From owner-freebsd-security@FreeBSD.ORG Fri Mar 21 20:01:35 2014
From: "Ronald F. Guilmette"
cc: freebsd-security@freebsd.org
Subject: Re: URGENT? (was: Re: NTP security hole CVE-2013-5211?)
In-Reply-To: <20140322000445.C31989@sola.nimnet.asn.au>
Date: Fri, 21 Mar 2014 13:01:25 -0700
Message-ID: <51546.1395432085@server1.tristatelogic.com>
List-Id: "Security issues [members-only posting]"

In message <20140322000445.C31989@sola.nimnet.asn.au>, Ian Smith wrote:

>As assorted experts have suggested, you need a stateful rule. It's
>really not that hard; if you _only_ needed to protect ntp on udp:
>
>    kldload ipfw && ipfw add 65000 allow ip from any to any   # load null fw
>    ipfw add allow udp from me to any ntp out xmit $outsideif keep-state
>    ipfw add deny udp from any to me ntp in recv $outsideif
>
>Done. Perfectly configured for this one purpose, statefully no less ..

Sounds great to me! However, I've never really used any of the stateful ipfw stuff, so I'm venturing out into what, for me, are unfamiliar waters.
So I hope you'll be kind and entertain a question or two, to help me understand exactly what I'm supposed to do.

I've just skimmed over the page here:

    https://www.freebsd.org/doc/handbook/firewalls-ipfw.html

and my questions are based on the tutorial information I've found there.

First question: In addition to what you have written above, may I safely assume that I also need an additional rule, somewhere early in my entire (numbered) list of rules, that just simply says "check-state"?

Second question: In the example text given just about half-way down on the web page cited above, within part of a big block of example rules, I see this:

    # Allow outbound NTP
    $cmd 00260 allow tcp from any to any 37 out via $pif setup keep-state

This is more than a little befuddling to me, for one simple reason... I had no idea until now that NTP could even make use of TCP, rather than, or in addition to, UDP. But I did look in my /etc/services file and saw this:

    ntp             123/tcp    #Network Time Protocol
    ntp             123/udp    #Network Time Protocol

so obviously, yes, both UDP and TCP can be used for the NTP protocol, rather like DNS, I gather. But the example noted above, as given within the FreeBSD Handbook, appears to make the assumption that NTP is using TCP. That still leaves me a bit befuddled, because I had assumed... until now... that ntpd would be doing all of its communicating strictly via UDP. (I mean, ntpd's use of UDP, rather than TCP, is _the_ essential thing that has given rise to all of these NTP reflection attacks, no? The IP address spoofing of the intended victim becomes one helluva lot harder if it has to be done within the context of TCP, rather than UDP, yes?)

So, um, when, if ever, does ntpd use TCP rather than UDP, and how would a sysadmin running ntpd tell it to use either UDP or TCP? (My apologies if this is stuff that everybody else already knows. I sure don't.)
Last question: Assuming that my local ntpd is strictly and only using UDP for all communication, would something like the following be a proper set of additions to my current ipfw rules?

    add 00101 check-state
    add 00500 pass udp from 123 to any 123 out via $pif keep-state

If not, what should I use instead?

Thanks in advance for all help & understanding.

Regards,
rfg
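The stateful rule set quoted from Ian Smith above, assembled into a script with the check-state rule in front of it, as an added example that is not part of the original thread. It assumes the external interface is named in $outsideif (defaulting to em0) and, unless IPFW is set to the real ipfw binary, only prints the rules rather than installing them.

```shell
#!/bin/sh
# Added example (not from the original thread): the stateful ipfw rule set
# for a host whose ntpd talks only UDP. Outbound queries create dynamic
# entries so their replies get in; unsolicited inbound NTP (the reflection
# vector) is dropped. Assumed names: $outsideif, $IPFW.
outsideif="${outsideif:-em0}"   # assumed external interface name
IPFW="${IPFW:-echo ipfw}"       # dry run by default; IPFW=ipfw to install

# Emit the rules, one per line, in the order they must be installed.
ntp_rules() {
    # check-state has to come before the stateful rules so that a reply
    # to one of our own queries is matched against the dynamic table first.
    echo "add 00101 check-state"
    # Our own queries to port 123 go out and create a dynamic entry
    # ("me" is the host's own addresses, so no literal IP is needed).
    echo "add 00500 allow udp from me to any 123 out xmit ${outsideif} keep-state"
    # Anything else arriving for our port 123 is unsolicited: drop it.
    echo "add 00510 deny udp from any to me 123 in recv ${outsideif}"
}

# Feed each rule to $IPFW (echo by default, so the commands are shown).
apply_ntp_rules() {
    ntp_rules | while IFS= read -r rule; do
        # word splitting of $IPFW and $rule is intended here
        $IPFW $rule
    done
}
```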