Re: URGENT? (was: Re: NTP security hole CVE-2013-5211?)

Board: FB_security, posted 2014/03/22 02:01
On Thu, 20 Mar 2014 13:41:06 -0700, Ronald F. Guilmette wrote:
[..]
 > I dearly hope that someone on this list who does in fact have commit privs
 > will jump on this Right Away.  I'm not persuaded that running a perfectly
 > configured ipfw... statefully, no less... should be an absolute prerequisite
 > for running any Internet-connected FreeBSD-based device that simply wishes
 > to always know the correct time.

Just on your last point: if your internet-connected device is providing
any services whatsoever on its outside interface (netstat -finet -an)
then unless you're literally offering those services unrestricted to the
planet at large, you need a firewall - or to be relying on one upstream.

As assorted experts have suggested, you need a stateful rule.  It's
really not that hard; if you _only_ needed to protect ntp on udp:

 kldload ipfw && ipfw add 65000 allow ip from any to any   # load null fw
 ipfw add allow udp from me to any ntp out xmit $outsideif keep-state
 ipfw add deny udp from any to me ntp in recv $outsideif

Done.  Perfectly configured for this one purpose, statefully no less ..

Protect sshd likewise, if enabled.  Or use pf, as you prefer.

Going a bit further and dropping everything you didn't ask for makes
more sense, and stats (eg ipfw -t show) may surprise re how much you're
deflecting.

cheers, Ian
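An added example, not part of the original message: a check over `ipfw list` output that reports whether the inbound NTP deny is evaluated before any allow-all rule. ipfw numbers an unnumbered rule after the highest existing rule, so rules added after a 65000 catch-all land behind it. The function names, the interface `em0`, the rule numbers 1010/1020 and both sample listings are constructed assumptions.

```shell
#!/bin/sh
# Added example; sample listings below are constructed, not captured output.

# Listing when unnumbered rules are added after rule 65000
# (auto-numbering appends after the highest rule, default step 100).
sample_autonumbered() {
    cat <<'EOF'
65000 allow ip from any to any
65100 allow udp from me to any dst-port 123 out xmit em0 keep-state
65200 deny udp from any to me dst-port 123 in recv em0
65535 deny ip from any to any
EOF
}

# Same rules given explicit (assumed) numbers below the catch-all.
sample_explicit() {
    cat <<'EOF'
01010 allow udp from me to any dst-port 123 out xmit em0 keep-state
01020 deny udp from any to me dst-port 123 in recv em0
65000 allow ip from any to any
65535 deny ip from any to any
EOF
}

# Classify an `ipfw list` listing read on stdin:
#   ok       - inbound NTP deny is evaluated before any allow-all rule
#   shadowed - an "allow ip from any to any" rule has a lower number
#   missing  - no inbound deny for UDP port 123 was found
ntp_deny_status() {
    awk '
        $2 == "allow" && ($3 == "ip" || $3 == "all") && $0 ~ /from any to any *$/ {
            if (!allow_all) allow_all = $1 + 0      # first unconditional allow
        }
        $2 == "deny" && $3 == "udp" && / to me / && / (123|ntp)( |$)/ && / in( |$)/ {
            if (!deny) deny = $1 + 0                # first inbound NTP deny
        }
        END {
            if (!deny) print "missing"
            else if (allow_all && allow_all < deny) print "shadowed"
            else print "ok"
        }'
}

for s in sample_autonumbered sample_explicit; do
    printf '%s: %s\n' "$s" "$($s | ntp_deny_status)"
done
```

On a FreeBSD host the same check runs as `ipfw list | ntp_deny_status`; it only models shadowing by an unconditional allow-all rule, not by narrower allow rules.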
Article ID (AID): #1JB7vWb0 (FB_security)