On Thu, 20 Mar 2014 13:41:06 -0700, Ronald F. Guilmette wrote: [..] > I dearly hope that someone on this list who does in fact have commit privs > will jump on this Right Away. I'm not persuaded that running a perfectly > configured ipfw... statefully, no less... should be an absolute prerequsite > for running any Internet-connected FreeBSD-based device that simply wishes > to always know the correct time. Just on your last point: if your internet-connected device is providing any services whatsoever on its outside interface (netstat -finet -an) then unless you're literally offering those services unrestricted to the planet at large, you need a firewall - or to be relying on one upstream. As assorted experts have suggested, you need a stateful rule. It's really not that hard; if you _only_ needed to protect ntp on udp: kldload ipfw && add 65000 allow ip from any to any # load null fw ipfw add allow udp from me to any ntp out xmit $outsideif keep-state ipfw add deny udp from any to me ntp in recv $outsideif Done. Perfectly configured for this one purpose, statefully no less .. Protect sshd likewise, if enabled. Or use pf, as you prefer. Going a bit further and dropping everything you didn't ask for makes more sense, and stats (eg ipfw -t show) may surprise re how much you're deflecting. cheers, Ian _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"