Date: Thu, 16 May 2002 15:23:59 -0700 From: "Tom Wang" <wysxs@hotmail.com> To: <freebsd-security@FreeBSD.ORG> Subject: ipfw udp dynamic rule don't work ? Message-ID: <OE61Nm3y8VhFexoFZzA0000fa08@hotmail.com>
Hi, all
I have a problem when I configure ipfw on my FreeBSD 4.5 box. The firewall rules are as follows:
allow tcp from any to any established
allow ip from any to any frag
......
check-state
allow tcp from ${oip} to any keep-state
allow udp from ${oip} to any keep-state
The box can't synchronize with any NTP servers. I think "keep-state" keeps a small time window during which it allows the UDP packets that come back from the NTP
server, but it seems not to work.
Must I add the following rules to my firewall ruleset? And why?
allow udp from ${oip} to any 123
allow udp from any 123 to ${oip}
or
allow udp from ${oip} to any 123 keep-state
(This rule should be the same as "allow udp from ${oip} to any keep-state".)
Thanks in advance.
Tom
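To make the mechanism in the question concrete, here is an added toy model of ipfw's UDP keep-state / check-state behaviour (example code written for this archive page, not ipfw's own implementation): the first packet hitting a keep-state rule installs a dynamic rule keyed on the (src, sport, dst, dport) tuple, and check-state then passes packets matching that tuple in either direction until net.inet.ip.fw.dyn_udp_lifetime seconds pass with no traffic. The ruleset, the default-deny policy after the listed rules, the addresses and the 10-second lifetime are assumptions for the demo.

```python
from dataclasses import dataclass

# Assumed value of the net.inet.ip.fw.dyn_udp_lifetime sysctl (seconds).
DYN_UDP_LIFETIME = 10.0


@dataclass
class DynRule:
    """One dynamic rule: the 4-tuple of the packet that created it plus expiry."""
    src: str
    sport: int
    dst: str
    dport: int
    expires: float


class Firewall:
    """Model of the poster's ruleset: check-state, then 'allow udp from ${oip}
    to any keep-state', then (assumed) an implicit deny."""

    def __init__(self, oip: str) -> None:
        self.oip = oip
        self.dyn: list[DynRule] = []

    def _lookup_dyn(self, pkt: tuple, now: float):
        # Expire idle entries, then look for a forward or reverse match.
        self.dyn = [r for r in self.dyn if r.expires > now]
        for r in self.dyn:
            fwd = (r.src, r.sport, r.dst, r.dport) == pkt
            rev = (r.dst, r.dport, r.src, r.sport) == pkt
            if fwd or rev:
                r.expires = now + DYN_UDP_LIFETIME  # traffic refreshes the timer
                return r
        return None

    def check(self, pkt: tuple, now: float) -> str:
        """Return 'allow' or 'deny' for a UDP packet (src, sport, dst, dport)."""
        src, sport, dst, dport = pkt
        if self._lookup_dyn(pkt, now):          # rule: check-state
            return "allow"
        if src == self.oip:                      # rule: allow udp from ${oip} to any keep-state
            self.dyn.append(DynRule(src, sport, dst, dport, now + DYN_UDP_LIFETIME))
            return "allow"
        return "deny"                            # assumed default policy


if __name__ == "__main__":
    fw = Firewall("192.0.2.10")                  # constructed addresses (RFC 5737)
    print(fw.check(("192.0.2.10", 123, "198.51.100.5", 123), 0.0))   # allow, installs state
    print(fw.check(("198.51.100.5", 123, "192.0.2.10", 123), 0.05))  # allow via check-state
    print(fw.check(("198.51.100.5", 123, "192.0.2.10", 123), 20.0))  # deny, state expired
```

The reply is only admitted while a matching dynamic rule exists, so a server answering from a different port, or after the idle timeout, is dropped.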
