SLUG Mailing List Archives
Re: [SLUG] Firewall security audit report
- To: Howard Lowndes <lannet@xxxxxxxxxxxxx>
- Subject: Re: [SLUG] Firewall security audit report
- From: Crossfire <xfire@xxxxxxxx>
- Date: Wed Feb 28 22:06:01 2001
- Cc: chesty <chesty@xxxxxxxxxx>, SLUG Mailing list <slug@xxxxxxxxxxx>
- User-agent: Mutt/1.2.5i
Howard Lowndes was once rumoured to have said:
> On Wed, 28 Feb 2001, Crossfire wrote:
>> Howard Lowndes was once rumoured to have said:
>>> Can you do stateful inspections on ntp though? It runs on udp. Is this
>>> possible? You can define what servers you will accept ntp from, but
>>> surely the source IP could be easily spoofed anyway. I don't know how you
>>> would go trying to do an auth transfer from, say, CSIRO.
>> Yes. NTP is a very simple protocol.
>> You open the return path once you send the NTP "request" packet, and
>> close it within a reasonable timeframe. If you're getting a large
>> number of reply packets any other time, you just block, and don't
> I can see how this would be done if you were using something like cron,
> ipchains and ntpdate to query the server - something like "cron, include
> ipchain ACCEPT rule, ntpdate, sleep for a few seconds, delete ipchain
> rule", but what if you want to do the auto synch thing with your server as
> a strata server. In this case the synch timing is handled by the ntpd
> daemon itself, or perhaps the ntpd daemon shouldn't be used like this.
Hence why you use stateful inspection firewalls, not ipchains.
ipchains is completely inflexible in this regard.
Crossfire | This email was brought to you
xfire@xxxxxxxx | on 100% Recycled Electrons
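The stateful UDP handling Crossfire describes (open the return path when the NTP request goes out, close it after a short window), modelled as an added example that is not part of this thread: a toy connection tracker in Python rather than a real firewall. The addresses, the 5-second window and all names are assumed.

```python
from dataclasses import dataclass

NTP_PORT = 123
REPLY_WINDOW = 5.0  # seconds; assumed value for "a reasonable timeframe"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ts: float  # arrival time in seconds

class StatefulNtpFilter:
    """Open a return path when a local host sends an NTP request; close it
    again once REPLY_WINDOW seconds have passed (the behaviour Crossfire describes)."""

    def __init__(self, allowed_servers, window=REPLY_WINDOW):
        self.allowed = set(allowed_servers)
        self.window = window
        self.pending = {}  # (client_ip, client_port, server_ip) -> expiry time

    def outbound(self, pkt):
        # Only requests to configured servers create state. ntpd's own periodic
        # polls look exactly like this, so no cron/ntpdate dance is needed.
        if pkt.dport == NTP_PORT and pkt.dst in self.allowed:
            self.pending[(pkt.src, pkt.sport, pkt.dst)] = pkt.ts + self.window
            return "ACCEPT"
        return "DROP"

    def inbound(self, pkt):
        # Expire stale state, then admit a reply only if it matches an open entry.
        # A spoofed reply inside the window still passes: the window limits
        # exposure, only NTP authentication removes it.
        self.pending = {k: t for k, t in self.pending.items() if t > pkt.ts}
        if pkt.sport == NTP_PORT and (pkt.dst, pkt.dport, pkt.src) in self.pending:
            return "ACCEPT"
        return "DROP"

def demo():
    """Constructed traffic: one ntpd poll followed by three stray packets."""
    fw = StatefulNtpFilter(allowed_servers=["203.0.113.5"])
    client, server, stranger = "192.0.2.10", "203.0.113.5", "198.51.100.7"
    return [
        fw.outbound(Packet(client, 123, server, 123, 0.0)),   # ntpd poll
        fw.inbound(Packet(server, 123, client, 123, 0.1)),    # prompt reply
        fw.inbound(Packet(stranger, 123, client, 123, 0.2)),  # unsolicited
        fw.inbound(Packet(server, 123, client, 123, 30.0)),   # after the window
    ]
```

An ipchains-style static ACCEPT for port 123 has no `pending` table at all, which is why the cron/ntpdate workaround quoted above was the only way to approximate this.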