From owner-freebsd-net@FreeBSD.ORG Fri Jul 18 00:07:26 2008
Delivered-To: freebsd-net@freebsd.org
Sender: cswiger@mac.com
Message-id: <7CD8CD0E-0150-438C-BD50-D2A8C2210280@mac.com>
From: Chuck Swiger
To: Max Laier
Cc: freebsd-net@freebsd.org
In-reply-to: <200807180135.35912.max@love2party.net>
References: <743720911.20080717222210@rulez.sk> <487FC8B1.4070003@FreeBSD.org> <615CAFFA-48AF-4207-A838-B8AB58B6EE76@mac.com> <200807180135.35912.max@love2party.net>
Date: Thu, 17 Jul 2008 16:46:08 -0700
Subject: Re: etc/rc.firewall6
List-Id: Networking and TCP/IP with FreeBSD

On Jul 17, 2008, at 4:35 PM, Max Laier wrote:
>> David Mills' ntpd uses port 123 on both sides, true. Other NTP
>> implementations tend to use ephemeral ports; a quick histogram of 30
>> seconds or so of traffic to a stratum-2 NTP server suggests about half
>> of the NTP traffic out there uses other ports.
>
> Don't forget PNAT. I'd also argue that the rc.firewall6 in base is
> supposed to work with the ntpd in base. We should, however, not forget
> about ntpdate, which seems to use ephemeral ports.

Certainly some forms of NAT might also "scrub" ntpd's use of port 123 to
some random higher port, true enough. It's not recommended that machines
providing time service to others have NAT in the way, though, so that
circumstance wasn't at the top of my mind. :-)

--
-Chuck
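The source-port histogram Chuck describes, and what it implies for a rc.firewall6 rule that insists on UDP 123 on both ends, as an added example that is not code from the thread or from FreeBSD. The packet sample is constructed, not capture data; the rule model is a simplification of two ipfw-style variants ("udp from any to me 123" versus "udp from any 123 to me 123").

```python
"""Estimate how many inbound NTP requests a firewall rule that requires
source port 123 as well as destination port 123 would drop.

Constructed sample of UDP datagrams arriving at a time server, not real
capture data: (src_port, dst_port, payload_len).
"""
from collections import Counter

NTP_PORT = 123
NTP_PAYLOAD_LEN = 48  # a plain NTPv3/v4 request without extension fields


# Constructed sample: ntpd-style clients use 123 on both sides; ntpdate/SNTP
# clients and clients behind a port-rewriting NAT arrive from ephemeral ports.
SAMPLE_PACKETS = [
    (123, 123, 48), (123, 123, 48), (123, 123, 48),
    (51234, 123, 48), (40871, 123, 48), (123, 123, 48),
    (61002, 123, 48), (32769, 123, 48),
    (53, 53, 60),  # unrelated DNS datagram, must be ignored
]


def ntp_source_port_histogram(packets):
    """Count source ports of datagrams destined to UDP/123 that look like NTP requests."""
    return Counter(src for src, dst, plen in packets
                   if dst == NTP_PORT and plen == NTP_PAYLOAD_LEN)


def share_using_ephemeral_ports(packets):
    """Fraction of NTP requests not sourced from port 123, i.e. what a 123->123-only rule drops."""
    hist = ntp_source_port_histogram(packets)
    total = sum(hist.values())
    if total == 0:
        return 0.0
    return (total - hist[NTP_PORT]) / total


def would_rule_drop(src_port, dst_port, require_symmetric_ports):
    """Model an inbound NTP allow rule; with require_symmetric_ports the rule also demands source port 123."""
    if dst_port != NTP_PORT:
        return True
    return require_symmetric_ports and src_port != NTP_PORT


if __name__ == "__main__":
    print(ntp_source_port_histogram(SAMPLE_PACKETS))
    print(f"dropped by symmetric rule: {share_using_ephemeral_ports(SAMPLE_PACKETS):.0%}")
```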