2013/10/11 Paul de Weerd <[email protected]>:
> On Thu, Oct 10, 2013 at 05:30:39PM +0600, ???? ??????? wrote:
> | I use ntp already.
> | I am about to switch icmp timestamps off (security people are afraid
> | of that setting), just curious what was the purpose of it.
>
> Uhm .. why? Is your pf broken somehow?
It is not broken.
>
> block in on $interface inet proto icmp icmp-type { timereq, timerep }
Does PF perform better than net.inet.icmp.tstamprepl=0?
>
> I can understand you don't want to send anything in reply to spoofed
> packets, but you're really better off filtering those with a firewall
> instead of a knob per type of packet.
>
>
> If you think this is going to improve the security of your host,
> you're wrong (as pointed out by others).
It is not about "improving security"; you got it wrong.
I was just curious why that timestamping is enabled by default.
>
> If others tell you this improves the security of your host, tell them
> they're wrong.
I wish they could understand what other people are talking about.
>
> If they are not open to sane arguments: run.
>
>
> Then, they can disable the sysctl themselves and wallow in their
> awesome security while their site is XSS'd by 10-year-olds.
Yeah, we found an XSS on their site a couple of months ago :-)
>
> Paul 'WEiRD' de Weerd
>
> --
>>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
> +++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
> http://www.weirdnet.nl/