From owner-freebsd-security@FreeBSD.ORG  Fri Mar 21 15:25:29 2014
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id DD860FA1
 for <freebsd-security@freebsd.org>; Fri, 21 Mar 2014 15:25:29 +0000 (UTC)
Received: from sola.nimnet.asn.au (paqi.nimnet.asn.au [115.70.110.159])
 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by mx1.freebsd.org (Postfix) with ESMTPS id 5CE54955
 for <freebsd-security@freebsd.org>; Fri, 21 Mar 2014 15:25:28 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by sola.nimnet.asn.au (8.14.2/8.14.2) with ESMTP id s2LFPKlZ052479;
 Sat, 22 Mar 2014 02:25:20 +1100 (EST)
 (envelope-from smithi@nimnet.asn.au)
Date: Sat, 22 Mar 2014 02:25:19 +1100 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: "Ronald F. Guilmette" <rfg@tristatelogic.com>
Subject: Re: URGENT? (was: Re: NTP security hole CVE-2013-5211?)
In-Reply-To: <45158.1395348066@server1.tristatelogic.com>
Message-ID: <20140322000445.C31989@sola.nimnet.asn.au>
References: <45158.1395348066@server1.tristatelogic.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Cc: freebsd-security@freebsd.org
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Mar 2014 15:25:29 -0000

On Thu, 20 Mar 2014 13:41:06 -0700, Ronald F. Guilmette wrote:
[..]
 > I dearly hope that someone on this list who does in fact have commit privs
 > will jump on this Right Away.  I'm not persuaded that running a perfectly
 > configured ipfw... statefully, no less... should be an absolute prerequsite
 > for running any Internet-connected FreeBSD-based device that simply wishes
 > to always know the correct time.

Just on your last point: if your internet-connected device is providing
any services whatsoever on its outside interface (netstat -finet -an) 
then unless you're literally offering those services unrestricted to the 
planet at large, you need a firewall - or to be relying on one upstream.

As assorted experts have suggested, you need a stateful rule.  It's 
really not that hard; if you _only_ needed to protect ntp on udp:

 kldload ipfw && add 65000 allow ip from any to any	# load null fw
 ipfw add allow udp from me to any ntp out xmit $outsideif keep-state
 ipfw add deny udp from any to me ntp in recv $outsideif

Done.  Perfectly configured for this one purpose, statefully no less ..

Protect sshd likewise, if enabled.  Or use pf, as you prefer.  Going a 
bit further and dropping everything you didn't ask for makes more sense, 
and stats (eg ipfw -t show) may surprise re how much you're deflecting.

cheers, Ian