Date: Fri, 17 May 2002 00:45:39 -0500
From: Greg Panula <greg.panula@dolaninformation.com>
To: Tom Wang <wysxs@hotmail.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw udp dynamic rule don't work ?
Message-ID: <3CE49903.349E247A@dolaninformation.com>
References: <OE61Nm3y8VhFexoFZzA0000fa08@hotmail.com>
Tom Wang wrote:
>
> Hi, all
>
> I have a problem when I config ipfw on my FreeBSD 4.5 box. The firewall
> rules are as follows:
>
> allow tcp from any to any established
> allow ip from any to any frag
> ......
> check-state
> allow tcp from ${oip} to any keep-state
> allow udp from ${oip} to any keep-state
The check-state rule will allow established connections to pass thru the
firewall. No real need for the early "allow tcp from any to any
established" rule.
I use this combo on my firewall:
check-state
deny log tcp from any to any established
That way any packets with a spoofed ack bit set are dropped and logged. More
information about tcp can be found at:
http://www.networksorcery.com/enp/protocol/tcp.htm
>
> The box can't synchronize with any ntp servers. I think "keep-state"
> keeps a small time window where it allows udp packets to come back from the
> ntp server, but it doesn't seem to work.
'sysctl -a | grep fw | grep -v ipfw' will show you the system control
variables involved with ipfw.
You'll want to look at the value of net.inet.ip.fw.dyn_udp_lifetime. I
believe it defaults to 10 seconds. If you are on a high latency link, you
might want to increase it. But 10 seconds should be enough time to get a
response from an ntp source.
>
> Must I add the following rules to my firewall ruleset? And why?
>
> allow udp from {oip} to any 123
> allow udp from any 123 to {oip}
> or
> allow udp from {oip} to any 123 keep-state
> ( this rule should be the same as "allow udp from ${oip} to any keep-state" )
>
Maybe try this rule for your ntp traffic (it's the one I use):
allow udp from ${oip} 123 to any 123 keep-state out via ${oif}
Never had any problems with ntp and the above rule.
If all else fails, make sure your last rule is at least logging the traffic that
reaches it. Then check /var/log/security. Optionally you could run tcpdump
and start up ntpd and see what is going on.
Good Luck,
Greg
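The behaviour discussed in this thread (check-state matching a dynamic entry that keep-state created for the outgoing NTP query, and that entry expiring after net.inet.ip.fw.dyn_udp_lifetime) can be modelled in a few lines. The following is an added example written for this archive page, not ipfw source or anything from the original posters; it assumes the 10-second default lifetime the reply mentions, uses the constructed addresses 192.0.2.10 (standing in for ${oip}) and 198.51.100.1 (an NTP server), and keys entries on the UDP 4-tuple the way ipfw's dynamic rules do for UDP.

```python
"""Toy model of ipfw check-state / keep-state for UDP traffic.

Added example; not ipfw code. It shows why an NTP reply is allowed back
only while the dynamic rule created by the outgoing query is still alive.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed default of net.inet.ip.fw.dyn_udp_lifetime (the reply in the
# thread says "I believe it defaults to 10 seconds").
DYN_UDP_LIFETIME = 10.0

OIP = "192.0.2.10"          # constructed: the firewall's outside address (${oip})
NTP_SERVER = "198.51.100.1"  # constructed: a remote NTP server


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    t: float  # arrival time in seconds


Key = Tuple[str, int, str, int]


class DynamicRules:
    """The dynamic rule table: one entry per UDP 4-tuple, created by a
    keep-state rule, matched in either direction by check-state, and
    dropped once dyn_udp_lifetime seconds pass without matching traffic."""

    def __init__(self, lifetime: float = DYN_UDP_LIFETIME) -> None:
        self.lifetime = lifetime
        self.expiry: Dict[Key, float] = {}

    @staticmethod
    def forward(p: Packet) -> Key:
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def reverse(p: Packet) -> Key:
        return (p.dst, p.dport, p.src, p.sport)

    def _purge(self, now: float) -> None:
        for k in [k for k, exp in self.expiry.items() if exp <= now]:
            del self.expiry[k]

    def install(self, p: Packet) -> None:
        self.expiry[self.forward(p)] = p.t + self.lifetime

    def match(self, p: Packet) -> bool:
        self._purge(p.t)
        for k in (self.forward(p), self.reverse(p)):
            if k in self.expiry:
                self.expiry[k] = p.t + self.lifetime  # traffic refreshes the entry
                return True
        return False


class Firewall:
    """The ruleset from the thread, reduced to UDP:
         check-state
         allow udp from ${oip} to any keep-state
         deny log udp from any to any        (the logging last rule Greg suggests)"""

    def __init__(self, lifetime: float = DYN_UDP_LIFETIME) -> None:
        self.dyn = DynamicRules(lifetime)
        self.denied: List[Packet] = []  # what /var/log/security would show

    def filter(self, p: Packet) -> str:
        if self.dyn.match(p):            # check-state
            return "allow (dynamic)"
        if p.src == OIP:                 # allow udp from ${oip} to any keep-state
            self.dyn.install(p)
            return "allow (keep-state)"
        self.denied.append(p)            # deny log udp from any to any
        return "deny"


def ntp_scenario(reply_delay: float, lifetime: float = DYN_UDP_LIFETIME) -> Tuple[str, str]:
    """Send one NTP query out and have the reply arrive reply_delay seconds later."""
    fw = Firewall(lifetime)
    query = Packet(OIP, 123, NTP_SERVER, 123, t=0.0)
    reply = Packet(NTP_SERVER, 123, OIP, 123, t=reply_delay)
    return fw.filter(query), fw.filter(reply)


def unsolicited_reply() -> str:
    """A UDP/123 packet from a host the box never queried: no dynamic entry, so denied."""
    fw = Firewall()
    return fw.filter(Packet("203.0.113.9", 123, OIP, 123, t=1.0))


if __name__ == "__main__":
    print("reply after 2s :", ntp_scenario(2.0))
    print("reply after 15s:", ntp_scenario(15.0))
    print("15s, lifetime 30:", ntp_scenario(15.0, lifetime=30.0))
    print("unsolicited    :", unsolicited_reply())
```

Running it shows the reply accepted when it arrives within the lifetime, denied (and logged by the last rule) when it arrives after the entry expired, and accepted again once the lifetime is raised, which is exactly the sysctl knob the reply points at.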