From owner-freebsd-security@FreeBSD.ORG Fri Mar 21 15:25:29 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id DD860FA1 for ; Fri, 21 Mar 2014 15:25:29 +0000 (UTC) Received: from sola.nimnet.asn.au (paqi.nimnet.asn.au [115.70.110.159]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 5CE54955 for ; Fri, 21 Mar 2014 15:25:28 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by sola.nimnet.asn.au (8.14.2/8.14.2) with ESMTP id s2LFPKlZ052479; Sat, 22 Mar 2014 02:25:20 +1100 (EST) (envelope-from smithi@nimnet.asn.au) Date: Sat, 22 Mar 2014 02:25:19 +1100 (EST) From: Ian Smith To: "Ronald F. Guilmette" Subject: Re: URGENT? (was: Re: NTP security hole CVE-2013-5211?) In-Reply-To: <45158.1395348066@server1.tristatelogic.com> Message-ID: <20140322000445.C31989@sola.nimnet.asn.au> References: <45158.1395348066@server1.tristatelogic.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Cc: freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 21 Mar 2014 15:25:29 -0000 On Thu, 20 Mar 2014 13:41:06 -0700, Ronald F. Guilmette wrote: [..] > I dearly hope that someone on this list who does in fact have commit privs > will jump on this Right Away. I'm not persuaded that running a perfectly > configured ipfw... statefully, no less... should be an absolute prerequsite > for running any Internet-connected FreeBSD-based device that simply wishes > to always know the correct time. Just on your last point: if your internet-connected device is providing any services whatsoever on its outside interface (netstat -finet -an) then unless you're literally offering those services unrestricted to the planet at large, you need a firewall - or to be relying on one upstream. As assorted experts have suggested, you need a stateful rule. It's really not that hard; if you _only_ needed to protect ntp on udp: kldload ipfw && add 65000 allow ip from any to any # load null fw ipfw add allow udp from me to any ntp out xmit $outsideif keep-state ipfw add deny udp from any to me ntp in recv $outsideif Done. Perfectly configured for this one purpose, statefully no less .. Protect sshd likewise, if enabled. Or use pf, as you prefer. Going a bit further and dropping everything you didn't ask for makes more sense, and stats (eg ipfw -t show) may surprise re how much you're deflecting. cheers, Ian