From owner-freebsd-security@FreeBSD.ORG Fri Mar 21 23:19:00 2014
Message-ID: <532CC8CF.4030508@elischer.org>
Date: Fri, 21 Mar 2014 16:18:39 -0700
From: Julian Elischer
To: Brett Glass, "Ronald F. Guilmette"
Cc: freebsd-security@freebsd.org
Subject: Re: NTP security hole CVE-2013-5211?
References: <201403210421.WAA05406@mail.lariat.net>
In-Reply-To: <201403210421.WAA05406@mail.lariat.net>
List-Id: "Security issues [members-only posting]"

On 3/20/14, 9:20 PM, Brett Glass wrote:
> At 03:37 PM 3/20/2014, Ronald F. Guilmette wrote:
>
>> Starting from these lines in my /etc/ntp.conf file:
>>
>> server 0.freebsd.pool.ntp.org iburst
>> server 1.freebsd.pool.ntp.org iburst
>> server 2.freebsd.pool.ntp.org iburst
>>
>> I resolved each of those three host names to _all_ of its associated
>> IPv4 addresses. This yielded me the following list:
>>
>> 50.116.38.157
>> 69.50.219.51
>> 69.55.54.17
>> 69.167.160.102
>> 108.61.73.244
>> 129.250.35.251
>> 149.20.68.17
>> 169.229.70.183
>> 192.241.167.38
>> 199.7.177.206
>> 209.114.111.1
>> 209.118.204.201

You can't use this list because the members of the pool change over time.
You need the following rules, placed in the correct places in your ruleset:

    check-state
    allow udp from me to any 123 out via ${oif} keep-state

Unless a UDP packet first exits via the second rule, the first will not
match, and the packet will continue on to further rules (which should
throw it away, one hopes). Once an outgoing UDP packet to port 123 has
been seen on the second rule, any response will be allowed for the next
N seconds (it's some small integer, from memory). Any copy of that packet
that comes after the timeout will be dropped again.

>
> [Snip]
>
> All of this is good. However, remember that anyone who can spoof IPs
> will know that the above addresses are the defaults for any FreeBSD
> machine and can take advantage of these "holes" in your firewall.
>
> --Brett Glass
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to
> "freebsd-security-unsubscribe@freebsd.org"
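The check-state / keep-state behaviour Julian describes, as an added simulation that is not part of this thread or of ipfw itself. It models the dynamic-rule table ipfw builds behind the two rules: an outbound UDP packet to port 123 creates an entry keyed on the 4-tuple, an inbound packet is allowed only if it matches an existing entry (and refreshes its timer), and entries die after a lifetime. The 10-second lifetime is the default of net.inet.ip.fw.dyn_udp_lifetime; the addresses are constructed from documentation ranges and stand in for "me" and two pool members. Note that ntpd sends from source port 123, so the 4-tuple an attacker would need to spoof is predictable; the simulation shows that such a spoof is dropped unless it lands inside the window opened by a real poll, which is the residual exposure behind Brett's point.

```python
"""Simulation of ipfw check-state / keep-state for outbound NTP (added example).

The two rules being modelled, in the order they must appear in the ruleset:

    check-state
    allow udp from me to any 123 out via ${oif} keep-state

followed (assumed) by a trailing deny that catches everything else.
"""
from dataclasses import dataclass

DYN_UDP_LIFETIME = 10.0  # net.inet.ip.fw.dyn_udp_lifetime default, seconds


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "in" or "out"
    t: float        # arrival time in seconds


class StatefulFirewall:
    """Minimal model of the dynamic-rule table behind keep-state."""

    def __init__(self, me: str, lifetime: float = DYN_UDP_LIFETIME):
        self.me = me
        self.lifetime = lifetime
        self.dyn = {}  # (src, sport, dst, dport) -> expiry time

    def _expire(self, now: float) -> None:
        # Entries whose timer has run out are gone; later copies are dropped.
        self.dyn = {k: exp for k, exp in self.dyn.items() if exp > now}

    def filter(self, pkt: Packet) -> str:
        self._expire(pkt.t)
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)

        # Rule 1: check-state. A packet matching a dynamic entry in either
        # direction is allowed and the entry's timer is refreshed.
        for key in (fwd, rev):
            if key in self.dyn:
                self.dyn[key] = pkt.t + self.lifetime
                return "allow(dynamic)"

        # Rule 2: allow udp from me to any 123 out keep-state.
        # Only our own outbound poll creates a dynamic entry.
        if pkt.direction == "out" and pkt.src == self.me and pkt.dport == 123:
            self.dyn[fwd] = pkt.t + self.lifetime
            return "allow(keep-state)"

        # Nothing matched: falls through to the trailing deny.
        return "deny"


def run_scenario() -> dict:
    """Replay constructed traffic against the two rules; returns verdicts by name."""
    me = "192.0.2.10"           # constructed: the client running ntpd
    server = "198.51.100.7"     # constructed: a pool member we poll
    other = "203.0.113.5"       # constructed: a pool member we never polled
    fw = StatefulFirewall(me)
    r = {}
    # A spoofed "reply" that arrives before any poll: no dynamic entry, denied.
    r["spoof_before_poll"] = fw.filter(Packet(server, 123, me, 123, "in", 0.0))
    # Our poll leaves via rule 2 and opens the window (expires at t=11.0).
    r["poll"] = fw.filter(Packet(me, 123, server, 123, "out", 1.0))
    # The genuine reply matches the reversed tuple via check-state.
    r["reply"] = fw.filter(Packet(server, 123, me, 123, "in", 1.2))
    # A second copy (genuine or spoofed) inside the window is still allowed.
    r["copy_in_window"] = fw.filter(Packet(server, 123, me, 123, "in", 9.0))
    # A packet from a pool address we never polled has no entry: denied.
    r["unpolled_server"] = fw.filter(Packet(other, 123, me, 123, "in", 1.5))
    # Well after the refreshed timer (last refresh 9.0 + 10 s): denied again.
    r["copy_after_timeout"] = fw.filter(Packet(server, 123, me, 123, "in", 25.0))
    return r


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:22s} {verdict}")
```

The design point the simulation makes explicit: the allow is tied to a poll this host actually sent, not to a fixed address list, so a changing pool membership needs no firewall edits and an unsolicited packet from a pool address is dropped. What remains is the few seconds after each poll during which a packet forged with the right server address and port pair would pass.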