Date:      Tue, 3 Jan 2017 14:56:15 -0700 (MST)
From:      Warren Block <wblock@wonkity.com>
To:        Maxim Konovalov <maxim.konovalov@gmail.com>
Cc:        Warren Block <wblock@FreeBSD.org>, doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject:   Re: svn commit: r49600 - head/en_US.ISO8859-1/books/handbook/firewalls
Message-ID:  <alpine.BSF.2.20.1701031454590.52533@wonkity.com>
In-Reply-To: <alpine.BSF.2.20.1701031927070.83306@mp2.macomnet.net>
References:  <201610281531.u9SFVL7u096914@repo.freebsd.org> <alpine.BSF.2.20.1701021904430.83306@mp2.macomnet.net> <alpine.BSF.2.20.1701022145290.98030@wonkity.com> <alpine.BSF.2.20.1701031927070.83306@mp2.macomnet.net>

On Tue, 3 Jan 2017, Maxim Konovalov wrote:

>>> Hi Warren,
>>>
>>> On Fri, 28 Oct 2016, 15:31-0000, Warren Block wrote:
>>>
>>> [...]
>>>>  # Allow outbound NTP
>>>> -&dollar;cmd 00260 allow tcp from any to any 37 out via &dollar;pif setup
>>>> keep-state
>>>> +&dollar;cmd 00260 allow udp from any to any 123 out via &dollar;pif setup
>>>> keep-state
>>>>
>>>>  # Allow outbound SSH
>>>>  &dollar;cmd 00280 allow tcp from any to any 22 out via &dollar;pif setup
>>>> keep-state
>>>>
>>> Are you sure about this change?  NTP is a UDP-based protocol.  At the
>>> same time, "setup" is a TCP-only feature (why ipfw(8) allows it to be used
>>> in conjunction with the UDP proto is a different story).
>>>
>>> I think the comment is what should be fixed here.
>>
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=213365 suggested merely
>> changing this to UDP 123.  I don't use IPFW, so can't verify the actual usage.
>> Help would be appreciated.
>>
> I'd remove the "setup" keyword from the command.  Let me know if I can
> go ahead with this change.

It's okay with me.  Er, "Approved".  It would be really nice if you 
could test and verify it, but not required.

Thanks!


