URGENT? (was: Re: NTP security hole CVE-2013-5211?)
Ian Smith
smithi at nimnet.asn.au
Fri Mar 21 15:25:29 UTC 2014
On Thu, 20 Mar 2014 13:41:06 -0700, Ronald F. Guilmette wrote:
[..]
> I dearly hope that someone on this list who does in fact have commit privs
> will jump on this Right Away. I'm not persuaded that running a perfectly
> configured ipfw... statefully, no less... should be an absolute prerequsite
> for running any Internet-connected FreeBSD-based device that simply wishes
> to always know the correct time.
Just on your last point: if your internet-connected device is providing
any services whatsoever on its outside interface (netstat -finet -an)
then unless you're literally offering those services unrestricted to the
planet at large, you need a firewall - or to be relying on one upstream.
As assorted experts have suggested, you need a stateful rule. It's
really not that hard; if you _only_ needed to protect ntp on udp:
kldload ipfw && add 65000 allow ip from any to any # load null fw
ipfw add allow udp from me to any ntp out xmit $outsideif keep-state
ipfw add deny udp from any to me ntp in recv $outsideif
Done. Perfectly configured for this one purpose, statefully no less ..
Protect sshd likewise, if enabled. Or use pf, as you prefer. Going a
bit further and dropping everything you didn't ask for makes more sense,
and stats (eg ipfw -t show) may surprise re how much you're deflecting.
cheers, Ian
More information about the freebsd-security
mailing list