Date: Wed, 4 Jan 2017 14:27:37 -0500
From: Allan Jude <allanjude@freebsd.org>
To: Warren Block <wblock@wonkity.com>, Maxim Konovalov <maxim.konovalov@gmail.com>
Cc: Warren Block <wblock@FreeBSD.org>, doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: Re: svn commit: r49600 - head/en_US.ISO8859-1/books/handbook/firewalls
Message-ID: <c9ec7d52-df33-8bf6-9356-3cb27ab3a954@freebsd.org>
In-Reply-To: <alpine.BSF.2.20.1701031454590.52533@wonkity.com>
References: <201610281531.u9SFVL7u096914@repo.freebsd.org> <alpine.BSF.2.20.1701021904430.83306@mp2.macomnet.net> <alpine.BSF.2.20.1701022145290.98030@wonkity.com> <alpine.BSF.2.20.1701031927070.83306@mp2.macomnet.net> <alpine.BSF.2.20.1701031454590.52533@wonkity.com>
On 2017-01-03 16:56, Warren Block wrote:
> On Tue, 3 Jan 2017, Maxim Konovalov wrote:
>
>>>> Hi Warren,
>>>>
>>>> On Fri, 28 Oct 2016, 15:31-0000, Warren Block wrote:
>>>>
>>>> [...]
>>>>> # Allow outbound NTP
>>>>> -$cmd 00260 allow tcp from any to any 37 out via $pif
>>>>> setup
>>>>> keep-state
>>>>> +$cmd 00260 allow udp from any to any 123 out via
>>>>> $pif setup
>>>>> keep-state
>>>>>
>>>>> # Allow outbound SSH
>>>>> $cmd 00280 allow tcp from any to any 22 out via $pif
>>>>> setup
>>>>> keep-state
>>>>>
>>>> Are you sure about this change? NTP is a UDP-based protocol. At the
>>>> same time, "setup" is a TCP-only feature (why ipfw(8) allows it to be used in
>>>> conjunction with the UDP proto is a different story).
>>>>
>>>> I think the comment is what should be fixed here.
>>>
>>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=213365 suggested merely
>>> changing this to UDP 123. I don't use IPFW, so can't verify the
>>> actual usage.
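Review bot: the `+` line for rule 00260 switches the protocol to udp but keeps the `setup` option, which is TCP-only (it matches the SYN that opens a new connection) and therefore has no meaning on a UDP rule; the replacement line should drop it and read `$cmd 00260 allow udp from any to any 123 out via $pif keep-state`. The `keep-state` part is still correct for UDP, since ipfw tracks UDP flows dynamically, so only the stray `setup` needs to go. The rule 00280 context line (tcp port 22 with `setup keep-state`) is fine as it is.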
>>> Help would be appreciated.
>>>
>> I'd remove the "setup" keyword from the command. Let me know if I can
>> go ahead with this change.
>
> It's okay with me. Er, "Approved". It would be really nice if you
> could test and verify it, but not required.
>
> Thanks!
>
It is indeed not required. The 'setup' keyword looks for the 'syn' flag on
the TCP packet, saying this is the initiation of a new connection. It does
not apply at all to UDP.

--
Allan Jude
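A small linter for exactly the mistake discussed in this thread, added here as an example; it is not code from the FreeBSD Handbook, from ipfw, or from anyone in the thread. It parses `$cmd`-style rule lines like the ones in the quoted diff, flags `setup` on any rule whose protocol is not tcp (the keyword only matches a TCP SYN, so it is meaningless for udp), and emits the corrected line. The rule grammar it accepts and the sample ruleset are assumptions constructed from the diff above.

```python
"""Lint ipfw rule lines for 'setup' used on a non-TCP rule.

Added example, not FreeBSD Handbook or ipfw code. 'setup' matches the
SYN of a new TCP connection, so on a udp rule it can never match anything
useful. The rule grammar below is an assumption that covers the
"$cmd NNNNN action proto from src to dst [port] [options...]" shape used
in the quoted diff; the sample ruleset is constructed from that diff.
"""
import re

# Protocols on which 'setup' is meaningful: only TCP has a SYN handshake.
SETUP_PROTOS = {"tcp"}

# Assumed rule shape: "$cmd 00260 allow udp from any to any 123 out via $pif setup keep-state"
# (also accepts a literal "ipfw add" / "ipfw -q add" prefix).
RULE_RE = re.compile(
    r"^(?:\$cmd|ipfw(?:\s+-q)?\s+add)\s+"
    r"(?P<num>\d+)\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+from\s+(?P<rest>.*)$"
)


def parse_rule(line):
    """Return a dict for one ipfw rule line, or None for blank/comment/unrecognised lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    m = RULE_RE.match(stripped)
    if not m:
        return None
    opts = m.group("rest").split()
    return {
        "num": m.group("num"),
        "action": m.group("action"),
        "proto": m.group("proto").lower(),
        "setup": "setup" in opts,
        "keep_state": "keep-state" in opts,
        "line": stripped,
    }


def lint(text):
    """Return a list of (rule number, message) findings for a whole ruleset."""
    findings = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        if rule["setup"] and rule["proto"] not in SETUP_PROTOS:
            findings.append(
                (rule["num"],
                 f"'setup' matches a TCP SYN only, but proto is {rule['proto']}")
            )
    return findings


def fix_rule(line):
    """Drop a meaningless 'setup' from a non-TCP rule; leave every other line unchanged."""
    rule = parse_rule(line)
    if rule is None or not rule["setup"] or rule["proto"] in SETUP_PROTOS:
        return line
    return re.sub(r"\s+setup\b", "", line)


# Constructed sample: the 'after' state of the thread's diff plus the SSH rule.
SAMPLE = """\
# Allow outbound NTP
$cmd 00260 allow udp from any to any 123 out via $pif setup keep-state

# Allow outbound SSH
$cmd 00280 allow tcp from any to any 22 out via $pif setup keep-state
"""

if __name__ == "__main__":
    for num, msg in lint(SAMPLE):
        print(f"rule {num}: {msg}")
    print("\n".join(fix_rule(l) for l in SAMPLE.splitlines()))
```

Run against the sample, it reports rule 00260 and rewrites it to `$cmd 00260 allow udp from any to any 123 out via $pif keep-state`, while the tcp rule 00280 is left alone; pointing `lint()` at a real `ipfw.rules` script is a cheap pre-commit check for the same slip.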