Date: Sun, 16 Mar 2014 16:18:53 +0100
From: Łukasz Bromirski <lukasz@bromirski.net>
To: freebsd-security@freebsd.org
Subject: Re: freebsd-security Digest, Vol 478, Issue 3
Message-ID: <DA901120-B24F-4830-BD66-007B7C975208@bromirski.net>
In-Reply-To: <mailman.73.1394971202.75583.freebsd-security@freebsd.org>
References: <mailman.73.1394971202.75583.freebsd-security@freebsd.org>
On 16 Mar 2014, at 13:00, freebsd-security-request@freebsd.org wrote:

> Message: 3
> From: Julian Elischer <julian@freebsd.org>
> Subject: Re: NTP security hole CVE-2013-5211?
> Message-ID: <5323C244.8050101@freebsd.org>
> Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
>
> the best solution is to add a firewall stateful rule so that the ONLY
> port 123 udp packet that gets in is one that is a response to one you
> sent out first.

No. This is adding complexity to things which shouldn’t be complex.

Of course multiple layers defend better than a single one, but not all
FreeBSD boxes run with the firewall turned on, and we shouldn’t require
people to have it on for ‘secure’ ntp operation. /etc/ntp.conf should by
default have a secure posture and shouldn’t require any additional
firewalling to remain so.

-- 
"There's no sense in being precise when | Łukasz Bromirski
you don't know what you're talking      | jid:lbromirski@jabber.org
about." John von Neumann                | http://lukasz.bromirski.net
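As an added illustration of the "secure by default" ntp.conf posture argued for above (this is editorial example configuration, not a file from the thread or from FreeBSD's base system), the following restrict stanza denies control and monitor queries, which is what closes the CVE-2013-5211 monlist amplification vector, while still letting the daemon synchronise. The upstream addresses are placeholders from the TEST-NET range and must be replaced with real servers.

```conf
# /etc/ntp.conf -- hardened default posture (added example, not from the thread).
# Upstream servers: placeholder addresses, substitute your own.
server 203.0.113.10 iburst
server 203.0.113.11 iburst

# Default policy for every address not listed further down: deny everything
# the daemon does not need to answer.
#   noquery  - refuse ntpq/ntpdc control and monitor queries (mode 6/7);
#              this is what blocks monlist, the CVE-2013-5211 amplifier
#   nomodify - refuse runtime configuration changes
#   notrap   - refuse the trap service
#   nopeer   - refuse unauthenticated peer associations
#   kod      - answer abusive clients with kiss-o'-death packets
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# The configured upstreams may send us time, but may not query or modify us.
restrict 203.0.113.10 nomodify notrap noquery
restrict 203.0.113.11 nomodify notrap noquery

# Full access (ntpq, ntpdc) for the local host only.
restrict 127.0.0.1
restrict -6 ::1

# Belt and braces: switch the monitor facility off entirely so there is no
# monlist data to return even if a restrict line is later loosened.
disable monitor
```

With this file in place the daemon already refuses the queries CVE-2013-5211 abuses, so the stateful firewall rule from Julian's message becomes a second layer rather than a requirement. For completeness, the ipfw form of that rule (added here, not from the thread) is `ipfw add check-state`, then `ipfw add allow udp from me to any 123 out keep-state`, followed by `ipfw add deny udp from any to me 123 in`; the dynamic entry created by keep-state admits only replies to requests the host itself sent.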