IPFW and NTP

Greetings,

I have been working on my home server and all is going well. I compiled my kernel with IPFW, and set up the config to use "SIMPLE" rules rather than define my own. The main reason is lack of knowledge on what should be open and what should be closed. I thought SIMPLE would be enough until I got NTP up and running. If I close my firewall, my clients get the time just fine; if I raise the firewall, they are denied. Can I make a simple change in rc.firewall to fix this?

Thanks!
Dana
 
The simplest way would be to allow UDP port 123 through; both incoming and outgoing.

Code:
ipfw add pass udp from any to any 123
 
I tried it, and it didn't work for me. Here is the code that is already in place
Code:
# Allow NTP queries out in the world
	${fwcmd} add pass udp from me to any 123 keep-state

The server will pull in time from the internet during boot. If I comment out this line it won't get the time during boot. As of right now, my Windows laptop can't even pull in time from the Windows time site.
 
danaeckel said:
I tried it ...
Code:
... from me to any ...

Did you really try what Ajira suggested? Namely:
Code:
... from any to any ...

me is a synonym for all the interfaces of your server only; that means the network interfaces of your clients are not covered by this rule.
 
Yeah, I did. I tried it by itself, then the server wouldn't get the time. I tried it with the other line I submitted, and the clients wouldn't get the time. I also changed the line above from "me to any" to "any to any".

Dana
 
Something new just popped up, now when my client went to renew DHCP my server cut off access. Once again re-activated after I deactivated the firewall. Is there a place I can get a new rc.firewall file? I think I may have tweaked it too much.
 
Thank you.
I downloaded the file, but it didn't fix anything. The SIMPLE firewall setting blocks DHCP as well as NTP. Is this normal? Am I going to have to define firewall rules?
 
In my firewall the directive is:

Code:
ipfw add allow udp from any to any 123 via any

and it works perfectly. Try it. Also, if you have ntpd running, kill it for testing purposes and issue at the command prompt:

Code:
ntpdate pool.ntp.org

to check the result.
 
Code:
ipfw add allow udp from me to any ntp out via $NET_IF uid root keep-state

Don't know why, but I have keep-state for the ntp rule. I know UDP is stateless; however, I think I had a problem with ntp without keep-state.

Perhaps my memory is playing tricks on me, or it's a bug in ipfw.
 
UDP is stateless by nature, but a firewall can handle a UDP connection in a stateful way: the first packet seen creates a state and also determines the direction of the connection.
 
UDP "state" is derived from the combination of source IP:port, and destination IP:port. That's why you need to keep state on UDP rules.
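The two points made in this thread (that "me" only covers the server's own interfaces, so a rule "from me to any 123" never matches a LAN client's packets passing through the server, and that a keep-state rule records the src ip:port / dst ip:port of the first UDP packet and lets the reply back in) can be checked with a small model of ipfw's matching. The following Python is an added illustration, not code from the thread or from FreeBSD: it assumes the server is the gateway the clients' NTP traffic is forwarded through, that ntpd on the server queries from source port 123, and that the dynamic table is consulted before the static rules (as a leading check-state rule would do). All addresses, ports and rule sets are constructed.

```python
"""
Toy model of ipfw dynamic ("keep-state") matching for UDP.

Added illustration, not code from the thread or from FreeBSD's ipfw. It
models only what the thread describes: a keep-state rule records
src ip:port / dst ip:port on the first packet, that entry then passes the
reply in the other direction, and "me" stands for the firewall host's own
addresses. Addresses, ports and rule sets below are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Constructed addresses: the server is the gateway between LAN and internet.
SERVER_LAN = "192.168.1.1"
SERVER_WAN = "203.0.113.10"
CLIENT = "192.168.1.20"
NTP_SERVER = "198.51.100.5"
ME = {SERVER_LAN, SERVER_WAN}  # what ipfw's "me" keyword stands for here


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec == "me":
        return addr in ME
    return spec == addr


@dataclass
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # "any", "me" or an address
    dst: str
    dport: Optional[int] = None  # None matches any destination port
    keep_state: bool = False

    def matches(self, p: Packet) -> bool:
        return (_addr_matches(self.src, p.src)
                and _addr_matches(self.dst, p.dst)
                and (self.dport is None or self.dport == p.dport))


class Firewall:
    """Static rules in order, plus the dynamic table that keep-state fills."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.dynamic: Set[Tuple[str, int, str, int]] = set()

    def filter(self, p: Packet) -> str:
        # Dynamic entries match in both directions; that is what lets the
        # reply to a query matched by a keep-state rule back in. Assumed to
        # be consulted before the static rules (a leading check-state rule).
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.dynamic or rev in self.dynamic:
            return "allow"
        for r in self.rules:
            if r.matches(p):
                if r.action == "allow" and r.keep_state:
                    self.dynamic.add(fwd)  # first packet creates the state
                return r.action
        return "deny"  # default deny, as at the end of the SIMPLE rule set


def ntp_exchange(rules, querier: str, sport: int) -> Tuple[str, str]:
    """Verdicts for (query out to the NTP server, reply back to the querier)."""
    fw = Firewall(rules)
    query = Packet(querier, sport, NTP_SERVER, 123)
    reply = Packet(NTP_SERVER, 123, querier, sport)
    return fw.filter(query), fw.filter(reply)


# The thread's rule, "from me to any 123 keep-state": fine for the server
# itself, useless for a LAN client whose packets merely pass through it.
ME_ONLY = [Rule("allow", "me", "any", 123, keep_state=True)]
# "from any to any 123" plus keep-state: covers forwarded client traffic too.
ANY_STATEFUL = [Rule("allow", "any", "any", 123, keep_state=True)]
# "from any to any 123" without state: only works while the reply's
# destination port is also 123, i.e. while the client queries from port 123.
ANY_STATELESS = [Rule("allow", "any", "any", 123)]

if __name__ == "__main__":
    print("server, me-only rule:      ", ntp_exchange(ME_ONLY, SERVER_WAN, 123))
    print("client, me-only rule:      ", ntp_exchange(ME_ONLY, CLIENT, 123))
    print("client, any + keep-state:  ", ntp_exchange(ANY_STATEFUL, CLIENT, 50000))
    print("client, any, no state, 123:", ntp_exchange(ANY_STATELESS, CLIENT, 123))
    print("client, any, no state, eph:", ntp_exchange(ANY_STATELESS, CLIENT, 50000))
```

The last two cases are why the keep-state question keeps coming up in the thread: with no dynamic entry, "to any 123" only passes the reply if the client sent from port 123 (ntpd does; a client using an unprivileged source port, such as ntpdate -u, does not), so a stateless rule can appear to work for one client and fail for another.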
 
The original line needs to be deleted, right? Any hints or tips about the DHCP issue? Also a side question: why wouldn't it work with the SIMPLE firewall? Is it just that secure, or a bug? If it is secure, I am quite impressed with how secure it is.
 