Date:      Fri, 21 Mar 2014 16:18:39 -0700
From:      Julian Elischer <julian@elischer.org>
To:        Brett Glass <brett@lariat.org>, "Ronald F. Guilmette" <rfg@tristatelogic.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: NTP security hole CVE-2013-5211?
Message-ID:  <532CC8CF.4030508@elischer.org>
In-Reply-To: <201403210421.WAA05406@mail.lariat.net>
References:  <201403210421.WAA05406@mail.lariat.net>

On 3/20/14, 9:20 PM, Brett Glass wrote:
> At 03:37 PM 3/20/2014, Ronald F. Guilmette wrote:
>
>> Starting from these lines in my /etc/ntp.conf file:
>>
>> server 0.freebsd.pool.ntp.org iburst
>> server 1.freebsd.pool.ntp.org iburst
>> server 2.freebsd.pool.ntp.org iburst
>>
>> I resolved each of those three host names to _all_ of its associated
>> IPv4 addresses.  This yielded me the following list:
>>

You can't use this list because the members of the pool change over time.

You need the following rules placed in the correct places in your ruleset:

check-state
  and
allow udp from me to any 123 out via ${oif} keep-state

Unless a UDP packet first exits via the second rule, the first will not match
and will continue on to further rules (which should throw it away, one hopes).
Once an outgoing UDP packet to 123 has been seen on the second rule, any
response will be allowed for the next N seconds (it's some small integer, from
memory). Any copy of that packet that comes after the timeout will be dropped
again.


>
> [Snip]
>
> All of this is good. However, remember that anyone who can spoof IPs will know
> that the above addresses are the defaults for any FreeBSD machine and can
> take advantage of these "holes" in your firewall.
>
> --Brett Glass
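A toy simulation of the rule ordering Julian describes (check-state first, then the keep-state allow, then whatever drops the rest), added here as an example and not part of the thread or of ipfw itself; the state lifetime, the addresses and the packet sequence are constructed assumptions:

```python
from dataclasses import dataclass

# Assumed lifetime of a udp dynamic rule in seconds (Julian's "small integer N").
UDP_STATE_LIFETIME = 10

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    out: bool   # True = leaving via ${oif}, False = arriving
    t: float    # time seen, in seconds

class NtpRuleset:
    """Toy model of the three rules: check-state, keep-state allow, default deny."""

    def __init__(self, me):
        self.me = me
        self.dynamic = {}   # (src, sport, dst, dport) -> expiry time

    def check_state(self, pkt):
        # check-state: a dynamic rule matches the flow in either direction,
        # and each match refreshes its expiry (modelled after ipfw's behaviour).
        for key in ((pkt.src, pkt.sport, pkt.dst, pkt.dport),
                    (pkt.dst, pkt.dport, pkt.src, pkt.sport)):
            expiry = self.dynamic.get(key)
            if expiry is None:
                continue
            if pkt.t < expiry:
                self.dynamic[key] = pkt.t + UDP_STATE_LIFETIME
                return True
            del self.dynamic[key]   # timed out: the state is gone
        return False

    def verdict(self, pkt):
        if self.check_state(pkt):
            return "allow/dynamic"
        # allow udp from me to any 123 out via ${oif} keep-state
        if pkt.out and pkt.src == self.me and pkt.dport == 123:
            self.dynamic[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = pkt.t + UDP_STATE_LIFETIME
            return "allow/keep-state"
        return "deny"   # the "further rules"; assumed to drop the packet

def run_scenario():
    # Constructed addresses from the 198.51.100.0/24 documentation range.
    me, pool = "198.51.100.7", "198.51.100.123"
    fw = NtpRuleset(me)
    packets = [
        Packet(me, 50123, pool, 123, True, 0.0),             # our query
        Packet(pool, 123, me, 50123, False, 0.5),            # prompt reply
        Packet(pool, 123, me, 50123, False, 3.0),            # duplicate, still in window
        Packet("198.51.100.9", 123, me, 50123, False, 1.0),  # unsolicited, never queried
        Packet(pool, 123, me, 50123, False, 60.0),           # copy after the timeout
    ]
    return [fw.verdict(p) for p in packets]
```

Only the reply that arrives while the dynamic rule is alive gets through; an unsolicited packet from port 123, or a copy arriving after the timeout, falls through to the deny.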
