From: gregc@pm-tech.com (Greg Cronau)
Subject: Re: ntpdate and firewall rules (maybe)
To: sheber@mwci.net
Date: Sun, 12 Dec 1999 03:07:04 -0500 (EST)
Cc: freebsd-questions@freebsd.org
In-Reply-To: <944984297_PM_BeOS.sheber@mwci.net> from "Sean Heber" at Dec 12, 99 01:38:17 am
Reply-To: gregc@pm-tech.com
Organization: PM Technologies

Sean Heber wrote:
>
> Hello.
>
> I had someone who knows firewall rules much better than I set up a system of
> mine for maximum security. I just noticed that since I implemented those
> rules I can no longer use ntpdate. It always seems to fail, saying it cannot
> find a server. After a bit of digging I'm pretty sure that the problem is
> simple--the packets can't get back to ntpdate. So then I tried playing with
> my firewall rules. Luckily the server is still sitting here and not in some
> far off hosting place, as I managed to screw things up pretty bad. :-)
>
> So, after a bunch of mucking around, I have decided I have no clue how to fix
> this NTP problem. What rules do I need to add to my configuration to allow
> NTP to work?
>
> Here's what I'm using now:
>
> [List of rules deleted.]

Those aren't bad firewall rules; they could use some improvements, but they'll do for now.
For ntp you want to add the following rule just before the last one:

    $fwcmd add pass udp from any ntp to any ntp in recv ${oif}

Your firewall code should be able to resolve "ntp" using the contents of /etc/services. If it doesn't, replace "ntp" in this rule with "123".

---
Greg Cronau
gregc@pm-tech.com
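The reply above leaves two things to the reader: whether the firewall script can turn "ntp" into a port number from /etc/services, and the fact that the rule as given accepts UDP 123 traffic from any host. The script below is an added example (not from either poster) that does the lookup with the "fall back to 123" advice built in and emits the ipfw command from the reply, optionally restricted to the NTP servers the machine actually talks to so only their replies are let back in. It assumes the poster's rc.firewall-style variables $fwcmd and $oif, and the interface name and server address used at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Added example: resolve the NTP port from a services file (falling back to
# 123 when the file or entry is missing) and print ipfw rules in the syntax
# quoted in the reply ("add pass udp from any ntp to any ntp in recv ${oif}").

# svc_port NAME FILE [DEFAULT]: print the UDP port for NAME from FILE
# (/etc/services format: "ntp 123/udp # comment"). Falls back to DEFAULT
# when FILE is unreadable or has no NAME/udp entry; fails if neither exists.
svc_port() {
    name=$1
    file=$2
    default=${3:-}
    port=
    if [ -r "$file" ]; then
        port=$(awk -v n="$name" '
            /^[[:space:]]*#/ { next }          # skip comment lines
            $1 == n && $2 ~ /\/udp$/ {         # match "NAME PORT/udp"
                split($2, a, "/"); print a[1]; exit
            }' "$file")
    fi
    [ -n "$port" ] || port=$default
    [ -n "$port" ] || return 1
    printf '%s\n' "$port"
}

# ntp_rules FWCMD OIF PORT [SERVER...]: print the ipfw command(s).
# With no SERVER arguments this is exactly the reply's rule (any -> any).
# With servers, the inbound source is limited to those hosts, so a stray
# UDP/123 packet from elsewhere is still dropped by the final deny rule.
ntp_rules() {
    fwcmd=$1
    oif=$2
    port=$3
    shift 3
    if [ $# -eq 0 ]; then
        printf '%s add pass udp from any %s to any %s in recv %s\n' \
            "$fwcmd" "$port" "$port" "$oif"
        return 0
    fi
    for srv in "$@"; do
        printf '%s add pass udp from %s %s to any %s in recv %s\n' \
            "$fwcmd" "$srv" "$port" "$port" "$oif"
    done
}

# Stand-alone demonstration: look the port up on this host, then print the
# rule for a constructed interface name (fxp0) and a constructed NTP server
# address (192.0.2.10, from the documentation range).
ntp_port=$(svc_port ntp /etc/services 123)
ntp_rules '$fwcmd' fxp0 "$ntp_port" 192.0.2.10
```

Run it and paste the printed line into the firewall script just before the final deny, as the reply says; drop the server arguments if you really want the unrestricted any-to-any form.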