From: Allan Jude
To: Warren Block, Maxim Konovalov
Cc: Warren Block, doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: Re: svn commit: r49600 - head/en_US.ISO8859-1/books/handbook/firewalls
Date: Wed, 4 Jan 2017 14:27:37 -0500
References: <201610281531.u9SFVL7u096914@repo.freebsd.org>
List-Id: SVN commit messages for the doc tree for head

On 2017-01-03 16:56, Warren Block wrote:
> On Tue, 3 Jan 2017, Maxim Konovalov wrote:
>
>>>> Hi Warren,
>>>>
>>>> On Fri, 28 Oct 2016, 15:31-0000, Warren Block wrote:
>>>>
>>>> [...]
>>>>> # Allow outbound NTP
>>>>> -$cmd 00260 allow tcp from any to any 37 out via $pif
>>>>> setup
>>>>> keep-state
>>>>> +$cmd 00260 allow udp from any to any 123 out via
>>>>> $pif setup
>>>>> keep-state
>>>>>
>>>>> # Allow outbound SSH
>>>>> $cmd 00280 allow tcp from any to any 22 out via $pif
>>>>> setup
>>>>> keep-state
>>>>>
>>>> Are you sure about this change? NTP is a UDP-based protocol. At the
>>>> same time "setup" is a TCP-only feature (why ipfw(8) allows it to be used in
>>>> conjunction with the UDP proto is a different story)
>>>>
>>>> I think the comment is what should be fixed here.
>>>
>>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=213365 suggested merely
>>> changing this to UDP 123. I don't use IPFW, so can't verify the actual usage.
>>> Help would be appreciated.
>>>
>> I'd remove the "setup" keyword from the command. Let me know if I can
>> go ahead with this change.
>
> It's okay with me. Er, "Approved". It would be really nice if you
> could test and verify it, but not required.
>
> Thanks!
>

It is indeed not required. The 'setup' keyword looks for the 'syn' flag on the TCP packet, saying this is the initiation of a new connection. It does not apply at all to UDP.
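Review bot: the `+` line of the NTP hunk changes the protocol to udp and the port to 123 but keeps the `setup` keyword, which, as the thread points out, matches the SYN flag of a TCP packet starting a new connection and has no meaning on a UDP rule; as written the outbound NTP rule is inconsistent with itself. Suggest dropping the keyword from that line, `$cmd 00260 allow udp from any to any 123 out via $pif keep-state`, as Maxim proposes, while leaving `setup` on the tcp/22 SSH rule in the context lines, where it is correct.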
-- 
Allan Jude
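A small check in the spirit of the thread, added here as an example and not part of the mail or of the Handbook: it scans an ipfw ruleset for rules that pair the TCP-only `setup` keyword with another protocol, and rewrites them the way Maxim proposes by dropping `setup`. The ruleset below is constructed; the two rules and numbers come from the quoted patch, the tcp/udp 53 line is added to show the check telling the cases apart.

```sh
# Constructed sample ruleset in the Handbook's style (not the Handbook's
# own file): the NTP and SSH rules are the ones quoted in the thread, the
# DNS rule is added here so the check has a udp rule without "setup".
SAMPLE_RULES='# Allow outbound NTP
$cmd 00260 allow udp from any to any 123 out via $pif setup keep-state
# Allow outbound SSH
$cmd 00280 allow tcp from any to any 22 out via $pif setup keep-state
# Allow outbound DNS
$cmd 00300 allow udp from any to any 53 out via $pif keep-state'

# Print each rule that pairs the TCP-only "setup" keyword with another
# protocol.  The protocol is the token just before "from"; "setup" matches
# the SYN flag of a new TCP connection and so never applies to udp rules.
flag_setup_on_non_tcp() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            proto = ""; has_setup = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "from") proto = $(i - 1)
                if ($i == "setup") has_setup = 1
            }
            if (has_setup && proto != "" && proto != "tcp") print
        }'
}

# Rewrite the ruleset the way the thread settles on: drop "setup" from
# every non-tcp rule; tcp rules, comments and blank lines pass through.
fix_setup_on_non_tcp() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF == 0 { print; next }
        {
            proto = ""
            for (i = 2; i <= NF; i++) if ($i == "from") proto = $(i - 1)
            if (proto == "" || proto == "tcp") { print; next }
            out = ""
            for (i = 1; i <= NF; i++)
                if ($i != "setup") out = out (out == "" ? "" : " ") $i
            print out
        }'
}

# Stand-alone run: report the offending rule, then print the fixed set.
flag_setup_on_non_tcp "$SAMPLE_RULES"
fix_setup_on_non_tcp "$SAMPLE_RULES"
```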