On 16 Mar 2014, at 13:00, [email protected] wrote:

> Message: 3
> From: Julian Elischer <[email protected]>
> Subject: Re: NTP security hole CVE-2013-5211?
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
> 
> the best solution is to add a firewall stateful rule so that the ONLY 
> port 123 udp packet that gets in is one that is a response to one you 
> sent out first.

No.

This is adding complexity to things which shouldn’t be complex.
Of course multiple layers defend better than a single one, but
not all FreeBSD boxes run with the firewall turned on, and we shouldn’t
require people to have it on for ‘secure’ ntp operation.

/etc/ntp.conf should by default have secure posture and shouldn’t
require any additional firewalling to remain so.

-- 
"There's no sense in being precise when |               Łukasz Bromirski
 you don't know what you're talking     |      jid:[email protected]
 about."               John von Neumann |    http://lukasz.bromirski.net
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[email protected]"
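The kind of default posture Łukasz argues for, shown here as an added ntp.conf fragment (written for this page, not taken from the thread or from FreeBSD's shipped configuration): the permissive form that leaves the CVE-2013-5211 monlist reply reachable from anywhere, beside the hardened form that needs no firewall to stay safe. The upstream server names are placeholders.

```conf
# Added example, not part of the thread or of FreeBSD's stock /etc/ntp.conf.
# Server names are placeholders; substitute your own upstream sources.

# --- Permissive posture (what not to ship as a default) ---
# Time is served to everyone, but so are ntpq/ntpdc control queries,
# so any host on the Internet can request monlist (CVE-2013-5211) and
# use the large reply for UDP amplification against a spoofed source.
# server 0.pool.example iburst
# restrict default nomodify notrap        # still answers monitor/control queries

# --- Hardened posture (secure without any firewall rule) ---
server 0.pool.example iburst
server 1.pool.example iburst

# Unknown hosts get plain time service and nothing else.
#   kod      send a Kiss-o'-Death packet when a request is refused
#   nomodify refuse runtime configuration changes
#   notrap   refuse control-message trap service
#   nopeer   refuse to form an association with an unsolicited peer
#   noquery  refuse ntpq/ntpdc queries, which is what blocks monlist
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# The local administrator may still inspect status from the box itself.
restrict 127.0.0.1
restrict -6 ::1

# Belt and braces: keep no monitor (MRU) list at all, so there is nothing
# for monlist to return even if a restrict line is loosened later.
disable monitor
```

Whether the hardened form is in effect can be confirmed from the host itself with `ntpq -p` (works, via the loopback restrict line) while the same query from another machine is refused.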
