Date: Fri, 17 May 2002 00:45:39 -0500
From: Greg Panula <greg.panula@dolaninformation.com>
To: Tom Wang <wysxs@hotmail.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw udp dynamic rule don't work ?
Message-ID: <3CE49903.349E247A@dolaninformation.com>
References: <OE61Nm3y8VhFexoFZzA0000fa08@hotmail.com>
Tom Wang wrote:
>
> Hi, all
>
> I have a problem when I configure ipfw on my FreeBSD 4.5 box. The firewall
> rules are as follows:
>
> allow tcp from any to any established
> allow ip from any to any frag
> ......
> check-state
> allow tcp from ${oip} to any keep-state
> allow udp from ${oip} to any keep-state

The check-state rule will allow established connections to pass thru the firewall. No real need for the early "allow tcp from any to any established" rule. I use this combo on my firewall:

check-state
deny log tcp from any to any established

That way any packets with a spoofed ack bit set are dropped & logged.

More information about tcp can be found at:
http://www.networksorcery.com/enp/protocol/tcp.htm

> The box can't synchronize with any ntp servers. I think "keep-state" keeps a
> small time window where it allows udp packets to come back from the ntp
> server, but it seems not to work.

'sysctl -a | grep fw | grep -v ipfw' will show you the system control variables involved with ipfw. You'll want to look at the value of net.inet.ip.fw.dyn_udp_lifetime. I believe it defaults to 10 seconds. If you are on a high latency link, you might want to increase it. But 10 seconds should be enough time to get a response from an ntp source.

> Must I add the following rules to my firewall ruleset? And why?
>
> allow udp from {oip} to any 123
> allow udp from any 123 to {oip}
> or
> allow udp from {oip} to any 123 keep-state
> ( this rule should be the same as "allow udp from ${oip} to any keep-state" )

Maybe try this rule for your ntp traffic (it's the one I use):

allow udp from ${oip} 123 to any 123 keep-state out via ${oif}

Never had any problems with ntp and the above rule.

If all else fails, make sure your last rule is at least logging the traffic that reaches it. Then check /var/log/security. Optionally you could run tcpdump, start up ntpd and see what is going on.
Good Luck,
Greg
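As an added illustration (not code from Greg's message, nor from ipfw itself), a toy Python model of the ruleset he describes: check-state first, the "deny log tcp established" catch for ACK packets with no state, then the NTP keep-state rule with a dynamic entry that expires after dyn_udp_lifetime. Addresses, the 10 s lifetime value and the omission of "out via ${oif}" are assumptions for the demo.

```python
# Toy model of the ipfw ruleset from the reply above. Constructed illustration,
# not ipfw source; direction/interface matching ("out via ${oif}") is omitted.
from collections import namedtuple

DYN_UDP_LIFETIME = 10.0  # net.inet.ip.fw.dyn_udp_lifetime; 10 s default per the thread
# proto is "udp"/"tcp"; t is arrival time in seconds; ack = TCP ACK set ("established")
Packet = namedtuple("Packet", "proto src sport dst dport t ack", defaults=[False])


class ToyIpfw:
    def __init__(self, oip):
        self.oip = oip   # ${oip}: the box's own address
        self.dyn = {}    # dynamic rules: 5-tuple as created -> expiry time
        self.log = []    # what "deny log" would write to /var/log/security

    def check_state(self, p):
        # A reply matches the entry created by the outbound packet, i.e. the
        # same 5-tuple with endpoints swapped; a match refreshes the lifetime.
        key = (p.proto, p.dst, p.dport, p.src, p.sport)
        exp = self.dyn.get(key)
        if exp is None or p.t > exp:
            return False
        self.dyn[key] = p.t + DYN_UDP_LIFETIME
        return True

    def filter(self, p):
        if self.check_state(p):                          # check-state
            return "allow"
        if p.proto == "tcp" and p.ack:                   # deny log tcp ... established
            self.log.append(f"deny tcp {p.src}:{p.sport} -> {p.dst}:{p.dport}")
            return "deny"
        if (p.proto == "udp" and p.src == self.oip       # allow udp from ${oip} 123
                and p.sport == 123 and p.dport == 123):  #   to any 123 keep-state
            self.dyn[(p.proto, p.src, p.sport, p.dst, p.dport)] = p.t + DYN_UDP_LIFETIME
            return "allow"
        return "deny"                                    # final deny


def demo_ntp():
    # Constructed addresses (RFC 5737 TEST-NET ranges), not from the thread.
    fw = ToyIpfw("203.0.113.10")
    pkts = [
        Packet("udp", "203.0.113.10", 123, "198.51.100.1", 123, t=0.0),   # ntpd query out
        Packet("udp", "198.51.100.1", 123, "203.0.113.10", 123, t=0.5),   # reply inside window
        Packet("tcp", "198.51.100.9", 80, "203.0.113.10", 40000, t=1.0, ack=True),  # spoofed ACK
        Packet("udp", "198.51.100.1", 123, "203.0.113.10", 123, t=12.0),  # reply after expiry
    ]
    return [fw.filter(p) for p in pkts], fw.log
```

The verdicts come out allow, allow, deny, deny: the in-window reply passes via check-state, the stateless ACK packet is dropped and logged, and the late reply falls through to the final deny, which is the symptom to look for when raising dyn_udp_lifetime on a slow link.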