From owner-freebsd-security@FreeBSD.ORG Tue Mar 18 18:24:50 2014
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 2BB76A93; Tue, 18 Mar 2014 18:24:50 +0000 (UTC)
Received: from vps1.elischer.org (vps1.elischer.org [204.109.63.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id F3520A30; Tue, 18 Mar 2014 18:24:49 +0000 (UTC)
Received: from julian-mbp3.pixel8networks.com (50-196-156-133-static.hfc.comcastbusiness.net [50.196.156.133]) (authenticated bits=0) by vps1.elischer.org (8.14.8/8.14.8) with ESMTP id s2IIOmwP086094 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Tue, 18 Mar 2014 11:24:49 -0700 (PDT) (envelope-from julian@freebsd.org)
Message-ID: <53288F6C.4030604@freebsd.org>
Date: Tue, 18 Mar 2014 11:24:44 -0700
From: Julian Elischer
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: Matthew Seaman, freebsd-security@freebsd.org
Subject: Re: NTP security hole CVE-2013-5211?
References: <29310.1395114987@server1.tristatelogic.com> <5327F89C.60606@FreeBSD.org>
In-Reply-To: <5327F89C.60606@FreeBSD.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Security issues [members-only posting]"
X-List-Received-Date: Tue, 18 Mar 2014 18:24:50 -0000

On 3/18/14, 12:41 AM, Matthew Seaman wrote:
> On 18/03/2014 03:56, Ronald F. Guilmette wrote:
>> (It was explained to me at the time that NTP operates a bit like DNS...
>> with which I am more familiar... i.e. that all outbound requests originate
>> on high numbered ports, well and truly away from all low numbered ports,
>> including, in particular, 123. I am just re-verifying that my understanding
>> in this regard is correct, and that my current blanket firewall rule is
>> fine as it stands.)
> It's not uncommon for NTP to have both source and destination ports set
> to 123. This was the standard some years back, but such things as NAT
> always meant that couldn't be relied on. I don't know if this is still
> seen as a normal practice, but all the NTP related entries sockstat
> shows me are bound to port 123 on the local side.
>
> Unlike DNS, I don't think there are any particular security penalties to
> not using a wide range of UDP source ports for NTP.

Yes, you are correct. In fact, what I have is a rule that only allows ANY UDP
packets if they are responses to something I sent. I have an exception rule
for DNS, which I do serve. I have an option in my firewall that further
narrows that down to only allow ME to send UDP (other than DNS) packets to my
own NTP sources, so even if my ntpd were somehow compromised it couldn't reach
anyone else.

> Cheers,
>
> Matthew
>
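An ipfw ruleset expressing the policy Julian describes, added here as an illustration rather than taken from the thread; the host address (192.0.2.10), the two NTP sources (198.51.100.1, 198.51.100.2) and the interface name (em0) are placeholders, not values from the message.

```ipfw
# Constructed example for `ipfw -q /etc/ipfw.rules`, not the author's own
# ruleset. Assumed: 192.0.2.10 is this host, 198.51.100.1 and 198.51.100.2
# are its configured NTP servers, em0 is the outside interface.
flush

# Replies to traffic we originated match the dynamic entries created by the
# keep-state rules below; nothing else inbound over UDP is implied by this.
add 00100 check-state

# DNS we serve: the one UDP service reachable from outside, plus its answers.
add 00200 allow udp from any to 192.0.2.10 53 in via em0
add 00210 allow udp from 192.0.2.10 53 to any out via em0

# Our own resolver queries; their answers come back through rule 100.
add 00300 allow udp from 192.0.2.10 to any 53 out via em0 keep-state

# NTP: outbound only to our configured sources, only to port 123. ntpd binds
# the local side to 123 as well (Matthew's sockstat observation), so the
# source port is pinned too. A compromised ntpd cannot reach any other host
# over UDP through this rule.
add 00400 allow udp from 192.0.2.10 123 to 198.51.100.1,198.51.100.2 123 out via em0 keep-state

# Every other UDP packet, in or out, is dropped and logged so that a daemon
# trying to talk to an unexpected peer shows up in the ipfw log.
add 00500 deny log udp from any to any via em0

# TCP and ICMP policy for the host belongs after this point (omitted here).
```

If ntpd on a given host sends from an ephemeral port instead of 123, drop the local `123` in rule 400; the keep-state entry still ties each reply to the request that caused it.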