989@sola.nimnet.asn.au>
In-Reply-To: <45158.1395348066@server1.tristatelogic.com>
References:  <45158.1395348066@server1.tristatelogic.com>

On Thu, 20 Mar 2014 13:41:06 -0700, Ronald F. Guilmette wrote:
[..]
 > I dearly hope that someone on this list who does in fact have commit privs
 > will jump on this Right Away.  I'm not persuaded that running a perfectly
 > configured ipfw... statefully, no less... should be an absolute prerequisite
 > for running any Internet-connected FreeBSD-based device that simply wishes
 > to always know the correct time.

Just on your last point: if your internet-connected device is providing
any services whatsoever on its outside interface (netstat -finet -an) 
then unless you're literally offering those services unrestricted to the 
planet at large, you need a firewall - or to be relying on one upstream.

As assorted experts have suggested, you need a stateful rule.  It's 
really not that hard; if you _only_ needed to protect ntp on udp:

 kldload ipfw && ipfw add 65000 allow ip from any to any	# load null fw
 ipfw add 100 allow udp from me to any ntp out xmit $outsideif keep-state	# explicit numbers: evaluated before 65000
 ipfw add 200 deny udp from any to me ntp in recv $outsideif

Done.  Perfectly configured for this one purpose, statefully no less ..

Protect sshd likewise, if enabled.  Or use pf, as you prefer.  Going a 
bit further and dropping everything you didn't ask for makes more sense, 
and stats (eg ipfw -t show) may surprise re how much you're deflecting.

cheers, Ian
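
A toy model of how the ruleset in the message above evaluates packets, added here as an illustration and not part of the original message or of ipfw itself. The rule numbers 100 and 200 in the model are assumptions that place the NTP rules ahead of the allow-all at 65000; the addresses are constructed documentation-range values and the 10-second UDP state lifetime is an assumed figure.

```python
"""Toy model of ipfw first-match evaluation with keep-state (illustrative only)."""
from dataclasses import dataclass

ME, NTP = "192.0.2.10", 123      # constructed address (TEST-NET-1)
UDP_LIFETIME = 10                # assumed seconds; real value: sysctl net.inet.ip.fw.dyn_udp_lifetime

@dataclass(frozen=True)
class Pkt:
    direction: str               # "in" or "out" on the outside interface
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class Firewall:
    def __init__(self):
        self.state = {}          # flow key -> expiry time

    @staticmethod
    def _key(p):
        # Dynamic rules match both directions of a flow, so order the endpoints.
        return (p.proto, *sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def check(self, p, now):
        """Return (action, rule_number) using first-match-wins order."""
        # Rule 100: allow udp from me to any ntp out xmit $outsideif keep-state
        # The dynamic table is consulted on reaching the first keep-state rule.
        if self.state.get(self._key(p), -1) > now:
            self.state[self._key(p)] = now + UDP_LIFETIME   # refresh on traffic
            return ("allow", 100)
        if (p.direction, p.proto, p.src, p.dport) == ("out", "udp", ME, NTP):
            self.state[self._key(p)] = now + UDP_LIFETIME   # install dynamic rule
            return ("allow", 100)
        # Rule 200: deny udp from any to me ntp in recv $outsideif
        if (p.direction, p.proto, p.dst, p.dport) == ("in", "udp", ME, NTP):
            return ("deny", 200)
        # Rule 65000: allow ip from any to any
        return ("allow", 65000)

def demo():
    fw, server, stranger = Firewall(), "198.51.100.1", "203.0.113.66"
    return [
        fw.check(Pkt("in", "udp", stranger, 40000, ME, NTP), now=0),   # unsolicited
        fw.check(Pkt("out", "udp", ME, NTP, server, NTP), now=1),      # our query
        fw.check(Pkt("in", "udp", server, NTP, ME, NTP), now=2),       # its reply
        fw.check(Pkt("in", "udp", stranger, NTP, ME, NTP), now=3),     # other host
        fw.check(Pkt("in", "udp", server, NTP, ME, NTP), now=60),      # state expired
        fw.check(Pkt("in", "tcp", stranger, 40000, ME, 22), now=61),   # not covered
    ]
```

Because ntpd normally sends its queries from source port 123, the server's reply arrives at port 123 too and would hit the deny rule if the dynamic state did not match it first.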
