Date: Sun, 12 Dec 1999 01:38:17 CST From: "Sean Heber" <sheber@mwci.net> To: freebsd-questions@freebsd.org Subject: ntpdate and firewall rules (maybe) Message-ID: <944984297_PM_BeOS.sheber@mwci.net>
Hello.
I had someone who knows firewall rules much better than I do set up a system of mine
for maximum security. I just noticed that since I implemented those rules I
can no longer use ntpdate. It always seems to fail saying it cannot find a
server. After a bit of digging I'm pretty sure that the problem is simple--the
packets can't get back to ntpdate. So then I tried playing with my firewall
rules. Luckily the server is still sitting here and not in some far off
hosting place as I managed to screw things up pretty bad. :-)
So, after a bunch of mucking around, I have decided I have no clue how to fix
this NTP problem. What rules do I need to add to my configuration to allow
NTP to work?
Here's what I'm using now:
# Stop RFC1918 nets on the outside interface
$fwcmd add deny log all from 192.168.0.0:255.255.0.0 to any in recv ${oif}
$fwcmd add deny log all from 172.16.0.0:255.240.0.0 to any in recv ${oif}
$fwcmd add deny log all from 10.0.0.0:255.0.0.0 to any in recv ${oif}
# Allow any ip (tcp and udp) packets to go out the outside interface
$fwcmd add pass all from any to any out xmit ${oif}
# Allow established tcp connections from outside interface
$fwcmd add pass tcp from any to any in recv ${oif} established
#allows smtp
$fwcmd add pass log tcp from any to any 25 in recv ${oif} setup
#allows ssh
$fwcmd add pass log tcp from any to any 22 in recv ${oif} setup
#allows ftp
$fwcmd add pass log tcp from any to any 20 in recv ${oif} setup
$fwcmd add pass log tcp from any to any 21 in recv ${oif} setup
$fwcmd add pass log tcp from any 20 to any in recv ${oif} setup
$fwcmd add pass log tcp from any 21 to any in recv ${oif} setup
#allows http
$fwcmd add pass log tcp from any to any 80 in recv ${oif} setup
#allows pop3
$fwcmd add pass log tcp from any to any 110 in recv ${oif} setup
# Deny and log setup of any other tcp connections from outside interface
$fwcmd add deny log tcp from any to any in recv ${oif} setup
# Allow replies to DNS queries from outside interface
$fwcmd add pass udp from any 53 to any 1024-65535 in recv ${oif}
$fwcmd add pass udp from any to any 53 in recv ${oif}
# Allow outbound pings
$fwcmd add pass icmp from any to any in recv ${oif} icmptypes 0
$fwcmd add pass icmp from any to any out xmit ${oif} icmptypes 8
# Allow outbound traceroutes
$fwcmd add pass icmp from any to any in recv ${oif} icmptypes 3
$fwcmd add pass icmp from any to any in recv ${oif} icmptypes 11
# Everything else is denied by default, but let's log it too
$fwcmd add 65534 deny log ip from any to any
Thanks!
l8r
Sean
http://www.bebits.com/
BeBits - All the best BeOS software.
-----------------------------------
This message was sent with the demo version of Postmaster, a BeOS mail client.
For more information, please visit http://kennyc.com/postmaster.
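The rule set above passes everything outbound but only lets UDP back in when it comes from source port 53, so ntpdate's reply from port 123 is dropped by the final deny rule. The script below is an added example written for this page, not a reply from the thread: it emits the two ipfw rules that let the reply in, in the same style as the rules above. ntpdate without -u sends from source port 123, so the reply is 123 to 123; with -u it sends from an unprivileged port, so the reply goes to 1024-65535 and only high ports need opening. The interface name, the server address (a constructed TEST-NET address) and the dry-run default for fwcmd are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original post): ipfw rules letting ntpdate's
# UDP/123 replies back in through the rule set quoted above. Outbound packets
# already pass via the "out xmit ${oif}" rule, so only the replies need rules.
#
# Assumptions: ${oif} is the outside interface as in the post (placeholder
# default here); ${fwcmd} defaults to a dry-run "echo ipfw" so this can be run
# on any host without touching a live firewall.
oif="${oif:-xl0}"
fwcmd="${fwcmd:-echo ipfw}"

# Emit the reply rules for one NTP server address (or "any").
# Pinning the source address to the server you actually query keeps the
# exposure to "UDP from that host's port 123" instead of the whole Internet.
ntp_rules() {
    server="${1:-any}"
    # reply to ntpdate run without -u (it sends from privileged port 123)
    $fwcmd add pass udp from "$server" 123 to any 123 in recv "${oif}"
    # reply to "ntpdate -u" (unprivileged source port); prefer this form,
    # since it never opens port 123 on the box itself
    $fwcmd add pass udp from "$server" 123 to any 1024-65535 in recv "${oif}"
}

# Check: how many of the emitted rules are pinned to a specific server rather
# than "from any". A practitioner wants this equal to the rule count.
count_pinned() {
    ntp_rules "$1" | grep -v 'from any 123' | grep -c 'udp'
}

# Constructed example server; replace with the server ntpdate is pointed at.
ntp_rules 192.0.2.10
```

Put these lines in the firewall script before the final "add 65534 deny log ip" rule, since ipfw matches in rule-number order and a later rule never sees a packet the catch-all already dropped. After reloading, `ipfw -a list` shows per-rule packet counters, so you can confirm the new rules are the ones being hit, and `ntpdate -d` steps through the exchange without setting the clock.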
