From owner-freebsd-net@FreeBSD.ORG Thu Jul 17 23:21:31 2008
Return-Path: 
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 44BF71065672 for ; Thu, 17 Jul 2008 23:21:31 +0000 (UTC) (envelope-from cswiger@mac.com)
Received: from asmtpout016.mac.com (asmtpout016.mac.com [17.148.16.91]) by mx1.freebsd.org (Postfix) with ESMTP id 203258FC16 for ; Thu, 17 Jul 2008 23:21:30 +0000 (UTC) (envelope-from cswiger@mac.com)
MIME-version: 1.0
Content-transfer-encoding: 7BIT
Content-type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Received: from cswiger1.apple.com ([17.227.140.124]) by asmtp016.mac.com (Sun Java(tm) System Messaging Server 6.3-6.03 (built Mar 14 2008; 32bit)) with ESMTPSA id <0K4600HRXBJTEGX3@asmtp016.mac.com>; Thu, 17 Jul 2008 16:21:30 -0700 (PDT)
Sender: cswiger@mac.com
Message-id: <615CAFFA-48AF-4207-A838-B8AB58B6EE76@mac.com>
From: Chuck Swiger
To: Doug Barton
In-reply-to: <487FC8B1.4070003@FreeBSD.org>
Date: Thu, 17 Jul 2008 16:21:28 -0700
References: <743720911.20080717222210@rulez.sk> <487FC8B1.4070003@FreeBSD.org>
X-Mailer: Apple Mail (2.928.1)
Cc: freebsd-net@freebsd.org, Daniel Gerzo
Subject: Re: etc/rc.firewall6
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: ,
X-List-Received-Date: Thu, 17 Jul 2008 23:21:31 -0000

On Jul 17, 2008, at 3:33 PM, Doug Barton wrote:
[ ... ]
> About the ntp stuff, 2 questions. First, you did not make the same
> changes in the NTP section in the second hunk as you did in the
> first, is that intentional? Second, wouldn't it be better to
> specify the port number (123) on both sides? NTP uses that same port
> for sending and receiving queries, and I've always built firewalls
> that way successfully.

David Mills' ntpd uses port 123 on both sides, true.
Other NTP implementations tend to use ephemeral ports; a quick histogram of 30 seconds or so of traffic to a stratum-2 NTP server suggests about half of the NTP traffic out there uses other ports.

Regards,
-- 
-Chuck

# tcpdump -w ntp_packets.dump udp port 123
tcpdump: listening on fxp0, link-type EN10MB (Ethernet), capture size 96 bytes
^C
615 packets captured
897 packets received by filter
0 packets dropped by kernel
# tcpdump -nr ntp_packets.dump | wc -l
reading from file ntp_packets.dump, link-type EN10MB (Ethernet)
615
# tcpdump -nr ntp_packets.dump | grep '.123 >' | wc -l
reading from file ntp_packets.dump, link-type EN10MB (Ethernet)
347

Most of these above were packets sent by my server. The rest have quite an assortment of source ports being used:

# tcpdump -nr ntp_packets.dump | grep -v '.123 >' | head
reading from file ntp_packets.dump, link-type EN10MB (Ethernet)
19:06:41.598527 IP 69.144.236.104.3186 > 199.103.21.227.123: NTPv4, Client, length 48
19:06:41.620732 IP 70.169.250.10.297 > 199.103.21.227.123: NTPv3, symmetric active, length 48
19:06:41.755699 IP 63.118.102.151.47817 > 199.103.21.227.123: NTPv4, Client, length 48
19:06:41.932513 IP 65.7.131.67.61897 > 199.103.21.227.123: NTPv3, Client, length 48
19:06:42.041643 IP 69.48.55.134.6 > 199.103.21.227.123: NTPv3, Client, length 48
19:06:42.098282 IP 64.211.94.227.32839 > 199.103.21.227.123: NTPv4, Client, length 48
19:06:42.248041 IP 74.234.132.214.49846 > 199.103.21.227.123: NTPv3, Client, length 48
19:06:42.263930 IP 66.134.96.79.50420 > 199.103.21.227.123: NTPv3, symmetric active, length 48
19:06:42.338483 IP 38.115.128.242.12709 > 199.103.21.227.123: NTPv3, symmetric active, length 48
19:06:42.764847 IP 70.169.250.10.429 > 199.103.21.227.123: NTPv3, symmetric active, length 48
# tcpdump -nr ntp_packets.dump | grep -v '.123 >' | tail
reading from file ntp_packets.dump, link-type EN10MB (Ethernet)
19:07:09.302753 IP 170.235.223.10.47601 > 199.103.21.227.123: NTPv3, symmetric active, length 48
19:07:09.355610 IP 38.105.187.251.278 > 199.103.21.227.123: NTPv3, symmetric active, length 48
19:07:09.360286 IP 70.148.188.206.59640 > 199.103.21.227.123: NTPv4, Client, length 48
19:07:09.502241 IP 138.210.238.176.26487 > 199.103.21.227.123: NTPv3, Client, length 48
19:07:09.838130 IP 66.89.121.68.13587 > 199.103.21.227.123: NTPv3, symmetric active, length 48
19:07:10.064838 IP 76.201.148.100.2050 > 199.103.21.227.123: NTPv3, Client, length 48
19:07:10.121137 IP 217.96.91.6.37920 > 199.103.21.227.123: NTPv4, Client, length 48
19:07:10.124784 IP 70.169.250.10.24 > 199.103.21.227.123: NTPv3, symmetric active, length 48
19:07:10.203358 IP 24.154.104.34.40289 > 199.103.21.227.123: NTPv4, Client, length 48
19:07:10.234026 IP 64.178.45.44.1 > 199.103.21.227.123: NTPv4, Client, length 48
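The grep/wc pipeline above answers the firewall question with two counts. The following script, added here as an example and not part of Chuck's post or of FreeBSD's rc.firewall, does the same classification in a reusable way: it parses the one-line summaries that `tcpdump -nr` prints for NTP packets, builds a source-port histogram of traffic arriving at the server, and counts how many inbound packets a rule that pins both ends to udp/123 (the "123 on both sides" suggestion in the thread) would reject compared with a rule that pins only the destination. The sample lines, the server address 203.0.113.5 and the other RFC 5737 documentation addresses are constructed for the example; the function names are the example's own.

```python
"""Classify NTP traffic from tcpdump one-line summaries by source port.

Added example; assumes tcpdump's NTP summary format as shown in the post
(timestamp, 'IP src.port > dst.port: NTPvN, mode, length N').
"""
import re
from collections import Counter

NTP_PORT = 123

# One tcpdump -nr line for an NTP packet; mode is free text without commas
# ("Client", "Server", "symmetric active", ...).
TCPDUMP_NTP = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"NTPv(?P<ver>\d), (?P<mode>[^,]+), length (?P<len>\d+)$"
)

# Constructed sample capture (not the capture from the post). 203.0.113.5
# plays the local NTP server; peers use RFC 5737 documentation addresses.
SAMPLE_LINES = """\
19:06:41.598527 IP 192.0.2.10.3186 > 203.0.113.5.123: NTPv4, Client, length 48
19:06:41.601002 IP 203.0.113.5.123 > 192.0.2.10.3186: NTPv4, Server, length 48
19:06:41.620732 IP 198.51.100.7.123 > 203.0.113.5.123: NTPv3, symmetric active, length 48
19:06:41.625115 IP 203.0.113.5.123 > 198.51.100.7.123: NTPv3, symmetric passive, length 48
19:06:41.755699 IP 192.0.2.44.47817 > 203.0.113.5.123: NTPv4, Client, length 48
19:06:41.760001 IP 203.0.113.5.123 > 192.0.2.44.47817: NTPv4, Server, length 48
19:06:42.041643 IP 198.51.100.9.6 > 203.0.113.5.123: NTPv3, Client, length 48
19:06:42.098282 IP 192.0.2.77.123 > 203.0.113.5.123: NTPv4, Client, length 48
not an ntp line at all
"""


def parse_line(line):
    """Return a dict for one NTP summary line, or None for anything else."""
    m = TCPDUMP_NTP.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "ver", "len"):
        rec[key] = int(rec[key])
    return rec


def parse_capture(text):
    """Parse every recognisable line; non-NTP lines are skipped."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def source_port_histogram(records, server_ip):
    """Histogram of source ports on packets arriving at server_ip."""
    return Counter(r["sport"] for r in records if r["dst"] == server_ip)


def inbound_split(records, server_ip):
    """Inbound packets sent from udp/123 versus from some other port."""
    inbound = [r for r in records if r["dst"] == server_ip]
    from_123 = sum(1 for r in inbound if r["sport"] == NTP_PORT)
    return {"inbound": len(inbound), "from_123": from_123,
            "other": len(inbound) - from_123}


def would_be_dropped(records, server_ip, pin_source_port=True):
    """Inbound NTP packets rejected by 'allow udp from any [123] to server 123'.

    pin_source_port=True models the rule with 123 on both sides; False
    models a rule that only pins the destination port.
    """
    dropped = []
    for r in records:
        if r["dst"] != server_ip or r["dport"] != NTP_PORT:
            continue
        if pin_source_port and r["sport"] != NTP_PORT:
            dropped.append(r)
    return dropped


def mode_breakdown(records):
    """Count packets by (NTP version, mode), e.g. (4, 'Client')."""
    return Counter((r["ver"], r["mode"]) for r in records)


if __name__ == "__main__":
    recs = parse_capture(SAMPLE_LINES)
    print(inbound_split(recs, "203.0.113.5"))
    print(source_port_histogram(recs, "203.0.113.5").most_common())
    for r in would_be_dropped(recs, "203.0.113.5"):
        print("strict rule would drop:", r["src"], r["sport"], r["mode"])
```

Feed it the real capture with `tcpdump -nr ntp_packets.dump` piped into `parse_capture` and set `server_ip` to the local address; the `would_be_dropped` count is the number of clients a both-ends-pinned rule would silently break, which is the figure to look at before choosing between the two rule forms.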