At 03:37 PM 3/20/2014, Ronald F. Guilmette wrote:

>Starting from these lines in my /etc/ntp.conf file:
>
>server 0.freebsd.pool.ntp.org iburst
>server 1.freebsd.pool.ntp.org iburst
>server 2.freebsd.pool.ntp.org iburst
>
>I resolved each of those three host names to _all_ of its associated
>IPv4 addresses. This yielded me the following list:
>
>50.116.38.157
>69.50.219.51
>69.55.54.17
>69.167.160.102
>108.61.73.244
>129.250.35.251
>149.20.68.17
>169.229.70.183
>192.241.167.38
>199.7.177.206
>209.114.111.1
>209.118.204.201

[Snip]

All of this is good. However, remember that anyone who can spoof IPs will know that the above addresses are the defaults for any FreeBSD machine and can take advantage of these "holes" in your firewall.

--Brett Glass
On Mar 20, 2014 9:21 PM, "Brett Glass" <brett at lariat.org> wrote:
>
> At 03:37 PM 3/20/2014, Ronald F. Guilmette wrote:
>
>> Starting from these lines in my /etc/ntp.conf file:
>>
>> server 0.freebsd.pool.ntp.org iburst
>> server 1.freebsd.pool.ntp.org iburst
>> server 2.freebsd.pool.ntp.org iburst
>>
>> I resolved each of those three host names to _all_ of its associated
>> IPv4 addresses. This yielded me the following list:
>>
>> 50.116.38.157
>> 69.50.219.51
>> 69.55.54.17
>> 69.167.160.102
>> 108.61.73.244
>> 129.250.35.251
>> 149.20.68.17
>> 169.229.70.183
>> 192.241.167.38
>> 199.7.177.206
>> 209.114.111.1
>> 209.118.204.201
>
> [Snip]
>
> All of this is good. However, remember that anyone who can spoof IPs will know
> that the above addresses are the defaults for any FreeBSD machine and can
> take advantage of these "holes" in your firewall.

While true, that does mean that amplification attacks are limited to being able to attack those ten machines. A not insignificant reduction in hosts vulnerable to attack.

> --Brett Glass
>
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
On Thu, 20 Mar 2014 22:20:52 -0600 Brett Glass wrote:

> At 03:37 PM 3/20/2014, Ronald F. Guilmette wrote:
>
> >Starting from these lines in my /etc/ntp.conf file:
> >
> >server 0.freebsd.pool.ntp.org iburst
> >server 1.freebsd.pool.ntp.org iburst
> >server 2.freebsd.pool.ntp.org iburst
> >
> >I resolved each of those three host names to _all_ of its associated
> >IPv4 addresses. This yielded me the following list:
> >
> >50.116.38.157
> >69.50.219.51
> >69.55.54.17
> >69.167.160.102
> >108.61.73.244
> >129.250.35.251
> >149.20.68.17
> >169.229.70.183
> >192.241.167.38
> >199.7.177.206
> >209.114.111.1
> >209.118.204.201
>
> [Snip]
>
> All of this is good.

When you use a vendor pool or pool.ntp.org, you get a random selection of servers in your local region. According to www.pool.ntp.org that's 869 for North America, and 2495 for Europe.
On 3/20/14, 9:20 PM, Brett Glass wrote:

> At 03:37 PM 3/20/2014, Ronald F. Guilmette wrote:
>
>> Starting from these lines in my /etc/ntp.conf file:
>>
>> server 0.freebsd.pool.ntp.org iburst
>> server 1.freebsd.pool.ntp.org iburst
>> server 2.freebsd.pool.ntp.org iburst
>>
>> I resolved each of those three host names to _all_ of its associated
>> IPv4 addresses. This yielded me the following list:
>>
>> 50.116.38.157
>> 69.50.219.51
>> 69.55.54.17
>> 69.167.160.102
>> 108.61.73.244
>> 129.250.35.251
>> 149.20.68.17
>> 169.229.70.183
>> 192.241.167.38
>> 199.7.177.206
>> 209.114.111.1
>> 209.118.204.201

You can't use this list because the members of the pool change over time.

You need the following rules placed in the correct places in your ruleset:

check-state
 and
allow udp from me to any 123 out via ${oif} keep-state

Unless a udp packet first exits via the second rule, the first will not match and will continue on to further rules (which should throw it away, one hopes). Once an outgoing udp packet to 123 has been seen on the second rule, any response will be allowed for the next N seconds (it's some small integer, from memory). Any copy of that packet that comes after the timeout will be dropped again.

>
> [Snip]
>
> All of this is good. However, remember that anyone who can spoof IPs
> will know
> that the above addresses are the defaults for any FreeBSD machine
> and can
> take advantage of these "holes" in your firewall.
>
> --Brett Glass
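As an added illustration of the two approaches discussed in this thread (the static per-address allowlist Brett Glass warns about, and the check-state / keep-state pair Julian Elischer describes), here is a small Python model of ipfw's dynamic-rule behaviour run over a constructed packet trace. This is example code written for this page, not code from the thread or from ipfw itself. The local address 192.0.2.10, the trace, and the 10-second dynamic-rule lifetime are assumptions for illustration (on FreeBSD the lifetime is governed by the net.inet.ip.fw.dyn_udp_lifetime sysctl, and the refresh-on-match behaviour is an approximation of what ipfw does).

```python
"""Model of ipfw 'check-state' + 'allow udp from me to any 123 out keep-state'
versus a static allowlist of pool addresses.

Added example for illustration only; not code from the mailing-list thread
or from ipfw.  Addresses, trace and lifetime are constructed assumptions.
"""
from dataclasses import dataclass

ME = "192.0.2.10"        # assumed local address ("me" in ipfw terms)
UDP_LIFETIME = 10.0      # assumed dynamic-rule lifetime in seconds
POOL = "129.250.35.251"  # one address from the list quoted in the thread
OTHER_POOL = "69.55.54.17"  # another address from that list, never queried


@dataclass(frozen=True)
class Packet:
    t: float         # time the packet is seen, in seconds
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "in" or "out"


class StatefulFirewall:
    """Two rules followed by an implicit deny:
         check-state
         allow udp from me to any 123 out keep-state
    Dynamic rules are keyed on the 4-tuple seen from the local side."""

    def __init__(self, lifetime=UDP_LIFETIME):
        self.lifetime = lifetime
        self.dyn = {}  # (local_ip, local_port, remote_ip, remote_port) -> expiry

    def _key(self, pkt):
        if pkt.direction == "in":
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def _expire(self, now):
        self.dyn = {k: exp for k, exp in self.dyn.items() if exp > now}

    def decide(self, pkt):
        self._expire(pkt.t)
        key = self._key(pkt)
        # Rule 1: check-state -- accept if a live dynamic rule matches, and
        # refresh its expiry (approximation of ipfw behaviour).
        if key in self.dyn:
            self.dyn[key] = pkt.t + self.lifetime
            return "allow"
        # Rule 2: outbound UDP from me to port 123 creates a dynamic rule.
        if pkt.direction == "out" and pkt.src == ME and pkt.dport == 123:
            self.dyn[key] = pkt.t + self.lifetime
            return "allow"
        # Nothing else matched: fall through to the final deny.
        return "deny"


def static_allowlist_decide(pkt, allowed):
    """The approach the thread started with: permit inbound UDP/123 from a
    fixed list of pool addresses.  Any packet claiming one of those source
    addresses is accepted, solicited or not."""
    if pkt.direction == "out" and pkt.src == ME and pkt.dport == 123:
        return "allow"
    if pkt.direction == "in" and pkt.sport == 123 and pkt.src in allowed:
        return "allow"
    return "deny"


# Constructed trace: a genuine query/reply, an unsolicited packet spoofed
# from a "known" pool address, and a late reply after the state expired.
TRACE = [
    Packet(0.0, ME, 123, POOL, 123, "out"),          # our NTP query
    Packet(0.1, POOL, 123, ME, 123, "in"),           # genuine reply
    Packet(5.0, OTHER_POOL, 123, ME, 123, "in"),     # unsolicited (spoofable)
    Packet(30.0, POOL, 123, ME, 123, "in"),          # replayed reply, too late
]
ALLOWLIST = {POOL, OTHER_POOL}


def compare(trace=TRACE, allowed=ALLOWLIST):
    """Return (stateful_verdicts, allowlist_verdicts) for the trace."""
    fw = StatefulFirewall()
    stateful = [fw.decide(p) for p in trace]
    static = [static_allowlist_decide(p, allowed) for p in trace]
    return stateful, static


if __name__ == "__main__":
    stateful, static = compare()
    for pkt, s, a in zip(TRACE, stateful, static):
        print(f"t={pkt.t:5.1f} {pkt.direction:3} {pkt.src}->{pkt.dst} "
              f"stateful={s:5} allowlist={a}")
```

The trace makes the difference concrete: the allowlist accepts every inbound packet that merely claims a pool source address, while the stateful pair accepts only the reply to a query this host actually sent, and only within the dynamic-rule lifetime. A packet forged with the right 4-tuple inside that window would still pass, which is the residual exposure Julian's "for the next N seconds" describes.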
In message <532CC8CF.4030508 at elischer.org>,
Julian Elischer <julian at elischer.org> wrote:

>>> 50.116.38.157
>>> 69.50.219.51
>>> 69.55.54.17
>>> 69.167.160.102
>>> 108.61.73.244
>>> 129.250.35.251
>>> 149.20.68.17
>>> 169.229.70.183
>>> 192.241.167.38
>>> 199.7.177.206
>>> 209.114.111.1
>>> 209.118.204.201
>
>You can't use this list because the members of the pool change over time.

Yes. I've understood that now. Thank you.

>you need the following rules placed in the correct places in your ruleset.
>
>check-state
> and
>allow udp from me to any 123 out via ${oif} keep-state.

I've implemented this now, and it seems to be working great.

My sincere thanks to everyone who stepped forward to help.

Regards,
rfg