NTP security hole CVE-2013-5211?
Poul-Henning Kamp
phk at phk.freebsd.dk
Sun Mar 16 07:21:39 UTC 2014
In message <5323C244.8050101 at freebsd.org>, Julian Elischer writes:
>the best solution is to add a firewall stateful rule so that the ONLY
>port 123 udp packet that gets in is one that is a response to one you
>sent out first.
And to deny any packet which is too short:
deny udp from any to any dst-port 123 iplen 0-75
--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk at FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
More information about the freebsd-security
mailing list