Date: Fri, 18 Jul 2008 01:35:35 +0200
From: Max Laier <max@love2party.net>
To: freebsd-net@freebsd.org
Cc: Daniel Gerzo <danger@freebsd.org>, Doug Barton <dougb@freebsd.org>
Subject: Re: etc/rc.firewall6
Message-ID: <200807180135.35912.max@love2party.net>
In-Reply-To: <615CAFFA-48AF-4207-A838-B8AB58B6EE76@mac.com>
References: <743720911.20080717222210@rulez.sk> <487FC8B1.4070003@FreeBSD.org> <615CAFFA-48AF-4207-A838-B8AB58B6EE76@mac.com>
On Friday 18 July 2008 01:21:28 Chuck Swiger wrote:
> On Jul 17, 2008, at 3:33 PM, Doug Barton wrote:
> [ ... ]
> > About the ntp stuff, 2 questions. First, you did not make the same
> > changes in the NTP section in the second hunk as you did in the
> > first, is that intentional? Second, wouldn't it be better to
> > specify the port number (123) on both sides? NTP uses that same port
> > for sending and receiving queries, and I've always built firewalls
> > that way successfully.
>
> David Mills' ntpd uses port 123 on both sides, true. Other NTP
> implementations tend to use ephemeral ports; a quick histogram of 30
> seconds or so of traffic to a stratum-2 NTP server suggests about half
> of the NTP traffic out there uses other ports.

Don't forget PNAT.

I'd also argue that the rc.firewall6 in base is supposed to work with the
ntpd in base. We should, however, not forget about ntpdate, which seems to
use ephemeral ports.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
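The trade-off the thread is circling (a rule that insists on port 123 on both sides breaks ntpdate and PNAT'd clients, while a rule that admits any inbound UDP from source port 123 is wide open) can be made concrete with a small rule-matching model. The code below is an added example, not from rc.firewall6 or the FreeBSD project; it models three policies over constructed UDP exchanges. The ephemeral port value 49152 is a constructed sample, the `Rule`/`Packet`/`StatefulFirewall` names are this example's own, and the stateful class only approximates what an ipfw `keep-state` rule does.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

NTP_PORT = 123
EPHEMERAL_PORT = 49152  # constructed sample value for an ephemeral source port


@dataclass(frozen=True)
class Packet:
    """One UDP datagram as seen by the firewall (UDP assumed throughout)."""
    src_port: int
    dst_port: int
    direction: str  # "out" = host -> NTP server, "in" = server -> host


@dataclass(frozen=True)
class Rule:
    """Stateless match on ports and direction; None means 'any'."""
    src_port: Optional[int]
    dst_port: Optional[int]
    direction: Optional[str]

    def matches(self, pkt: Packet) -> bool:
        return ((self.src_port is None or self.src_port == pkt.src_port)
                and (self.dst_port is None or self.dst_port == pkt.dst_port)
                and (self.direction is None or self.direction == pkt.direction))


# Policy 1: "port 123 on both sides", as proposed in the quoted message.
STRICT_BOTH_SIDES = [Rule(NTP_PORT, NTP_PORT, None)]

# Policy 2: any outbound to 123, any inbound from 123 (covers ntpdate,
# but also admits unsolicited traffic from anyone using source port 123).
OPEN_FROM_123 = [Rule(None, NTP_PORT, "out"), Rule(NTP_PORT, None, "in")]


def stateless_allows(rules: List[Rule], pkts: List[Packet]) -> bool:
    """True if every packet of the exchange matches some rule."""
    return all(any(r.matches(p) for r in rules) for p in pkts)


class StatefulFirewall:
    """Policy 3 (keep-state style): an outbound query to port 123 records a
    flow; an inbound packet is admitted only if it reverses a recorded flow."""

    def __init__(self) -> None:
        self.flows: Set[Tuple[int, int]] = set()

    def allows(self, pkt: Packet) -> bool:
        if pkt.direction == "out" and pkt.dst_port == NTP_PORT:
            self.flows.add((pkt.src_port, pkt.dst_port))
            return True
        if pkt.direction == "in":
            return (pkt.dst_port, pkt.src_port) in self.flows
        return False


def stateful_allows(pkts: List[Packet]) -> bool:
    fw = StatefulFirewall()
    return all(fw.allows(p) for p in pkts)


# Constructed exchanges.
def ntpd_exchange() -> List[Packet]:
    """ntpd: source and destination port 123 in both directions."""
    return [Packet(NTP_PORT, NTP_PORT, "out"), Packet(NTP_PORT, NTP_PORT, "in")]


def ntpdate_exchange() -> List[Packet]:
    """ntpdate-style client: ephemeral source port, reply comes back to it."""
    return [Packet(EPHEMERAL_PORT, NTP_PORT, "out"),
            Packet(NTP_PORT, EPHEMERAL_PORT, "in")]


def pnat(pkts: List[Packet], new_port: int) -> List[Packet]:
    """What a firewall outside a PNAT box sees: the client's source port is
    rewritten on the way out, and replies are addressed to the rewritten port."""
    out = []
    for p in pkts:
        if p.direction == "out":
            out.append(Packet(new_port, p.dst_port, "out"))
        else:
            out.append(Packet(p.src_port, new_port, "in"))
    return out


def unsolicited_from_123() -> List[Packet]:
    """Inbound datagram from source port 123 that answers no query of ours."""
    return [Packet(NTP_PORT, 5000, "in")]


if __name__ == "__main__":
    for name, pkts in [("ntpd", ntpd_exchange()), ("ntpdate", ntpdate_exchange()),
                       ("ntpd behind PNAT", pnat(ntpd_exchange(), EPHEMERAL_PORT)),
                       ("unsolicited", unsolicited_from_123())]:
        print(f"{name:18} strict={stateless_allows(STRICT_BOTH_SIDES, pkts)!s:5} "
              f"open={stateless_allows(OPEN_FROM_123, pkts)!s:5} "
              f"stateful={stateful_allows(pkts)}")
```

Running it shows the strict policy passing only the base-system ntpd case and failing both ntpdate and a PNAT'd ntpd, the open policy passing everything including the unsolicited datagram, and the stateful policy passing the three legitimate exchanges while rejecting the unsolicited one.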
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200807180135.35912.max>