In message <[email protected]>, Julian Elischer writes:

>the best solution is to add a firewall stateful rule so that the ONLY 
>port 123 udp packet that gets in is one that is a response to one you 
>sent out first.

And to deny any packet which is too short:

        deny udp from any to any dst-port 123 iplen 0-75

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
[email protected]         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[email protected]"
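The two rules discussed in this message, modelled as an added example that is not part of the original mail and not ipfw's own code. The `NtpFilter` class and `build_packet` helper are hypothetical names, and the packets use constructed documentation-range addresses. The threshold follows from 20 bytes of IPv4 header plus 8 bytes of UDP header plus the 48-byte NTP header, so `iplen 0-75` matches anything shorter than a complete NTP packet.

```python
import struct

NTP_PORT = 123
MIN_NTP_IPLEN = 20 + 8 + 48  # IPv4 header + UDP header + 48-byte NTP header = 76

def build_packet(src, dst, sport, dport, payload_len):
    """Constructed sample: minimal IPv4/UDP packet, checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + payload_len, 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    udp = struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)
    return ip + udp + bytes(payload_len)

class NtpFilter:
    """Hypothetical model of the two rules; not ipfw's implementation."""

    def __init__(self):
        self.states = set()  # flows we initiated: (src, sport, dst, dport)

    def check(self, pkt, direction):
        ver_ihl, _, iplen, _, _, _, proto, _, src, dst = struct.unpack(
            "!BBHHHBBH4s4s", pkt[:20])
        if proto != 17:
            return "pass"  # not UDP, outside these rules
        ihl = (ver_ihl & 0x0F) * 4  # honour IP options when locating the UDP header
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        # deny udp from any to any dst-port 123 iplen 0-75
        if dport == NTP_PORT and iplen < MIN_NTP_IPLEN:
            return "deny"
        if direction == "out" and dport == NTP_PORT:
            self.states.add((src, sport, dst, dport))  # stateful rule: remember the query
            return "allow"
        if direction == "in":
            if (dst, dport, src, sport) in self.states:
                return "allow"  # response to a packet we sent out first
            if dport == NTP_PORT:
                return "deny"   # unsolicited port 123 traffic
        return "pass"

if __name__ == "__main__":
    fw = NtpFilter()
    print(fw.check(build_packet("192.0.2.10", "198.51.100.1", 123, 123, 48), "out"))
    print(fw.check(build_packet("198.51.100.1", "192.0.2.10", 123, 123, 48), "in"))
    print(fw.check(build_packet("203.0.113.5", "192.0.2.10", 4444, 123, 48), "in"))
    print(fw.check(build_packet("198.51.100.1", "192.0.2.10", 123, 123, 8), "in"))
```

The model keeps state forever; a real stateful firewall expires dynamic rules after a timeout.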
