From owner-freebsd-security  Thu May 16 12:52:58 2002
Delivered-To: freebsd-security@freebsd.org
Received: from d188h80.mcb.uconn.edu (d188h80.mcb.uconn.edu [137.99.188.80])
	by hub.freebsd.org (Postfix) with SMTP id 9929737B400
	for <freebsd-security@FreeBSD.ORG>; Thu, 16 May 2002 12:52:50 -0700 (PDT)
Received: (qmail 13933 invoked by uid 1001); 16 May 2002 19:52:49 -0000
Date: Thu, 16 May 2002 15:52:49 -0400
From: "Peter C. Lai" <sirmoo@cowbert.2y.net>
To: Tom Wang <wysxs@hotmail.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw udp dynamic rule don't work ?
Message-ID: <20020516155249.A13879@cowbert.2y.net>
Reply-To: peter.lai@uconn.edu
References: <OE61Nm3y8VhFexoFZzA0000fa08@hotmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <OE61Nm3y8VhFexoFZzA0000fa08@hotmail.com>; from wysxs@hotmail.com on Thu, May 16, 2002 at 03:23:59PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

I have a suspicion as to this causing ntp issues on my machine too.
Every once in a while, ntpd loses the line discipline for no
reason. This doesn't happen when I disable ipfw totally.

On Thu, May 16, 2002 at 03:23:59PM -0700, Tom Wang wrote:
> Hi, all
> 
> I have a problem when I config ipfw on my Freebsd4.5 Box. the firewall rules as following,
> 
> allow tcp from any to any established                  
> allow ip from any to any frag                  
> ......        
> check-state                                            
> allow tcp from ${oip} to any keep-state      
> allow udp from ${oip} to any keep-state  
> 
> The box can't synchronize with any ntp servers. I think, "keep-state" can keeps a small time window where it allows udp packets come back that comes from ntp 
> server.  but, it seems don't work.
> 
> I must add following rules in my firewall ruleset ? and why?
> 
> allow udp from {oip} to any 123
> allow udp from any 123 to {oip}
> or 
> allow udp from {oip} to any 123 keep-state 
> ( this rule should as same as "allow udp from ${oip} to any keep-state" )
> 
> Thanks in advance.
> 
> Tom
> 

-- 
Peter C. Lai
University of Connecticut
Dept. of Molecular and Cell Biology | Undergraduate Research Assistant
http://cowbert.2y.net/


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message