From owner-freebsd-net@FreeBSD.ORG Thu Jul 17 23:35:39 2008
From: Max Laier
Organization: FreeBSD
To: freebsd-net@freebsd.org
Cc: Daniel Gerzo, Doug Barton
Date: Fri, 18 Jul 2008 01:35:35 +0200
Subject: Re: etc/rc.firewall6
In-Reply-To: <615CAFFA-48AF-4207-A838-B8AB58B6EE76@mac.com>
References: <743720911.20080717222210@rulez.sk> <487FC8B1.4070003@FreeBSD.org> <615CAFFA-48AF-4207-A838-B8AB58B6EE76@mac.com>
Message-Id: <200807180135.35912.max@love2party.net>
List-Id: Networking and TCP/IP with FreeBSD

On Friday 18 July 2008 01:21:28 Chuck Swiger wrote:
> On Jul 17, 2008, at 3:33 PM, Doug Barton wrote:
> [ ... ]
> > About the ntp stuff, 2 questions. First, you did not make the same
> > changes in the NTP section in the second hunk as you did in the
> > first, is that intentional? Second, wouldn't it be better to
> > specify the port number (123) on both sides? NTP uses that same port
> > for sending and receiving queries, and I've always built firewalls
> > that way successfully.
>
> David Mills' ntpd uses port 123 on both sides, true. Other NTP
> implementations tend to use ephemeral ports; a quick histogram of 30
> seconds or so of traffic to a stratum-2 NTP server suggests about half
> of the NTP traffic out there uses other ports.

Don't forget PNAT. I'd also argue that the rc.firewall6 in base is supposed
to work with the ntpd in base. We should, however, not forget about
ntpdate, which seems to use ephemeral ports.

-- 
/"\ Best regards, | mlaier@freebsd.org
\ / Max Laier | ICQ #67774661
 X http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
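The thread above weighs three ways of writing the NTP rule: fixing port 123 on both sides (matches the base ntpd, breaks ntpdate and clients behind port-rewriting NAT), matching only the server side (admits every client, but also admits any inbound datagram whose source port happens to be 123), or tracking the outbound query and admitting only its reply. The following is an added illustration, not code from the thread or from FreeBSD's rc.firewall6; the rule shapes, the `Packet` model, the `StatefulFirewall` class and the sample client port numbers are all constructed here to make the trade-off concrete.

```python
"""Constructed model of three NTP firewall policies from the rc.firewall6 thread.

Direction is taken from the client host's point of view:
"out" = datagram leaving the host, "in" = datagram arriving at it.
"""
from dataclasses import dataclass

NTP_PORT = 123
SSH_PORT = 22  # used only as an arbitrary "unrelated local port" below


@dataclass(frozen=True)
class Packet:
    proto: str
    src_port: int
    dst_port: int
    direction: str  # "out" or "in"


# Stateless rule tuples: (direction, src_port, dst_port); None means "any".
# Strict: port 123 on both sides, as Doug Barton proposed.
STRICT_RULES = [
    ("out", NTP_PORT, NTP_PORT),
    ("in", NTP_PORT, NTP_PORT),
]
# Loose: pin only the server side, so ephemeral client ports work, but any
# inbound datagram from source port 123 is admitted to any local port.
LOOSE_RULES = [
    ("out", None, NTP_PORT),
    ("in", NTP_PORT, None),
]


def stateless_allowed(rules, pkt):
    """First-match evaluation of the stateless rule list."""
    if pkt.proto != "udp":
        return False
    for direction, sp, dp in rules:
        if direction != pkt.direction:
            continue
        if sp is not None and sp != pkt.src_port:
            continue
        if dp is not None and dp != pkt.dst_port:
            continue
        return True
    return False


class StatefulFirewall:
    """Admit inbound UDP only as the reply to an outbound query we have seen.

    This is the behaviour ipfw's keep-state gives for a UDP rule; the class
    itself is a constructed stand-in, not ipfw code.
    """

    def __init__(self):
        self.expected_replies = set()  # (reply src_port, reply dst_port)

    def allowed(self, pkt):
        if pkt.proto != "udp":
            return False
        if pkt.direction == "out" and pkt.dst_port == NTP_PORT:
            self.expected_replies.add((pkt.dst_port, pkt.src_port))
            return True
        if pkt.direction == "in":
            return (pkt.src_port, pkt.dst_port) in self.expected_replies
        return False


def client_works(policy, client_src_port):
    """True if both the client's query and the server's reply get through."""
    query = Packet("udp", client_src_port, NTP_PORT, "out")
    reply = Packet("udp", NTP_PORT, client_src_port, "in")
    if policy == "stateful":
        fw = StatefulFirewall()
        return fw.allowed(query) and fw.allowed(reply)
    rules = STRICT_RULES if policy == "strict" else LOOSE_RULES
    return stateless_allowed(rules, query) and stateless_allowed(rules, reply)


# Constructed sample clients: the base ntpd (123 -> 123), ntpdate on an
# ephemeral port, and a client whose source port was rewritten by PNAT.
SAMPLE_CLIENTS = {"ntpd": 123, "ntpdate": 50001, "pnat": 61234}
POLICIES = ("strict", "loose", "stateful")


def compare_policies():
    """Map client name -> (strict, loose, stateful) pass/fail."""
    return {name: tuple(client_works(p, port) for p in POLICIES)
            for name, port in SAMPLE_CLIENTS.items()}


def unsolicited_from_123_allowed():
    """Does an inbound datagram from source port 123 to an unrelated local
    port get through with no matching outbound query? (strict, loose, stateful)"""
    probe = Packet("udp", NTP_PORT, SSH_PORT, "in")
    return (stateless_allowed(STRICT_RULES, probe),
            stateless_allowed(LOOSE_RULES, probe),
            StatefulFirewall().allowed(probe))


if __name__ == "__main__":
    for name, result in compare_policies().items():
        print(f"{name:8s} strict={result[0]} loose={result[1]} stateful={result[2]}")
    print("unsolicited from 123:", unsolicited_from_123_allowed())
```

Running it shows the two halves of the argument: only the stateful policy passes all three clients and still rejects the unsolicited datagram, while the loose policy buys ntpdate and PNAT compatibility at the price of trusting source port 123 on any inbound packet.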