From: Mark Andrews <marka@isc.org>
To: "Ronald F. Guilmette"
Cc: freebsd-security@freebsd.org
Subject: Re: URGENT? (was: Re: NTP security hole CVE-2013-5211?)
Date: Sat, 22 Mar 2014 11:17:45 +1100
Message-Id: <20140322001745.C296311AF38F@rock.dv.isc.org>
In-reply-to: <51546.1395432085@server1.tristatelogic.com>

In message <51546.1395432085@server1.tristatelogic.com>, "Ronald F. Guilmette" writes:

> In message <20140322000445.C31989@sola.nimnet.asn.au>,
> Ian Smith wrote:
>
> >As assorted experts have suggested, you need a stateful rule. It's
> >really not that hard; if you _only_ needed to protect ntp on udp:
> >
> > kldload ipfw && add 65000 allow ip from any to any # load null fw
> > ipfw add allow udp from me to any ntp out xmit $outsideif keep-state
> > ipfw add deny udp from any to me ntp in recv $outsideif
> >
> >Done. Perfectly configured for this one purpose, statefully no less ..
>
> Sounds great to me! However I've never really used any of the stateful
> ipfw stuff, so I'm venturing out into what, for me, are unfamiliar waters.
> So I hope you'll be kind and entertain a question or two, to help me
> understand exactly what I'm supposed to do.
>
> I've just skimmed over the page here:
>
> https://www.freebsd.org/doc/handbook/firewalls-ipfw.html
>
> and my questions are based on the tutorial information I've found there.
>
> First question: In addition to what you have written above, may I safely
> assume that I also need an additional rule, somewhere early in my entire
> (numbered) list of rules, that just simply says "check-state"?
>
> Second question: In the example text given just about half-way down on
> the web page cited above, within part of a big block of example rules I
> see this:
>
> # Allow outbound NTP
> $cmd 00260 allow tcp from any to any 37 out via $pif setup keep-state
>
> This is more than a little befuddling to me, for one simple reason... I had
> no idea until now that NTP could even make use of TCP, rather than, or in
> addition to UDP. But I did look in my /etc/services file and saw this:
>
> ntp 123/tcp #Network Time Protocol
> ntp 123/udp #Network Time Protocol
>
> so obviously, yes, both UDP and TCP can be used for the NTP protocol,
> rather like DNS, I gather.

No. IANA (Jon) just assigned/reserved both UDP and TCP for all protocols
at the time. HTTP is also listed as UDP and TCP but it is only TCP with
UDP reserved.

> But the example, noted above, as given
> within the FreeBSD Handbook appears to make the assumption that NTP is
> using TCP. That still leaves me a bit befuddled, because I had assumed...
> until now... that ntpd would be doing all of its communicating strictly
> via UDP. (I mean ntpd's use of UDP, rather than TCP, is _the_ essential
> thing that has given rise to all of these NTP reflection attacks, no?
> The IP address spoofing of the intended victim becomes one helluva lot
> harder if it has to be done within the context of TCP, rather than UDP,
> yes?)
>
> So, um, when, if ever, does ntpd use TCP, rather than UDP, and how would
> a sysadmin running ntpd tell it to use either UDP or TCP?

NTP uses UDP. Period.

> (My apologies if this is stuff that everybody else already knows. I sure
> don't.)
>
> Last question: Assuming that my local ntpd is strictly and only using
> UDP for all communication, would something like the following be a proper
> set of additions to my current ipfw rules?
>
> add 00101 check-state
> add 00500 pass udp from 123 to any 123 out via $pif keep-state
>
> If not, what should I use instead?
>
> Thanks in advance for all help & understanding.
>
> Regards,
> rfg

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
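A small lint for the ruleset questions raised in this thread, added here as an example and not part of the original mail: it parses ipfw rules of the shape quoted above, flags an ntp rule that is not udp and a source spec that carries a port but no address, and reports the rule at which ipfw consults its dynamic state (the first check-state rule, or else the first keep-state rule). The sample rules are constructed and the interface name em0 is assumed.

```python
import re

# Constructed sample (not verbatim from the thread): 500 is the rule from
# the question with "keep-state" joined, 600 a made-up tcp/ntp rule, 700 and
# 800 the stateful pair suggested earlier. Interface name em0 is assumed.
SAMPLE_RULESET = """\
add 00500 pass udp from 123 to any 123 out via em0 keep-state
add 00600 allow tcp from me to any ntp out via em0 setup keep-state
add 00700 allow udp from me to any ntp out xmit em0 keep-state
add 00800 deny udp from any to me ntp in recv em0
"""

RULE_RE = re.compile(r"^(?:add\s+)?(?P<num>\d+)\s+(?P<action>\S+)\s+(?P<proto>\S+)"
                     r"\s+from\s+(?P<src>.+?)\s+to\s+(?P<dst>.+?)(?:\s+(?P<opts>(?:in|out)\b.*))?$")
CHECK_STATE_RE = re.compile(r"^(?:add\s+)?(\d+)\s+check-state$")
NTP_PORTS = {"123", "ntp"}

def parse_rules(text):
    """Return (number, kind, match) triples sorted into ipfw evaluation order."""
    rules = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        cs = CHECK_STATE_RE.match(line)
        m = RULE_RE.match(line)
        if cs:
            rules.append((int(cs.group(1)), "check-state", None))
        elif m:
            rules.append((int(m["num"]), "rule", m))
    return sorted(rules, key=lambda r: r[0])

def lint_ruleset(text):
    """Flag a non-udp ntp rule and a source that has a port but no address."""
    problems = []
    for num, kind, m in parse_rules(text):
        if kind != "rule":
            continue
        src, dst = m["src"].split(), m["dst"].split()
        if src[0].isdigit() or src[0] in NTP_PORTS:
            problems.append((num, "source has a port but no address"))
        if (set(src[1:] + dst[1:]) & NTP_PORTS) and m["proto"] != "udp":
            problems.append((num, "ntp is udp only, rule uses " + m["proto"]))
    return problems

def dynamic_check_point(text):
    """Rule number at which ipfw consults the dynamic ruleset: the first
    check-state rule, or else the first keep-state/limit rule."""
    for num, kind, m in parse_rules(text):
        if kind == "check-state" or re.search(r"\b(keep-state|limit)\b", m["opts"] or ""):
            return num
    return None
```

Prepending a check-state rule with a lower number moves the dynamic lookup to that rule, which is what the first question asks about.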