From owner-freebsd-security@FreeBSD.ORG Thu Mar 20 20:26:56 2014
From: "Ronald F. Guilmette"
To: freebsd-security@freebsd.org
Subject: Re: NTP security hole CVE-2013-5211?
In-Reply-To: <742A1A10-15BF-433A-8693-CA2DD1DE0501@mac.com>
Date: Thu, 20 Mar 2014 13:24:30 -0700
Message-ID: <45066.1395347070@server1.tristatelogic.com>
List-Id: "Security issues [members-only posting]"

In message <742A1A10-15BF-433A-8693-CA2DD1DE0501@mac.com>, Charles Swiger wrote:

>> Of course, if this *is* messed up, then I guess that I'll have to remove
>> my firewall rule, and diddle my /etc/ntp.conf file at the same time, in
>> order to make sure that the Evil Ones don't come back and use & abuse me
>> again.
>
> OK, although you're making this more complicated than it needs to be.
>
> If you don't want to provide NTP service to the outside world, leave your existing
> deny rule in place but add permit rules to allow UDP traffic to and from the
> NTP servers which you want to sync time from.

OK, but I wonder what the best way to do that is.

Here are some lines from my /etc/ntp.conf file that would seem to be relevant:

    server 0.freebsd.pool.ntp.org iburst
    server 1.freebsd.pool.ntp.org iburst
    server 2.freebsd.pool.ntp.org iburst

Is it possible that the three host names given in these lines may possibly become associated with various *different* IPv4 addresses, over time? I would guess so, else why use host names, rather than fixed IPv4 dotted quad addresses?

I may be wrong, but as far as I know, ipfw rules need to be written with fixed IPv4 addresses (or fixed CIDRs). So what happens if I hard-code the IPv4 addresses associated with the above three host names into my ipfw rule set, and then, sometime later on, the relevant NTP servers get relocated to new addresses within the IPv4 address space?
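One way to deal with the moving-address problem raised above is to keep the addresses out of the ipfw rule entirely and put them in an ipfw lookup table that a cron job refreshes from the hostnames in /etc/ntp.conf. The script below is an added example, not code from the thread or from FreeBSD; it assumes ipfw table support, that table number 10 is free, that the ipfw rule set already contains something like "allow udp from table(10) 123 to me 123", and that the base-system "host" utility is the resolver.

```sh
#!/bin/sh
# Added example (not from the original thread): rebuild an ipfw lookup table
# from whatever addresses the pool hostnames in /etc/ntp.conf resolve to
# right now, so no IPv4 address is ever hard-coded in the firewall rules.
# Assumptions: ipfw has table support, table 10 is free, and a rule such as
#   ipfw add allow udp from table\(10\) 123 to me 123
# already references the table.

NTP_CONF="${NTP_CONF:-/etc/ntp.conf}"
TABLE="${NTP_TABLE:-10}"

# Print the hostnames named on "server" and "pool" lines; comment lines and
# other directives (restrict, driftfile, ...) start with a different word.
ntp_hosts() {
    awk '$1 == "server" || $1 == "pool" { print $2 }' "$1"
}

# Resolve one hostname to its current IPv4 addresses, one per line.
# "host" ships in the FreeBSD base system; a different resolver can be
# substituted by setting RESOLVE to another function or command name.
resolve_v4() {
    host -t A "$1" 2>/dev/null | awk '/has address/ { print $NF }'
}
RESOLVE="${RESOLVE:-resolve_v4}"

# Emit the ipfw commands that rebuild the table from scratch. Emitting
# instead of executing lets an admin review them first and then apply with:
#   ipfw_table_cmds /etc/ntp.conf | sh
ipfw_table_cmds() {
    conf="${1:-$NTP_CONF}"
    echo "ipfw table $TABLE flush"
    for h in $(ntp_hosts "$conf"); do
        for a in $("$RESOLVE" "$h"); do
            echo "ipfw table $TABLE add $a"
        done
    done
}
```

Because each pool hostname answers with a rotating subset of its members, the table only matches the servers ntpd resolved at roughly the same time, so the refresh should run at least as often as ntpd re-resolves; a stateful outbound rule ("allow udp from me to any 123 out keep-state") sidesteps the address question altogether while still refusing unsolicited inbound queries.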