Date: Wed, 16 Jan 2002 15:37:08 +1100
From: Peter Jeremy <peter.jeremy@alcatel.com.au>
To: freebsd-security@freebsd.org
Subject: Firewalls + NTP + dialup problems
Message-ID: <20020116153707.C72285@gsmx07.alcatel.com.au>
I'm having a problem running NTP over a dialup link between two hosts with fairly strict packet filtering. Both machines are running 4.4-STABLE from mid-December (just before the 4.5 freeze).

    +------+       +------+       +------+       +------+
    |      | enet  |      |  ppp  |      | enet  |      |
    | net1 |-------|host1 |-------|host2 |-------| net2 |
    |      |       |      |       |      |       |      |
    +------+       +------+       +------+       +------+

"ppp" is a dial-on-demand link that is initiated by host1 using ppp(8). "enet" are the ethernet links to the LANs (net1 and net2). "host2.ppp" refers to the IP address of the PPP interface on host2 etc.

ppp(8) on host2 is configured using "Method 2" from the man page (ppp is started using getty's "pp" capability).

Both hosts have a mixture of ipfw and PPP filter rules intended to restrict access from host2 and net2 to host1 and net1. All four sets of rules restrict PPP traffic to host1.ppp<->host2.ppp.

Both hosts have each other listed as an NTP peer (along with other machines).

The problem I've got is that when host2 reboots, there is no PPP connection and therefore host2.ppp doesn't exist (ppp ifconfig's it into existence when it gets an incoming call from host1). This means that ntpd only binds to host2.enet and host2.lo0. NTP packets from host2 to host1 have a source address of host2.enet - which is blocked by the firewall rules.

So far, I've thought of the following:

1) Allow the address host2.enet on the PPP link. I don't like (or want to implement) this.

2) Make ntpd notice when host2.ppp is created and bind to it. ntpd(8) doesn't appear to have any suitable signals trapped, and the code to create and bind sockets only appears to be invoked during initialisation.

3) Have host2.ppp always exist so ntpd can bind to it when it starts. I can't see any obvious way to achieve this. "ifconfig tun0" will create the address, but ppp then whinges and will delete the address when the link drops.

Can anyone else offer any suggestions?
Peter
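The failure mode described in the post, as an added model that is not part of the original message: a first-match filter for the ppp link that permits only host1.ppp<->host2.ppp, an ntpd that takes its socket set once at start-up, and a simplified source-address choice. The addresses (192.0.2.x, 198.51.100.2), the interface name tun0 and the function names are constructed for the example; the post gives no numbers.

```python
"""Constructed model of why host2's NTP polls are dropped after a reboot."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

IPv4 = ipaddress.IPv4Address

# Constructed addresses: the post names the interfaces but gives no numbers.
HOST1_PPP = IPv4("192.0.2.1")      # host1's end of the dial-up link
HOST2_PPP = IPv4("192.0.2.2")      # host2's end, only created by ppp when the link is up
HOST2_ENET = IPv4("198.51.100.2")  # host2's LAN address, always present
HOST2_LO0 = IPv4("127.0.0.1")
NTP_PORT = 123


@dataclass(frozen=True)
class Packet:
    src: IPv4
    dst: IPv4
    dport: int
    iface: str


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    iface: str           # interface the rule applies to
    src: Optional[IPv4]  # None means any source
    dst: Optional[IPv4]  # None means any destination

    def matches(self, pkt: Packet) -> bool:
        return (self.iface == pkt.iface
                and (self.src is None or self.src == pkt.src)
                and (self.dst is None or self.dst == pkt.dst))


# First-match rule set for the ppp link: host1.ppp <-> host2.ppp only,
# everything else on that interface dropped (as the post's rules do).
PPP_RULES: List[Rule] = [
    Rule("allow", "tun0", HOST2_PPP, HOST1_PPP),
    Rule("allow", "tun0", HOST1_PPP, HOST2_PPP),
    Rule("deny", "tun0", None, None),
]


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; a strict filter drops anything unmatched."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def ntpd_bound_addresses(addresses_at_start: List[IPv4]) -> List[IPv4]:
    """ntpd creates its sockets once, at initialisation, so it only ever
    holds the addresses that were configured at that moment."""
    return list(addresses_at_start)


def source_address(bound: List[IPv4]) -> IPv4:
    """Simplified source selection (assumption): use the ppp-side address
    when ntpd holds a socket on it, else the first non-loopback socket."""
    if HOST2_PPP in bound:
        return HOST2_PPP
    candidates = [a for a in bound if not a.is_loopback]
    return candidates[0]


def ntp_poll_outcome(addresses_at_start: List[IPv4]) -> Tuple[str, str]:
    """Source address ntpd would use for a poll of host1 over tun0, and the
    filter verdict on that packet."""
    bound = ntpd_bound_addresses(addresses_at_start)
    pkt = Packet(source_address(bound), HOST1_PPP, NTP_PORT, "tun0")
    return str(pkt.src), evaluate(PPP_RULES, pkt)


if __name__ == "__main__":
    # After a reboot only lo0 and enet exist when ntpd starts: the poll
    # leaves with the LAN source address and hits the deny rule.
    print("link down at ntpd start:", ntp_poll_outcome([HOST2_LO0, HOST2_ENET]))
    # If host2.ppp existed at start-up, ntpd would have a socket on it.
    print("link up at ntpd start:  ", ntp_poll_outcome([HOST2_LO0, HOST2_ENET, HOST2_PPP]))
```

The two runs correspond to the post's options 3 and 1 respectively: either host2.ppp must exist before ntpd initialises, or the rule set must admit host2.enet on the link; the model shows that a rule set restricted to the ppp addresses will drop every poll sent from the LAN address.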
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020116153707.C72285>