On 16 Mar 2014, at 13:00, freebsd-security-request at freebsd.org wrote:
> Message: 3
> From: Julian Elischer <julian at freebsd.org>
> Subject: Re: NTP security hole CVE-2013-5211?
> Message-ID: <5323C244.8050101 at freebsd.org>
> Content-Type: text/plain; charset="iso-8859-1";
> Format="flowed"
>
> the best solution is to add a firewall stateful rule so that the ONLY
> port 123 udp packet that gets in is one that is a response to one you
> sent out first.
No.
This is adding complexity to things which shouldn't be complex.
Of course multiple layers defend better than a single one, but
not all FreeBSD boxes run with a firewall turned on, and we shouldn't
require people to have it on for 'secure' ntp operation.
/etc/ntp.conf should by default have a secure posture and shouldn't
require any additional firewalling to remain so.
--
"There's no sense in being precise when | Łukasz Bromirski
you don't know what you're talking      | jid:lbromirski at jabber.org
about." John von Neumann                | http://lukasz.bromirski.net
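The "secure posture" the reply asks for in /etc/ntp.conf, as an added illustration that is not from the thread or from the FreeBSD project's own default file: ntpd serves time to everyone but refuses the mode 7 monlist query that CVE-2013-5211 abuses for amplification, and accepts status queries only from localhost. The server names are placeholders.

```conf
# Added example: hardened /etc/ntp.conf (not the thread's or FreeBSD's own file).
# Server names are placeholders; replace with your pool or local stratum servers.
server 0.example.pool.ntp.org iburst
server 1.example.pool.ntp.org iburst

# Turn off the mode 7 monlist facility that CVE-2013-5211 abuses; with it off
# there is no client list to hand back, regardless of what else is allowed.
disable monitor

# Default for every peer: answer ordinary time requests only.
#   noquery  - refuse ntpq/ntpdc status and control queries (monlist included)
#   nomodify - refuse runtime configuration changes
#   notrap   - refuse mode 6 trap (event notification) requests
#   nopeer   - do not form associations with unsolicited peers
#   kod      - send kiss-of-death packets to clients that exceed rate limits
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Unrestricted access (including ntpq -p for status) only from the local host.
restrict 127.0.0.1
restrict -6 ::1
```

With this in place, time synchronisation (client mode 3 requests) keeps working from anywhere, while `ntpq -p` or `ntpdc -c monlist` against the host is only answered from localhost, without depending on any packet filter.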