From: "Tom Wang"
Delivered-To: freebsd-security@freebsd.org
Subject: ipfw udp dynamic rule don't work ?
Date: Thu, 16 May 2002 15:23:59 -0700

Hi, all

I have a problem when I configure ipfw on my FreeBSD 4.5 box. The firewall rules are as follows:

allow tcp from any to any established
allow ip from any to any frag
......
check-state
allow tcp from ${oip} to any keep-state
allow udp from ${oip} to any keep-state

The box can't synchronize with any NTP servers. I think "keep-state" keeps a small time window in which it allows the UDP packets that come back from the NTP server, but it seems not to work.

Must I add the following rules to my firewall ruleset? And why?

allow udp from {oip} to any 123
allow udp from any 123 to {oip}

or

allow udp from {oip} to any 123 keep-state
(this rule should be the same as "allow udp from ${oip} to any keep-state")

Thanks in advance.

Tom
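A simplified model of how the check-state / keep-state pairing in the ruleset above is meant to handle an NTP query and its reply, added here as an illustration; it is not part of Tom's post or of ipfw itself. The addresses, the 10-second UDP state lifetime (taken as the value of net.inet.ip.fw.dyn_udp_lifetime) and the default-deny policy are assumptions.

```python
"""Simplified model of ipfw dynamic rules (keep-state / check-state) for UDP.
Added example, not code from the original post.  'keep-state' on a matching
packet records the flow's 5-tuple; 'check-state' accepts a later packet whose
5-tuple matches a recorded flow in either direction, until the entry expires.
The 10 s lifetime is the assumed value of net.inet.ip.fw.dyn_udp_lifetime;
addresses, ports and timestamps are constructed."""
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport t")  # t = arrival time (s)

OIP = "192.0.2.10"     # constructed: the box's outside address (${oip})
NTP = "198.51.100.5"   # constructed: an NTP server

class DynTable:
    """Dynamic-rule table: flow 5-tuple -> expiry time."""
    def __init__(self, udp_lifetime=10.0):
        self.lifetime = udp_lifetime
        self.flows = {}

    def add(self, p):  # keep-state: remember the flow that matched
        self.flows[(p.proto, p.src, p.sport, p.dst, p.dport)] = p.t + self.lifetime

    def check(self, p):  # check-state: match either direction, ignore expired entries
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        return any(p.t < self.flows.get(k, -1.0) for k in (fwd, rev))

def ruleset(p, dyn, keep_state=True):
    """The post's UDP rules, in order: check-state, then allow udp from ${oip} to any."""
    if dyn.check(p):
        return "allow"
    if p.proto == "udp" and p.src == OIP:
        if keep_state:            # 'allow udp from ${oip} to any keep-state'
            dyn.add(p)
        return "allow"            # without keep-state: a plain 'allow udp from ${oip} to any'
    return "deny"                 # assumed default-deny policy for anything not matched above

def ntp_exchange(reply_delay, keep_state=True):
    """Send an NTP query from OIP:123 to NTP:123; the reply arrives reply_delay s later.
    Returns the (query_verdict, reply_verdict) pair."""
    dyn = DynTable()
    query = Packet("udp", OIP, 123, NTP, 123, 0.0)
    reply = Packet("udp", NTP, 123, OIP, 123, reply_delay)
    return ruleset(query, dyn, keep_state), ruleset(reply, dyn, keep_state)
```

With keep-state the reply is accepted only while the dynamic entry is alive; without it, or after the entry has expired, the reply falls through to the default deny, which is the behaviour the two static rules for port 123 would work around.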