On 3/20/14, 9:20 PM, Brett Glass wrote:
At 03:37 PM 3/20/2014, Ronald F. Guilmette wrote:
Starting from these lines in my /etc/ntp.conf file:
server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
server 2.freebsd.pool.ntp.org iburst
I resolved each of those three host names to _all_ of its associated
IPv4 addresses. This yielded me the following list:
50.116.38.157
69.50.219.51
69.55.54.17
69.167.160.102
108.61.73.244
129.250.35.251
149.20.68.17
169.229.70.183
192.241.167.38
199.7.177.206
209.114.111.1
209.118.204.201
You can't use this list because the members of the pool change over time.
you need the following rules placed in the correct places in your ruleset.
check-state
and
allow udp from me to any 123 out via ${oif} keep-state.
unless a udp packet first exits via the second rule, the first will
not match
and will continue on to further rules (which should throw it away one
hopes).
Once an outgoing udp packet to 123 has been seen on the second rule,
any response will be allowed for the next N seconds. (it's some small
integer from memory)
any copy o fhtat packet that comes after the timeout will be dropped
again.
[Snip]
All of this is good. However, remember that anyone who can spoof IPs
will know
that the above addresses are the defaults for any FreeBSD machine
and can
take advantage of these "holes" in your firewall.
--Brett Glass
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to
"[email protected]"
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[email protected]"
