Date: Thu, 17 Jul 2008 16:21:28 -0700
From: Chuck Swiger <cswiger@mac.com>
To: Doug Barton <dougb@FreeBSD.org>
Cc: freebsd-net@freebsd.org, Daniel Gerzo <danger@FreeBSD.org>
Subject: Re: etc/rc.firewall6
Message-ID: <615CAFFA-48AF-4207-A838-B8AB58B6EE76@mac.com>
In-Reply-To: <487FC8B1.4070003@FreeBSD.org>
References: <743720911.20080717222210@rulez.sk> <487FC8B1.4070003@FreeBSD.org>
On Jul 17, 2008, at 3:33 PM, Doug Barton wrote:
[ ... ]
> About the ntp stuff, 2 questions. First, you did not make the same
> changes in the NTP section in the second hunk as you did in the
> first, is that intentional? Second, wouldn't it be better to
> specify the port number (123) on both sides? NTP uses that same port
> for sending and receiving queries, and I've always built firewalls
> that way successfully.

David Mills' ntpd uses port 123 on both sides, true. Other NTP implementations tend to use ephemeral ports; a quick histogram of 30 seconds or so of traffic to a stratum-2 NTP server suggests about half of the NTP traffic out there uses other ports.

Regards,
-- 
-Chuck

# tcpdump -w ntp_packets.dump udp port 123
tcpdump: listening on fxp0, link-type EN10MB (Ethernet), capture size 96 bytes
^C
615 packets captured
897 packets received by filter
0 packets dropped by kernel
# tcpdump -nr ntp_packets.dump | wc -l
reading from file ntp_packets.dump, link-type EN10MB (Ethernet)
615
# tcpdump -nr ntp_packets.dump | grep '.123 >' | wc -l
reading from file ntp_packets.dump, link-type EN10MB (Ethernet)
347

Most of these above were packets sent by my server.
The rest have quite an assortment of source ports being used:

# tcpdump -nr ntp_packets.dump | grep -v '.123 >' | head
reading from file ntp_packets.dump, link-type EN10MB (Ethernet)
19:06:41.598527 IP 69.144.236.104.3186 > 199.103.21.227.123: NTPv4, Client, length 48
19:06:41.620732 IP 70.169.250.10.297 > 199.103.21.227.123: NTPv3, symmetric active, length 48
19:06:41.755699 IP 63.118.102.151.47817 > 199.103.21.227.123: NTPv4, Client, length 48
19:06:41.932513 IP 65.7.131.67.61897 > 199.103.21.227.123: NTPv3, Client, length 48
19:06:42.041643 IP 69.48.55.134.6 > 199.103.21.227.123: NTPv3, Client, length 48
19:06:42.098282 IP 64.211.94.227.32839 > 199.103.21.227.123: NTPv4, Client, length 48
19:06:42.248041 IP 74.234.132.214.49846 > 199.103.21.227.123: NTPv3, Client, length 48
19:06:42.263930 IP 66.134.96.79.50420 > 199.103.21.227.123: NTPv3, symmetric active, length 48
19:06:42.338483 IP 38.115.128.242.12709 > 199.103.21.227.123: NTPv3, symmetric active, length 48
19:06:42.764847 IP 70.169.250.10.429 > 199.103.21.227.123: NTPv3, symmetric active, length 48
# tcpdump -nr ntp_packets.dump | grep -v '.123 >' | tail
reading from file ntp_packets.dump, link-type EN10MB (Ethernet)
19:07:09.302753 IP 170.235.223.10.47601 > 199.103.21.227.123: NTPv3, symmetric active, length 48
19:07:09.355610 IP 38.105.187.251.278 > 199.103.21.227.123: NTPv3, symmetric active, length 48
19:07:09.360286 IP 70.148.188.206.59640 > 199.103.21.227.123: NTPv4, Client, length 48
19:07:09.502241 IP 138.210.238.176.26487 > 199.103.21.227.123: NTPv3, Client, length 48
19:07:09.838130 IP 66.89.121.68.13587 > 199.103.21.227.123: NTPv3, symmetric active, length 48
19:07:10.064838 IP 76.201.148.100.2050 > 199.103.21.227.123: NTPv3, Client, length 48
19:07:10.121137 IP 217.96.91.6.37920 > 199.103.21.227.123: NTPv4, Client, length 48
19:07:10.124784 IP 70.169.250.10.24 > 199.103.21.227.123: NTPv3, symmetric active, length 48
19:07:10.203358 IP 24.154.104.34.40289 > 199.103.21.227.123: NTPv4, Client, length 48
19:07:10.234026 IP 64.178.45.44.1 > 199.103.21.227.123: NTPv4, Client, length 48
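The source-port histogram Chuck built with grep and wc, as an added example that is not part of the original message: a small Python script that parses `tcpdump -n` NTP lines, splits senders by source port, and counts how many inbound packets a firewall rule admitting only 123-to-123 UDP would drop. The sample input reuses five lines from the capture above and adds three constructed lines (a server reply, a symmetric-passive reply and a peer sending from port 123) to exercise every branch.

```python
import re
from collections import Counter

# Constructed sample of tcpdump -n output: first five lines copied from the
# capture quoted in the message, last three constructed for this example.
SAMPLE = """\
19:06:41.598527 IP 69.144.236.104.3186 > 199.103.21.227.123: NTPv4, Client, length 48
19:06:41.620732 IP 70.169.250.10.297 > 199.103.21.227.123: NTPv3, symmetric active, length 48
19:06:41.755699 IP 63.118.102.151.47817 > 199.103.21.227.123: NTPv4, Client, length 48
19:06:42.041643 IP 69.48.55.134.6 > 199.103.21.227.123: NTPv3, Client, length 48
19:06:42.263930 IP 66.134.96.79.50420 > 199.103.21.227.123: NTPv3, symmetric active, length 48
19:06:42.300000 IP 199.103.21.227.123 > 69.144.236.104.3186: NTPv4, Server, length 48
19:06:42.310000 IP 199.103.21.227.123 > 70.169.250.10.123: NTPv3, symmetric passive, length 48
19:06:43.000000 IP 10.0.0.5.123 > 199.103.21.227.123: NTPv4, Client, length 48
"""

# One tcpdump -n NTP line: "<time> IP <src>.<sport> > <dst>.<dport>: NTPv<n>, <mode>, ..."
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): NTPv(?P<ver>\d), (?P<mode>[^,]+),"
)

def parse_ntp_lines(text):
    """Yield (sport, dport, mode) for each parsable line; silently skip the rest
    (e.g. the 'reading from file ...' banner)."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m["sport"]), int(m["dport"]), m["mode"].strip()

def classify(text, ntp_port=123):
    """Split packets by source port: 'src_123' vs 'ephemeral' (what the
    grep '.123 >' / grep -v '.123 >' pair counts), plus the NTP modes seen
    among the ephemeral-port senders."""
    counts, modes = Counter(), Counter()
    for sport, _dport, mode in parse_ntp_lines(text):
        if sport == ntp_port:
            counts["src_123"] += 1
        else:
            counts["ephemeral"] += 1
            modes[mode] += 1
    return counts, modes

def blocked_by_strict_rule(text, ntp_port=123):
    """Inbound packets to ntp_port that a rule allowing only
    'udp from any 123 to me 123' would drop: clients and peers that sent
    from an ephemeral source port."""
    return sum(1 for sport, dport, _ in parse_ntp_lines(text)
               if dport == ntp_port and sport != ntp_port)
```

Run against a real capture with `tcpdump -nr ntp_packets.dump | python3 -c 'import sys; ...'` or by reading the file into `classify`; the ratio of `ephemeral` to `src_123` is the histogram the message describes.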