Date: Sun, 16 Mar 2014 16:18:53 +0100
From: Łukasz Bromirski <lukasz@bromirski.net>
To: freebsd-security@freebsd.org
Subject: Re: freebsd-security Digest, Vol 478, Issue 3
Message-ID: <DA901120-B24F-4830-BD66-007B7C975208@bromirski.net>
In-Reply-To: <mailman.73.1394971202.75583.freebsd-security@freebsd.org>
References: <mailman.73.1394971202.75583.freebsd-security@freebsd.org>
On 16 Mar 2014, at 13:00, freebsd-security-request@freebsd.org wrote:

> Message: 3
> From: Julian Elischer <julian@freebsd.org>
> Subject: Re: NTP security hole CVE-2013-5211?
> Message-ID: <5323C244.8050101@freebsd.org>
> Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
>
> the best solution is to add a firewall stateful rule so that the ONLY
> port 123 udp packet that gets in is one that is a response to one you
> sent out first.

No. This is adding complexity to things which shouldn’t be complex. Of course multiple layers defend better than a single one, but not all FreeBSD boxes run with the firewall turned on, and we shouldn’t require people to have it on for ‘secure’ ntp operation. /etc/ntp.conf should by default have a secure posture and shouldn’t require any additional firewalling to remain so.

-- 
"There's no sense in being precise when | Łukasz Bromirski
you don't know what you're talking      | jid:lbromirski@jabber.org
about." John von Neumann                | http://lukasz.bromirski.net
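As an added example, not taken from either poster or from the FreeBSD tree, here is an /etc/ntp.conf fragment that gives ntpd the default-secure posture argued for above on the daemon side alone, without depending on a packet filter; the pool hostnames are placeholders to be replaced with your own upstream servers.

```conf
# Added example: a default-deny ntp.conf posture for ntpd (not from the thread).
# Upstream servers are placeholders; substitute your own.
server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst

# Refuse everything by default except plain time requests (mode 3/4):
#   kod      - answer abusive clients with Kiss-o'-Death packets
#   nomodify - refuse runtime configuration changes via ntpq/ntpdc
#   notrap   - refuse mode 6 trap service
#   nopeer   - do not let unsolicited peers form associations
#   noquery  - refuse mode 6/7 status queries, which includes 'monlist'
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Localhost keeps full access so ntpq still works for local troubleshooting.
restrict 127.0.0.1
restrict -6 ::1

# Belt and braces: switch off the MRU monitoring list that 'monlist' reads,
# so there is nothing to amplify even if a restrict line is later loosened.
disable monitor
```

This is the ntpd-side control; the stateful filter rule Julian describes is an independent second layer, not a replacement for it.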
