On Thu, Oct 10, 2013 at 05:30:39PM +0600, ???? ??????? wrote:
| I use ntp already.
| I am about to switch icmp timestamps off (security people are afraid
| of that setting), just curious what was the purpose of it.

Uhm .. why?  Is your pf broken somehow?

block in on $interface inet proto icmp icmp-type { timereq, timerep }

I can understand you don't want to send anything in reply to spoofed
packets, but you're really better off filtering those with a firewall
instead of a knob per type of packet.


If you think this is going to improve the security of your host,
you're wrong (as pointed out by others).

If others tell you this improves the security of your host, tell them
they're wrong.

If they are not open to sane arguments: run.


Then, they can disable the sysctl themselves and wallow in their
awesome security while their site is XSS'd by 10-year-olds.

Paul 'WEiRD' de Weerd

-- 
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
                 http://www.weirdnet.nl/                 
