[ntp:questions] Mitigating the ::1 spoof vulnerability
David Woolley
david at ex.djwhome.demon.invalid
Fri Feb 6 13:44:23 UTC 2015
On 06/02/15 12:17, Marco Marongiu wrote:
> I'm referring to this one in particular: "::1 can be spoofed on some
> OSes, so ACLs based on IPv6 ::1 addresses can be bypassed".
>
> Debian Squeeze doesn't have a patched package available in the
> squeeze-lts series yet. On those clients would a restriction like
>
> restrict ::1 ignore
>
> mitigate the vulnerability?
>
Sounds more like you need to fix the firewall. Firewalls should not
allow incoming source address 127.0.0.1 and internet level firewalls
should not allow private use only source addresses.
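A check for the kind of filtering the reply describes, as an added example that is not part of the original thread: it scans `iptables-save` or `ip6tables-save` output for a rule that drops loopback-sourced packets arriving on any interface other than `lo`, placed ahead of any ACCEPT rule that is not bound to `lo`. The rulesets are constructed samples, the function names are hypothetical, and the parser assumes every option takes exactly one argument.

```python
import ipaddress
import shlex

# Loopback ranges that must never appear as a source on a real interface.
LOOPBACK = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]

def parse_rule(line, chain):
    """Parse one '-A <chain> ...' line into a dict; None for any other line."""
    tok = shlex.split(line)
    if tok[:2] != ["-A", chain]:
        return None
    rule = {"src": None, "iface": None, "iface_neg": False, "target": None, "extra": False}
    neg, i = False, 2
    while i < len(tok):
        flag = tok[i]
        if flag == "!":                      # negation applies to the next option
            neg, i = True, i + 1
            continue
        arg = tok[i + 1] if i + 1 < len(tok) else None
        if flag in ("-s", "--source") and not neg:
            rule["src"] = arg
        elif flag in ("-i", "--in-interface"):
            rule["iface"], rule["iface_neg"] = arg, neg
        elif flag in ("-j", "--jump"):
            rule["target"] = arg
        else:
            rule["extra"] = True             # any other match narrows the rule
        neg, i = False, i + 2
    return rule

def is_loopback_only(cidr):
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == lo.version and net.subnet_of(lo) for lo in LOOPBACK)

def drops_spoofed_loopback(ruleset, chain="INPUT"):
    """True if an unconditional anti-spoof DROP precedes any non-lo ACCEPT."""
    for rule in (parse_rule(line, chain) for line in ruleset.splitlines()):
        if rule is None:
            continue
        on_lo = rule["iface"] == "lo" and not rule["iface_neg"]
        off_lo = rule["iface"] == "lo" and rule["iface_neg"]
        if (rule["target"] == "DROP" and off_lo and not rule["extra"]
                and rule["src"] and is_loopback_only(rule["src"])):
            return True
        if rule["target"] == "ACCEPT" and not on_lo:
            return False                     # an earlier ACCEPT could admit the packet
    return False

# Constructed sample rulesets (not taken from any real host).
GOOD_V6 = "*filter\n-A INPUT -i lo -j ACCEPT\n-A INPUT -s ::1/128 ! -i lo -j DROP\n-A INPUT -p udp -m udp --dport 123 -j ACCEPT\nCOMMIT"
BAD_V6 = "*filter\n-A INPUT -p udp -m udp --dport 123 -j ACCEPT\n-A INPUT -s ::1/128 ! -i lo -j DROP\nCOMMIT"
```
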