From: "Ronald F. Guilmette"
cc: freebsd-security@freebsd.org
Subject: Re: NTP security hole CVE-2013-5211?
In-Reply-To: <532CC8CF.4030508@elischer.org>
Date: Fri, 21 Mar 2014 17:10:47 -0700
Message-ID: <53019.1395447047@server1.tristatelogic.com>

In message <532CC8CF.4030508@elischer.org>, Julian Elischer wrote:

>You can't use this list because the members of the pool change over time.

Yes. I've understood that now. Thank you.

>you need the following rules placed in the correct places in your ruleset.
>
>check-state
> and
>allow udp from me to any 123 out via ${oif} keep-state.

I've implemented this now, and it seems to be working great.

My sincere thanks to everyone who stepped forward to help.

Regards,
rfg
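An added illustration, not part of the original message and not ipfw's own code: a simplified Python model of the quoted `check-state` / `keep-state` pair, showing why replies from whichever pool server was queried pass while unsolicited packets to port 123 do not. The class and function names, the 10-second state lifetime, the default deny for all other traffic and the sample addresses are assumptions constructed for this example.

```python
from dataclasses import dataclass

UDP_LIFETIME = 10  # seconds a UDP dynamic rule lives (assumed value for this model)


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" or "in" on the external interface
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    """Models: check-state; allow udp from me to any 123 out keep-state; deny."""

    def __init__(self, me):
        self.me = me
        self.states = {}  # flow key -> expiry time of the dynamic rule

    @staticmethod
    def _flow_key(p):
        # Direction-independent, so a reply matches the state its query created.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def filter(self, p, now):
        key = self._flow_key(p)
        if self.states.get(key, -1) > now:  # check-state: live dynamic rule
            self.states[key] = now + UDP_LIFETIME
            return "allow (check-state)"
        self.states.pop(key, None)  # drop expired state, if any
        if p.direction == "out" and p.src == self.me and p.dport == 123:
            self.states[key] = now + UDP_LIFETIME  # keep-state
            return "allow (keep-state)"
        return "deny"  # assumed default for everything else, incl. unsolicited NTP


def demo():
    # All addresses are constructed (documentation ranges).
    fw = StatefulFilter(me="192.0.2.10")
    query = Packet("out", "192.0.2.10", 123, "198.51.100.7", 123)
    reply = Packet("in", "198.51.100.7", 123, "192.0.2.10", 123)
    probe = Packet("in", "203.0.113.99", 51000, "192.0.2.10", 123)  # unsolicited
    other = Packet("out", "192.0.2.10", 123, "198.51.100.200", 123)  # new pool member
    return [fw.filter(query, 0), fw.filter(reply, 1), fw.filter(probe, 2),
            fw.filter(other, 3), fw.filter(reply, 60)]
```

The last call in `demo()` shows a packet from a previously queried server being denied once its state has expired, and the fourth shows a new pool member being reachable without any change to the rules.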