Solved ntpd_initres blocked by PF

I have this pf.conf file for testing:

Code:
#Test configuration
#Macros
tcp_services="{ ssh, smtp, domain, www, pop3, auth, https, pop3s, ntp, bootpc }"
udp_services="{ ntp, bootpc }"
#------------------------------------
# Block all connections to start with
block all
# Allow inbound tcp and udp to the listed services
pass in proto tcp to port $tcp_services
pass in proto udp to port $udp_services
# Allow outbound tcp and udp to the listed services
pass out proto tcp to port $tcp_services
pass out proto udp to port $udp_services

I'm getting the ntpd_initres[<pid>]: host name not found: x.freebsd.pool.ntp.org error.

edited: I commented out the block all line and everything works fine. So it seems that either ntpd_initres doesn't use the standard udp / tcp ntp 123 port, or it starts before the pf.conf file is loaded. In the ntpd(8) manual page, the description section states that this daemon uses the NTP protocol (and therefore I'm assuming port 123). What am I missing? Thanks.
 
The "host name not found" is the big tell here. Your current rules are very restrictive and you aren't allowing any outbound DNS requests to resolve that name to an address. The replies are taken care of since PF is a stateful firewall so you only need to allow outbound DNS.

/etc/pf.conf
Code:
udp_services="{ domain, ntp, bootpc }"

Most DNS requests are UDP; however, the general rule of thumb when it comes to services is that both TCP and UDP are marked for that service. You can see this if you look in /etc/services: DNS port 53 is both TCP and UDP. Realistically, TCP queries are generally confined to zone transfers between DNS servers. It's up to you and your needs to determine if you need to allow both TCP and UDP.
 
There are some pathological cases where a query has to be redone with TCP because UDP cannot do the job; SRV records that won't fit into a single UDP datagram are one such case, as far as I know.
 
Good point. I wouldn't have thought of that. There are the EDNS0 extensions as well, which are worth a read for a quick familiarization. Either way it is probably safest and simplest to just allow both TCP and UDP.

http://en.wikipedia.org/wiki/Extension_mechanisms_for_DNS
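Putting the two answers together (add domain to the UDP macro, and allow DNS over TCP as well for truncated replies), here is a corrected version of the original test ruleset. This is an added example, not a file from the thread; it assumes pflog is enabled on the box (pflog_enable="YES" in /etc/rc.conf) so the logged drops can be watched on pflog0.

```pf
# Corrected test ruleset (added example, not the OP's file).
# Macros: "domain" (port 53) is now in both lists, so the resolver can reach
# DNS over UDP and fall back to TCP when a reply is truncated.
tcp_services="{ ssh, smtp, domain, www, pop3, auth, https, pop3s, ntp, bootpc }"
udp_services="{ domain, ntp, bootpc }"
#------------------------------------
# Default deny. "log" copies every dropped packet to pflog0, which is how
# you spot a blocked DNS lookup instead of guessing from "host name not found".
block log all
# Inbound: packets arriving at this host's listed ports
pass in proto tcp to port $tcp_services
pass in proto udp to port $udp_services
# Outbound: this host's own lookups and NTP queries. pf keeps state on these
# rules by default, so the replies come back without any extra "pass in".
pass out proto tcp to port $tcp_services
pass out proto udp to port $udp_services
#------------------------------------
# Check and load:   pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf
# Watch the drops:  tcpdump -n -e -ttt -i pflog0 port 53
```

With the original macro (no domain), the tcpdump line shows the outbound port 53 datagrams being blocked before ntpd_initres ever gets an answer; with the corrected macro they no longer appear.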
 