From owner-freebsd-questions@FreeBSD.ORG  Sun Feb 13 14:38:56 2005
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id ED03D16A4CE
	for <freebsd-questions@freebsd.org>;
	Sun, 13 Feb 2005 14:38:56 +0000 (GMT)
Received: from top.daemonsecurity.com (FW-182-254.go.retevision.es
	[62.174.254.182])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 6A91C43D1D
	for <freebsd-questions@freebsd.org>;
	Sun, 13 Feb 2005 14:38:56 +0000 (GMT)
	(envelope-from norgaard@locolomo.org)
Received: from [192.168.0.32] (charm.daemonsecurity.com [192.168.0.32])
	by top.daemonsecurity.com (Postfix) with ESMTP id D46E5FD01F;
	Sun, 13 Feb 2005 15:38:54 +0100 (CET)
Message-ID: <420F667D.9040402@locolomo.org>
Date: Sun, 13 Feb 2005 15:38:53 +0100
From: Erik Norgaard <norgaard@locolomo.org>
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.5) Gecko/20050127
X-Accept-Language: en, en-us, da, it, es
MIME-Version: 1.0
To: dick hoogendijk <dick@nagual.st>
References: <20050213142036.09fb3b72.dick@nagual.st>
In-Reply-To: <20050213142036.09fb3b72.dick@nagual.st>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
cc: freebsd-questions@freebsd.org
Subject: Re: ipfilter and ntp sserver
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Feb 2005 14:38:57 -0000

dick hoogendijk wrote:
> I want my local ntp server up and running, so I put in /etc/rc.conf:
> xntpd_enable="YES" but what are the right rules for ipfilter? Something
> like:
> 
> # Allow out ntp traffic
> pass out quick on rl0 proto tcp from any to any port = 123 flags S keep state
> pass out quick on rl0 proto udp from any to any port = 123 keep state
> 
> Or do I have to open some ports incoming as well?

The above allows your server to request time from remote servers, either 
using ntpdate or ntpd. If you want to serve other workstations then you 
need to accept incoming connections.

> [ I think I need a good book about ipfilter ;-) ]

The ipfilter howto is good, although the nat part can be a bit obscure.

> I mentioned tcp/udp because I read in /etc/services that ntp uses both.

ntp is udp-only, see rfc1305.

> Does keep state mean that automagically all incoming traffic will be OK
> (for ntp)

No. keep state means that when your server synchronizes with a remote ntp 
server, the reply packets are accepted. It does not allow incoming 
connections.

Cheers, Erik
-- 
Ph: +34.666334818                           web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
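Added example, not part of either message above: an ipfilter rule fragment putting the two cases from the reply side by side, the client-only case (outbound query, replies admitted by "keep state") and the "serve other workstations" case, which needs an explicit inbound rule. It assumes the interface name rl0 from the question, an ipfilter rules file such as /etc/ipf.rules, and a LAN of 192.168.0.0/24 as the set of workstations to serve; all three are assumptions, not details from the thread.

```conf
# --- Client only: this host queries remote NTP servers ---------------
# "keep state" creates an entry for the outgoing UDP query so that the
# matching reply from the remote server is let back in. Nothing else
# inbound on port 123 is opened by this rule. NTP is UDP only, so no
# tcp rule is needed.
pass out quick on rl0 proto udp from any to any port = 123 keep state

# --- Serving time to the LAN: requires an explicit inbound rule -------
# The state entry above covers only replies to our own queries. To let
# workstations query this host, incoming UDP to port 123 must be passed.
# Restrict the source to the LAN (assumed 192.168.0.0/24) rather than
# "any", so the server is not reachable from arbitrary remote hosts.
pass in quick on rl0 proto udp from 192.168.0.0/24 to any port = 123 keep state

# Everything else inbound stays blocked by the usual default-deny rule.
block in quick on rl0 all
```

Check the effect with `ipfstat -io` after loading the rules, and with `ipfstat -s` to watch state entries appear for outbound queries; if the LAN hosts still cannot sync, the inbound rule is the one to verify, since "keep state" alone never admits a new incoming session.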