Mailinglist Archive: opensuse-security (757 mails)
[suse-security] SuSEfirewall2 and NTP
- From: Rickey Ingrassia <r1ckey@xxxxxxxxx>
- Date: Tue, 15 Jan 2002 21:45:19 -0800
- Message-id: <3C45136F.9010502@xxxxxxxxx>
I tried to open my firewall up to NTP (client) using the
"FW_ALLOW_INCOMING_HIGHPORTS_UDP" in the "firewall2.rc.config" file.
This did not work. The problem is that when the NTP request is sent to
the server (dest port 123) the response was coming back with a source
port of 123 as well. The "FW_ALLOW_INCOMING_HIGHPORTS_UDP" permits NTP
replies on source ports 1024-65535. I fixed it by adding the following
rule to "firewall2-custom.rc.config":
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p udp --sport ntp --dport ntp
(Opinions on the security of this rule welcome.)
Is this a problem with the NTP software/configuration on the client or server or a problem with SuSEfirewall2? SuSEfirewall2 is commented as follows, regarding the "FW_ALLOW_INCOMING_HIGHPORTS_UDP" option:
# Common: "DNS" or "domain ntp", better is "yes" to be sure ...
rickey
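The behaviour described in the post, as an added worked example that is not part of the message or of SuSEfirewall2: a toy stateful UDP filter shows why a 123-to-123 NTP reply misses a high-ports rule, why the custom rule's "--state ESTABLISHED,RELATED" match matters, and how an ntpdate-style client on an ephemeral port differs from ntpd, which binds port 123 itself. The flow tracker is a simplified stand-in for netfilter conntrack, the high-ports rule is modelled as admitting UDP only when the client-side port is unprivileged (SuSEfirewall2's real matching differs in detail, but the 123-to-123 reply fails it either way), and all addresses and port numbers are constructed.

```python
"""Toy stateful UDP filter modelling the NTP/SuSEfirewall2 situation.

Constructed example: ConnTracker stands in for netfilter conntrack and the
rule functions for entries in the input_ext chain. None of this is
SuSEfirewall2 code.
"""
from dataclasses import dataclass

NTP = 123
HIGHPORTS = range(1024, 65536)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


class ConnTracker:
    """Remembers outbound UDP flows so replies can be classified ESTABLISHED."""

    def __init__(self):
        self._flows = set()

    def outbound(self, pkt):
        self._flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def state(self, pkt):
        # A reply is the mirror image of a flow this host originated.
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ESTABLISHED" if reverse in self._flows else "NEW"


def highports_udp_rule(pkt, state):
    """Simplified FW_ALLOW_INCOMING_HIGHPORTS_UDP: the reply must arrive at an
    unprivileged client port. A 123-to-123 reply never satisfies this."""
    return pkt.proto == "udp" and pkt.dport in HIGHPORTS


def custom_ntp_rule(pkt, state):
    """The poster's rule: -m state --state ESTABLISHED,RELATED -p udp
    --sport ntp --dport ntp."""
    return (pkt.proto == "udp" and pkt.sport == NTP and pkt.dport == NTP
            and state in ("ESTABLISHED", "RELATED"))


def stateless_ntp_rule(pkt, state):
    """Same port match without the state match, to show what the state match buys."""
    return pkt.proto == "udp" and pkt.sport == NTP and pkt.dport == NTP


def evaluate(tracker, pkt, rules):
    """First matching rule wins; the chain's implicit policy is DROP."""
    state = tracker.state(pkt)
    for rule in rules:
        if rule(pkt, state):
            return "ACCEPT"
    return "DROP"


def demo():
    client, server = "10.0.0.2", "192.0.2.10"      # constructed addresses
    ct = ConnTracker()

    # ntpdate-style client: ephemeral source port, reply comes back to it.
    ct.outbound(Packet(client, 40000, server, NTP))
    ephemeral_reply = Packet(server, NTP, client, 40000)

    # ntpd: queries its peer from its own port 123, reply is 123 -> 123.
    ct.outbound(Packet(client, NTP, server, NTP))
    ntpd_reply = Packet(server, NTP, client, NTP)

    # Unsolicited packet from source port 123 matching no outbound flow.
    unsolicited = Packet("198.51.100.9", NTP, client, NTP)

    base = [highports_udp_rule]
    with_custom = base + [custom_ntp_rule]
    with_stateless = base + [stateless_ntp_rule]
    return {
        "ephemeral_reply_highports": evaluate(ct, ephemeral_reply, base),
        "ntpd_reply_highports": evaluate(ct, ntpd_reply, base),
        "ntpd_reply_custom": evaluate(ct, ntpd_reply, with_custom),
        "unsolicited_custom": evaluate(ct, unsolicited, with_custom),
        "unsolicited_stateless": evaluate(ct, unsolicited, with_stateless),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The last two results are the point of the security question in the post: with the state match, a packet from source port 123 is only admitted when it answers a query this host sent; drop the state match and the same port pattern lets any unsolicited 123-to-123 datagram through.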