Re: Gui for configuring NTP
From: "taharka" <res00vl8@xxxxxxxxxx>
Howdy jdow,
On Fri, 2005-12-09 at 21:22 -0800, jdow wrote:
From: "taharka" <res00vl8@xxxxxxxxxx>
> Howdy,
>
> On Fri, 2005-12-09 at 18:40 -0600, Nathaniel Hall wrote:
>> Scot L. Harris wrote:
>> > On Fri, 2005-12-09 at 19:12, jdow wrote:
>> >
>> > > From: "Paul Smith" <phhs80@xxxxxxxxx>
>> > >
>> > >
>> >
>> >
>> > > > > > Is your iptables open for NTP?
>> > > > > > I have this:
>> > > > > > -A INPUT -s 66.187.233.4 -p udp -m udp --sport 123 --dport 123 -j ACCEPT
>> > > > > > -A INPUT -s 66.187.224.4 -p udp -m udp --sport 123 --dport 123 -j ACCEPT
>> > > > > >
>> > >
>> > > NOTE: that is only good if you have "clock1.redhat.com" as your clock
>> > > server. Make it correct for the clock server you select. You may have to
>> > > make it a range of addresses.
>> > >
>> > >
>> >
>> > Why would you need to open these ports to have your system update its
>> > time using NTP? My systems seem to get NTP updates just fine sitting
>> > behind a firewall that does not have these ports opened.
>> >
>> >
>> >
>> Then it isn't a firewall. Well, I guess it could be, but it is a very
>> poor firewall. I'll almost guarantee that the ports are open, you
>> just don't know it.
> That simply isn't so. All my systems are sitting behind a hardware
> firewall & I can guarantee that the ports are not open. The thing is,
> the firewall will cheerfully pass a request to the outside from a client
> system & return whatever is requested. Unless, some sort of rule is set
> explicitly telling it not to do so. This is the way a firewall is
> supposed to work.
<voice, Gildersleeve>Oh reeeeaaally!</voice>
I always set firewalls to drop packets unless told by some other rule
to do something with them. The old "ipfwd" did not do a good job with
regards to UDP "connections" such as "ntp" uses. So I generally had to
explicitly open the firewall holes needed to pass the external DNS
servers and NTP servers I used. The initial (more or less direct
translation) I used with iptables suffered the same problem. As I
became more proficient with iptables and trimmed cruft (and used
ip_connect_track) the UDP issue subsided.
m0n0wall/Netboz/pfsense are all FreeBSD-based & use ipfw. At the moment,
I'm running m0n0wall with the stock ruleset listed below. No problems
whatsoever with UDP/ntp connections.
I had the impression the old OLD ipfwd on Linux was quite different
from the ipfw on FreeBSD. For the old ipfwd setup I started with the
firewall from the Trinity OS Project and progressively tweaked it
into doing what I needed in a slow stepwise manner. When it came time
to change to iptables I made an initial somewhat ham-handed
transformation and had some problems with "over-security". I was closed
down too tightly. Over time iptables seems to have matured (greatly)
and the rule sets are slimming down nicely. I still do some strange
things with it from time to time. So it's not set up by a standard
firewall tool. I'd be lost trying to tell it what I am doing. {^_-}
(The easy part is opening a nice vertical (all ports) hole to a
specific trusted system "out there." The medium hard part is opening
a specific second hole to a single address "out there" using the
trusted machine access to get in so I can perform the tweak. The
hard part is opening a hole that directs packets to and from a
specific port on my XP machine for streaming video. I don't do that
very often. The uplink I have is WAY too slow to make it practical.)
So I simply have a file I use to set up the firewalls my way. It's a
fairly simple bash shell file that accepts some variables on its
input, optionally. With that I can change the structure of the
firewall in literally seconds. It's handy.
{^_^}
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
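The thread contrasts two ways of letting a host reach its NTP servers through a default-DROP firewall: the static per-server `--sport 123 --dport 123` ACCEPT rules quoted at the top, and relying on connection tracking (the "ip_connect_track" jdow mentions) so that only replies to queries the host itself sent get back in. The following shell script is an added example, not code from any poster or from m0n0wall/iptables; it generates an iptables-restore ruleset for a list of server addresses rather than applying anything, so it can be reviewed before loading. It assumes nf_conntrack is available, that INPUT and OUTPUT default to DROP, and that the client behaves like ntpd (source port 123) or chrony/sntp (ephemeral source port); the addresses in the usage line are constructed RFC 5737 examples.

```shell
#!/bin/sh
# Added example: build an iptables ruleset for outbound NTP using connection
# tracking instead of static "--sport 123 --dport 123" ACCEPT rules.
# Assumptions: nf_conntrack is loaded, INPUT/OUTPUT policy is DROP, and the
# output is reviewed before being fed to `iptables-restore`.

# Print a complete *filter table for the NTP servers given as arguments.
# Usage: ntp_ruleset 192.0.2.10 192.0.2.11 > /tmp/ntp.rules   (constructed IPs)
ntp_ruleset() {
    [ "$#" -gt 0 ] || { echo "usage: ntp_ruleset SERVER_IP..." >&2; return 1; }
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':OUTPUT DROP [0:0]'
    # Replies to queries this host sent are matched by conntrack state, so no
    # inbound rule needs to name a server or a source port at all.
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for srv in "$@"; do
        # Only the listed servers may be queried.  ntpd sends from source
        # port 123 while chrony/sntp use an ephemeral port, so the rule keys
        # on the destination port only; either client works unchanged.
        echo "-A OUTPUT -d $srv -p udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
    done
    # Anything else arriving on UDP/123 is unsolicited (nobody asked for it):
    # rate-limited log for visibility, then drop.
    echo '-A INPUT -p udp --dport 123 -m limit --limit 3/min -j LOG --log-prefix "ntp-unsolicited: "'
    echo '-A INPUT -p udp --dport 123 -j DROP'
    echo 'COMMIT'
}

# Sanity check before loading: how many per-server OUTPUT rules were produced.
ntp_rule_count() {
    ntp_ruleset "$@" | grep -c '^-A OUTPUT .*--dport 123'
}
```

To apply the generated rules, pipe the output into `iptables-restore`; the server list can be passed in as arguments or read from a variable, in the spirit of the bash file jdow describes. The inbound side deliberately stays generic: with conntrack doing the matching, changing time servers only means editing the OUTPUT list, and the LOG rule gives a cheap detection point for hosts poking at UDP/123 that were never asked.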