Date: Thu, 17 Jul 2008 16:46:08 -0700
From: Chuck Swiger <cswiger@mac.com>
To: Max Laier <max@love2party.net>
Cc: freebsd-net@freebsd.org
Subject: Re: etc/rc.firewall6
Message-ID: <7CD8CD0E-0150-438C-BD50-D2A8C2210280@mac.com>
In-Reply-To: <200807180135.35912.max@love2party.net>
References: <743720911.20080717222210@rulez.sk> <487FC8B1.4070003@FreeBSD.org> <615CAFFA-48AF-4207-A838-B8AB58B6EE76@mac.com> <200807180135.35912.max@love2party.net>
On Jul 17, 2008, at 4:35 PM, Max Laier wrote:

>> David Mills' ntpd uses port 123 on both sides, true. Other NTP
>> implementations tend to use ephemeral ports; a quick histogram of 30
>> seconds or so of traffic to a stratum-2 NTP server suggests about half
>> of the NTP traffic out there uses other ports.
>
> Don't forget PNAT. I'd also argue that the rc.firewall6 in base is
> supposed to work with the ntpd in base. We should, however, not forget
> about ntpdate, which seems to use ephemeral ports.

Certainly some forms of NAT might also "scrub" ntpd's use of port 123 to some random higher port, true enough. It's not recommended that machines providing time service to others have NAT in the way, though, so that circumstance wasn't at the top of my mind. :-)

-- 
-Chuck
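The point being argued in this thread is whether a firewall rule that requires source port 123 as well as destination port 123 admits real-world NTP traffic. The script below is an added illustration, not code from the thread or from FreeBSD's rc.firewall6: it builds the kind of source-port histogram Chuck describes over a constructed sample of UDP flows, then checks which flows a "both ports 123" rule would drop, with and without a port-rewriting NAT in front of the clients. The flow records are made up, and `strict_rule`/`lenient_rule` are Python predicates standing in for the two rule shapes, not ipfw rule text.

```python
"""Source-port histogram for inbound NTP traffic and the effect of a
firewall rule that insists on source port 123.

Added example, not part of the FreeBSD thread. The flow sample and the
rule predicates below are constructed for illustration.
"""
from collections import Counter

NTP_PORT = 123

# Constructed flow sample: (src_addr, src_port, dst_port). About half of the
# NTP flows come from a fixed source port 123 (ntpd talking to ntpd); the
# rest use ephemeral source ports (other clients, or ntpd behind a NAT that
# rewrote the source port). One non-NTP flow is included to be ignored.
SAMPLE_FLOWS = [
    ("192.0.2.10", 123, 123),
    ("192.0.2.11", 123, 123),
    ("198.51.100.7", 123, 123),
    ("198.51.100.8", 123, 123),
    ("203.0.113.5", 51234, 123),    # client bound to an ephemeral port
    ("203.0.113.6", 60021, 123),
    ("203.0.113.7", 40987, 123),    # ntpd behind PNAT, source port rewritten
    ("203.0.113.9", 123, 123),
    ("203.0.113.12", 33411, 123),
    ("198.51.100.20", 123, 80),     # not NTP; must not be counted
]


def source_port_histogram(flows, dst_port=NTP_PORT):
    """Bucket the source ports of flows destined to dst_port into
    'fixed 123' versus 'ephemeral', the split the thread is arguing about."""
    hist = Counter()
    for _src, sport, dport in flows:
        if dport != dst_port:
            continue
        hist["123" if sport == NTP_PORT else "ephemeral"] += 1
    return dict(hist)


def strict_rule(sport, dport):
    """Rule shape that only admits ntpd-to-ntpd traffic: both ports 123."""
    return sport == NTP_PORT and dport == NTP_PORT


def lenient_rule(sport, dport):
    """Rule shape that admits any UDP source talking to our port 123."""
    return dport == NTP_PORT


def blocked_by(rule, flows, dst_port=NTP_PORT):
    """Return the NTP flows (destination dst_port) that the rule would drop."""
    return [f for f in flows if f[2] == dst_port and not rule(f[1], f[2])]


def apply_pnat(flows, first_port=49152):
    """Simulate a port-rewriting NAT in front of the clients: every source
    port is replaced by a fresh ephemeral one, so even ntpd's fixed
    source port 123 no longer reaches the server."""
    return [(src, first_port + i, dport)
            for i, (src, _sport, dport) in enumerate(flows)]


if __name__ == "__main__":
    print("histogram:", source_port_histogram(SAMPLE_FLOWS))
    print("strict rule drops:", len(blocked_by(strict_rule, SAMPLE_FLOWS)))
    print("lenient rule drops:", len(blocked_by(lenient_rule, SAMPLE_FLOWS)))
    print("strict rule drops after PNAT:",
          len(blocked_by(strict_rule, apply_pnat(SAMPLE_FLOWS))))
```

On this sample the strict rule drops the four ephemeral-port flows and, once a port-rewriting NAT sits in front of the clients, all nine NTP flows; the lenient rule drops none. When auditing a real ruleset, feed the same predicates a source-port histogram taken from actual traffic to the server rather than a constructed list.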