Date: Sat, 22 Mar 2014 08:48:40 -0600
From: Brett Glass <brett@lariat.org>
To: Ian Smith <smithi@nimnet.asn.au>, "Ronald F. Guilmette" <rfg@tristatelogic.com>
Cc: freebsd-security@freebsd.org
Subject: Re: URGENT? (was: Re: NTP security hole CVE-2013-5211?)
Message-ID: <201403221454.IAA22021@mail.lariat.net>
In-Reply-To: <20140322182402.Q83569@sola.nimnet.asn.au>
References: <51546.1395432085@server1.tristatelogic.com> <20140322182402.Q83569@sola.nimnet.asn.au>
At 02:34 AM 3/22/2014, Ian Smith wrote:

> In that specific ruleset - for one specific purpose, remember - no. In
> general yes; in a ruleset containing other rules, check-state should be
> placed where you want packets tested against all active dynamic rules.

This is correct. And that's awkward, because you might not want all of these checks in one place. Also, if there are many dynamic rules this will slow traffic down quite a bit.

It's a general security principle that the daemons included with an OS should be secure on their own; they shouldn't, by default, require protection by a firewall. This is certainly true of ntpd, which is part of the base FreeBSD distribution.

The FreeBSD Project should set a good example, and conform to industry best practices, by making the system secure by default. This means including a default daemon configuration that is resistant to relaying and amplification of attacks. Adding the "disable monitor" and "kod" options to ntp.conf is a start, but sourcing queries from random source ports is much more important. It would create negligible overhead (because NTP queries have much lower volume than DNS) and would allow the daemon to defend ITSELF from abuse rather than relying on a stateful firewall.

As you've mentioned, Apple already does this in Darwin, a FreeBSD derivative. I haven't checked the latest releases of OpenBSD and NetBSD, but the older machines I have running these OSes appear to use randomized high ports for queries.

--Brett Glass
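As an added illustration of the ntp.conf hardening the message above refers to (this is example code written for this archive page, not something Brett or the FreeBSD Project posted), the following script parses an ntp.conf and reports whether the "disable monitor" line and the "kod"/"noquery" flags on "restrict default" are present. The two sample configurations are constructed for the example; the flag names are standard ntpd syntax.

```python
"""Audit an ntp.conf for the amplification-hardening settings discussed above."""

# Constructed sample configurations (not taken from the original message).
WEAK_CONF = """\
server 0.freebsd.pool.ntp.org iburst
restrict default nomodify      # answers mode 7 (monlist) queries for anyone
"""

HARDENED_CONF = """\
server 0.freebsd.pool.ntp.org iburst
disable monitor                # no monlist data to amplify
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
"""


def parse_ntp_conf(text):
    """Return (disabled_features, default_restrict_flags) from ntp.conf text."""
    disabled, default_flags = set(), set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        words = line.split()
        if words[0] == "disable":
            disabled.update(words[1:])
        elif words[0] == "restrict":
            args = words[1:]
            if args and args[0] in ("-4", "-6"):  # optional address-family flag
                args = args[1:]
            if args and args[0] == "default":
                default_flags.update(args[1:])
    return disabled, default_flags


def audit(text):
    """Return a list of findings; an empty list means the checks pass."""
    disabled, flags = parse_ntp_conf(text)
    findings = []
    if "monitor" not in disabled:
        findings.append("monitor not disabled: monlist replies can be used for amplification")
    if "noquery" not in flags:
        findings.append("restrict default lacks noquery: control queries answered for any source")
    if "kod" not in flags:
        findings.append("restrict default lacks kod: no Kiss-o'-Death responses to abusive clients")
    return findings
```

The script only inspects the configuration file; it says nothing about the source-port randomization the message argues is more important, which is a property of the daemon, not of ntp.conf.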