From owner-freebsd-security Fri Apr 13 5: 7:31 2001
Delivered-To: freebsd-security@freebsd.org
Received: from kendra.ne.mediaone.net (kendra.ne.mediaone.net [24.218.227.234])
    by hub.freebsd.org (Postfix) with ESMTP id 5C8E137B423
    for ; Fri, 13 Apr 2001 05:07:28 -0700 (PDT)
    (envelope-from software@kew.com)
Received: from xena (xena.hh.kew.com [192.168.203.148])
    by kendra.ne.mediaone.net (Postfix) with SMTP id 647C68C1D;
    Fri, 13 Apr 2001 08:07:27 -0400 (EDT)
Message-ID: <004601c0c412$4ea81e70$94cba8c0@hh.kew.com>
From: "Drew Derbyshire"
To: "Steve Reid"
Cc:
References: <200104122058.f3CKwLe45352@freefall.freebsd.org> <20010413000659.A88148@grok.bc.hsia.telus.net>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:31.ntpd
Date: Fri, 13 Apr 2001 08:07:27 -0400
Organization: Kendra Electronic Wonderworks, Stoneham, MA 02180 (http://www.kew.com)
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

From: "Steve Reid"

> None of the advisories I've seen released (FreeBSD or otherwise) have
> listed "restrict" directives in ntp.conf as a workaround. Is this
> because it is not sufficient, or are the people writing the advisories
> not aware of it, or other?

> Restricting by address is subject to spoofing of course,

IMHO ... I believe the comment in the advisory that specifically points out
spoofing is a problem is why restrict is not listed as workaround. The
official workarounds have to be bulletproof.

> but is there
> any reason "restrict default noquery nomodify notrap nopeer" would not
> be sufficient to protect a typical NTP client while still allowing it
> to receive time service?

If you are using restrict, why not a simple ignore on the restrict? Was this
a recent addition to the configuration?
(It is in the version shipped with FreeBSD 4.1)

-ahd-
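
The two restrict policies discussed in this message, written out as an ntp.conf fragment. This is an added example, not part of the original post; the address 192.0.2.10 is a constructed placeholder for a time source, and, as the thread notes, address-based restrictions remain subject to spoofing.

```conf
# Option A: the policy quoted from Steve Reid's message.
# Packets from any address are still processed for time service, but
# ntpq/ntpdc queries (noquery), run-time reconfiguration (nomodify),
# trap registration (notrap) and unconfigured peer associations (nopeer)
# are refused.
restrict default noquery nomodify notrap nopeer

# Option B: the "simple ignore" suggested in the reply (use instead of A).
# Every packet is dropped unless a more specific restrict line matches,
# so each configured time source needs its own entry, otherwise its
# replies are discarded as well.
# 192.0.2.10 is a constructed placeholder address.
#restrict default ignore
#restrict 192.0.2.10 noquery nomodify notrap

# With either option, exempt the loopback address so that local
# ntpq/ntpdc queries keep working.
restrict 127.0.0.1

# Time source (constructed placeholder address).
server 192.0.2.10
```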