From owner-freebsd-security@FreeBSD.ORG Sat Mar 22 15:12:02 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id B908E4E6 for ; Sat, 22 Mar 2014 15:12:02 +0000 (UTC) Received: from mail-we0-x22f.google.com (mail-we0-x22f.google.com [IPv6:2a00:1450:400c:c03::22f]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 513927F3 for ; Sat, 22 Mar 2014 15:12:02 +0000 (UTC) Received: by mail-we0-f175.google.com with SMTP id q58so2311352wes.20 for ; Sat, 22 Mar 2014 08:12:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20120113; h=date:from:to:subject:message-id:in-reply-to:references:mime-version :content-type:content-transfer-encoding; bh=L4d6NAlMX/o4eegDTUiaKixXUkxnbzp8RL0bRq8UBE0=; b=htFZhkUXis2ODvv+6BuJ8B4OY9VPbIqDSyocNgO10Zj1xiStizLryzqiJ6o3yLBFEk wuTc2DLRaoAveajFNPejzxjy/Uw9I5l3x4bfFmiMVFsXJCA32g2Aj/SJsZAPR2iWfsC4 g0D67X8fR3vKiClP7jgM0u3Kms0VAHG0fP4cLPwxeU8QcuZnNz49d9c/mfPqsIUhQW1n a1Mw8/IBggasGoliOALpRfcYTCFoCxADaPZvsD3EL/5SrFuScRxAq8E1Mt2TPM0fhJmc 5gYkNX0o5yPDiqTvp1WyQyOSRjcINH3OsfUJ3RkZSye3N7YizezX1d79AeASc4T2Fd6F EHyg== X-Received: by 10.180.185.232 with SMTP id ff8mr3960386wic.25.1395501120232; Sat, 22 Mar 2014 08:12:00 -0700 (PDT) Received: from gumby.homeunix.com ([94.195.197.72]) by mx.google.com with ESMTPSA id hp5sm18024393wjb.0.2014.03.22.08.11.58 for (version=SSLv3 cipher=RC4-SHA bits=128/128); Sat, 22 Mar 2014 08:11:59 -0700 (PDT) Date: Sat, 22 Mar 2014 15:11:55 +0000 From: RW To: freebsd-security@freebsd.org Subject: Re: URGENT? (was: Re: NTP security hole CVE-2013-5211?) Message-ID: <20140322151155.184d5229@gumby.homeunix.com> In-Reply-To: <201403221454.IAA22021@mail.lariat.net> References: <51546.1395432085@server1.tristatelogic.com> <20140322182402.Q83569@sola.nimnet.asn.au> <201403221454.IAA22021@mail.lariat.net> X-Mailer: Claws Mail 3.9.3 (GTK+ 2.24.22; amd64-portbld-freebsd10.0) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 22 Mar 2014 15:12:02 -0000 On Sat, 22 Mar 2014 08:48:40 -0600 Brett Glass wrote: > This is correct. And that's awkward, because you might not want all of > these checks in one place. Also, if there are many dynamic rules this > will slow traffic down quite a bit. It should be the other way around. Once a flow has been learned it's just a simple hash-table lookup once you hit the first stateful rule. In pf most packets bypass the rules altogether.