[ntp:questions] Mitigating the ::1 spoof vulnerability

David Woolley david at ex.djwhome.demon.invalid
Fri Feb 6 13:44:23 UTC 2015


On 06/02/15 12:17, Marco Marongiu wrote:

> I'm referring to this one in particular: "::1 can be spoofed on some
> OSes, so ACLs based on IPv6 ::1 addresses can be bypassed".
>
> Debian Squeeze doesn't have a patched package available in the
> squeeze-lts series yet. On those clients would a restriction like
>
> restrict ::1 ignore
>
> mitigate the vulnerability?
>

Sounds more like you need to fix the firewall.  Firewalls should not 
allow incoming source address 127.0.0.1 and internet level firewalls 
should not allow private use only source addresses.
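
The filtering policy described in the reply above, as an added example that is not part of the original post: a Python function that decides whether a packet's source address is plausible for the interface it arrived on. The interface names, the `ingress_verdict` helper and the sample packets are constructed for illustration, and the IPv4-mapped case goes beyond the addresses named in the thread.

```python
import ipaddress

# Loopback sources must never arrive from the wire.
LOOPBACK = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128")]
# Private-use ranges (RFC 1918 and IPv6 unique local, RFC 4193).
PRIVATE_USE = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def _normalize(src):
    """Parse src and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) to IPv4."""
    addr = ipaddress.ip_address(src)
    mapped = getattr(addr, "ipv4_mapped", None)
    return mapped if mapped is not None else addr


def _in_any(addr, networks):
    """True if addr falls inside any network of the same IP version."""
    return any(addr.version == n.version and addr in n for n in networks)


def ingress_verdict(iface, src, internet_facing=False, loopback_iface="lo"):
    """Return (verdict, reason) for a packet received on iface from src."""
    addr = _normalize(src)
    if _in_any(addr, LOOPBACK) and iface != loopback_iface:
        return "DROP", "loopback source on non-loopback interface"
    if internet_facing and _in_any(addr, PRIVATE_USE):
        return "DROP", "private-use source on internet-facing interface"
    return "ACCEPT", "source plausible for this interface"


# Constructed sample packets: (interface, source, internet_facing).
# Interface names are assumptions; 2001:db8::/32 is the documentation prefix.
SAMPLES = [
    ("lo",   "::1",              False),
    ("eth0", "::1",              False),
    ("eth0", "127.0.0.1",        False),
    ("eth0", "::ffff:127.0.0.1", False),
    ("eth0", "192.168.1.10",     False),
    ("wan0", "192.168.1.10",     True),
    ("wan0", "fd00::5",          True),
    ("wan0", "2001:db8::7",      True),
]

if __name__ == "__main__":
    for iface, src, facing in SAMPLES:
        verdict, reason = ingress_verdict(iface, src, facing)
        print(f"{iface:5} {src:18} {verdict:6} {reason}")
```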


