Date: Thu, 16 May 2002 15:23:59 -0700
From: "Tom Wang" <wysxs@hotmail.com>
To: <freebsd-security@FreeBSD.ORG>
Subject: ipfw udp dynamic rule don't work ?
Message-ID: <OE61Nm3y8VhFexoFZzA0000fa08@hotmail.com>
Hi, all

I have a problem when I configure ipfw on my FreeBSD 4.5 box. The firewall rules are as follows:

    allow tcp from any to any established
    allow ip from any to any frag
    ......
    check-state
    allow tcp from ${oip} to any keep-state
    allow udp from ${oip} to any keep-state

The box can't synchronize with any ntp servers. I think "keep-state" can keep a small time window where it allows udp packets to come back from the ntp server, but it seems not to work.

Must I add the following rules to my firewall ruleset? And why?

    allow udp from {oip} to any 123
    allow udp from any 123 to {oip}

or

    allow udp from {oip} to any 123 keep-state

(This rule should be the same as "allow udp from ${oip} to any keep-state".)

Thanks in advance.

Tom
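As an added example (not from Tom's post and not ipfw's own code), a small Python model of how the check-state/keep-state pair in the ruleset above treats an NTP query and its reply, including the case where the reply arrives only after the dynamic rule has expired. The 10-second lifetime, the addresses and the rule order after check-state are assumptions; on a real box the lifetime to compare against is the sysctl net.inet.ip.fw.dyn_udp_lifetime, and the live dynamic entries are listed by `ipfw -d show`.

```python
from collections import namedtuple

# Assumed lifetime (seconds) of a UDP dynamic rule; compare with the sysctl
# net.inet.ip.fw.dyn_udp_lifetime on the box being debugged.
UDP_DYN_LIFETIME = 10.0

# One packet as the filter sees it; t is the arrival time in seconds.
Packet = namedtuple("Packet", "proto src sport dst dport t")


class StatefulFilter:
    """Simplified model (not ipfw's code) of the post's ruleset:
    check-state, then 'allow udp from ${oip} to any keep-state'."""

    def __init__(self, oip):
        self.oip = oip
        self.dyn = {}  # (proto, src, sport, dst, dport) -> expiry time

    def check_state(self, p):
        """Match a live dynamic rule in either direction, refreshing it on a hit."""
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        for key in (fwd, rev):
            expiry = self.dyn.get(key)
            if expiry is not None and p.t <= expiry:
                self.dyn[key] = p.t + UDP_DYN_LIFETIME
                return True
            if expiry is not None:
                del self.dyn[key]  # expired entry is dropped
        return False

    def filter(self, p):
        if self.check_state(p):
            return "allow (dynamic)"
        if p.proto == "udp" and p.src == self.oip:  # the post's keep-state rule
            self.dyn[(p.proto, p.src, p.sport, p.dst, p.dport)] = p.t + UDP_DYN_LIFETIME
            return "allow (keep-state)"
        return "deny"  # no rule matched


def ntp_exchange(reply_delay, oip="192.0.2.10", server="198.51.100.5"):
    """Constructed NTP query (UDP 123 -> 123) and its reply reply_delay seconds later."""
    fw = StatefulFilter(oip)
    query = Packet("udp", oip, 123, server, 123, 0.0)
    reply = Packet("udp", server, 123, oip, 123, reply_delay)
    return fw.filter(query), fw.filter(reply)
```

A reply inside the window is admitted by the dynamic rule; one that arrives after the entry has aged out, or one that was never solicited, falls through to deny.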