From owner-freebsd-security Thu May 16 22:46: 1 2002
Delivered-To: freebsd-security@freebsd.org
Received: from host185.dolanmedia.com (host185.dolanmedia.com [209.98.197.185]) by hub.freebsd.org (Postfix) with SMTP id E691737B407 for ; Thu, 16 May 2002 22:45:40 -0700 (PDT)
Received: (qmail 22810 invoked by uid 0); 17 May 2002 05:45:40 -0000
Received: from greg.panula@dolaninformation.com by proxy with qmail-scanner-0.96 (. Clean. Processed in 0.317792 secs); 17 May 2002 05:45:40 -0000
X-Qmail-Scanner-Mail-From: greg.panula@dolaninformation.com via proxy
X-Qmail-Scanner-Rcpt-To: wysxs@hotmail.com,freebsd-security@FreeBSD.ORG
X-Qmail-Scanner: 0.96 (No viruses found. Processed in 0.317792 secs)
Received: from unknown (HELO mail.dolanmedia.com) (10.1.1.23) by proxy.dolanmedia.com with SMTP; 17 May 2002 05:45:39 -0000
Received: from dolaninformation.com (10.1.1.135) by mail.dolanmedia.com (Worldmail 1.3.167); 17 May 2002 00:45:39 -0500
Message-ID: <3CE49903.349E247A@dolaninformation.com>
Date: Fri, 17 May 2002 00:45:39 -0500
From: Greg Panula
Reply-To: greg.panula@dolaninformation.com
Organization: Dolan Information Center Inc
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Tom Wang
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw udp dynamic rule don't work ?
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Tom Wang wrote:
>
> Hi, all
>
> I have a problem when I config ipfw on my FreeBSD 4.5 box. The firewall
> rules are as follows:
>
> allow tcp from any to any established
> allow ip from any to any frag
> ......
> check-state
> allow tcp from ${oip} to any keep-state
> allow udp from ${oip} to any keep-state

The check-state rule will allow established connections to pass thru the
firewall. No real need for the early "allow tcp from any to any
established" rule. I use this combo on my firewall:

check-state
deny log tcp from any to any established

That way any packets with a spoofed ack bit set are dropped & logged.

More information about tcp can be found at:
http://www.networksorcery.com/enp/protocol/tcp.htm

>
> The box can't synchronize with any ntp servers. I think "keep-state"
> keeps a small time window where it allows udp packets to come back from
> the ntp server, but it seems not to work.

'sysctl -a | grep fw | grep -v ipfw' will show you the system control
variables involved with ipfw. You'll want to look at the value of
net.inet.ip.fw.dyn_udp_lifetime. I believe it defaults to 10 seconds. If
you are on a high latency link, you might want to increase it. But 10
seconds should be enough time to get a response from an ntp source.

>
> Must I add the following rules to my firewall ruleset? And why?
>
> allow udp from {oip} to any 123
> allow udp from any 123 to {oip}
> or
> allow udp from {oip} to any 123 keep-state
> ( this rule should be the same as "allow udp from ${oip} to any keep-state" )
>

Maybe try this rule for your ntp traffic (it's the one I use):

allow udp from ${oip} 123 to any 123 keep-state out via ${oif}

Never had any problems with ntp and the above rule.

All else fails, make sure your last rule is at least logging the traffic
that reaches it. Then check /var/log/security. Optionally you could run
tcpdump and start-up ntpd and see what is going on.

Good Luck,
Greg
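The following is an added example, not part of Greg's mail or Tom's ruleset. It assembles the rule order Greg recommends (check-state ahead of a logging deny for spoofed "established" packets, then the NTP keep-state rule) into a file that ipfw(8) can load, and it parses net.inet.ip.fw.dyn_udp_lifetime out of sysctl output so the dynamic-rule window can be compared against a measured round-trip time. The address 192.0.2.10, the interface fxp0, the rule numbers, and the embedded sysctl text are all constructed placeholders; substitute your own outside IP and interface.

```shell
#!/bin/sh
# Added example (not from the original mail). Builds an ipfw ruleset in the order
# Greg describes and checks the UDP dynamic-rule lifetime from sysctl output.

OIP="${OIP:-192.0.2.10}"   # constructed example: your outside IP (Tom's ${oip})
OIF="${OIF:-fxp0}"         # constructed example: your outside interface (Greg's ${oif})

# Emit the ruleset one rule per line, in ipfw(8) file format ("add N rule").
# Order matters: check-state lets packets matching an existing dynamic rule
# through first, so the deny/log that follows only sees TCP packets claiming to
# be "established" without any state behind them (a spoofed ACK bit).
# The frag rule is kept where Tom had it, ahead of check-state.
ipfw_ruleset() {
    cat <<EOF
add 100 allow ip from any to any frag
add 200 check-state
add 300 deny log tcp from any to any established
add 400 allow udp from ${OIP} 123 to any 123 keep-state out via ${OIF}
add 500 allow tcp from ${OIP} to any keep-state
add 600 allow udp from ${OIP} to any keep-state
add 65000 deny log ip from any to any
EOF
}

# Return 0 only if check-state precedes the deny-established rule; any other
# order would drop legitimate reply traffic before it could match state.
ruleset_order_ok() {
    ipfw_ruleset | awk '
        /check-state/                                  { cs = NR }
        /deny log tcp from any to any established/     { de = NR }
        END { exit !(cs && de && cs < de) }'
}

# Read "sysctl -a" style text on stdin and print the UDP dynamic-rule lifetime
# in seconds; exit 1 if the variable is absent (ipfw not loaded, for example).
dyn_udp_lifetime() {
    awk -F': ' '$1 == "net.inet.ip.fw.dyn_udp_lifetime" { print $2; found = 1 }
                END { if (!found) exit 1 }'
}

# Constructed sample of what "sysctl -a | grep fw | grep -v ipfw" might show.
SAMPLE_SYSCTL='net.inet.ip.fw.enable: 1
net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_ack_lifetime: 300'

sample_udp_lifetime() {
    printf '%s\n' "$SAMPLE_SYSCTL" | dyn_udp_lifetime
}

# Given the lifetime and a measured NTP round-trip time (both whole seconds),
# succeed if the dynamic rule will still exist when the reply arrives.
udp_window_sufficient() {
    lifetime="$1"; rtt="$2"
    [ "$rtt" -lt "$lifetime" ]
}
```

On the firewall host the ruleset would be written out with `ipfw_ruleset > /etc/ipfw.rules` and loaded with `ipfw /etc/ipfw.rules` after flushing; the live lifetime comes from `sysctl -a | dyn_udp_lifetime`. If `udp_window_sufficient` fails for your measured round-trip, that is the case where Greg suggests raising net.inet.ip.fw.dyn_udp_lifetime.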