Re: [suse-security] SuSEfirewall2 and NTP
I tried to open my firewall up to NTP (client) using the "FW_ALLOW_INCOMING_HIGHPORTS_UDP" in the" firewall2.rc.config" file. This did not work. The problem is that when the NTP request is sent to the server (dest port 123) the response was coming back with a source port of 123 as well. The "FW_ALLOW_INCOMING_HIGHPORTS_UDP" permits NTP replies on source ports 1024-65535. I fixed it by adding the following rule to "firewall2-custom.rc.config";
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p udp --sport ntp --dport ntp
(Opinions on the security of this rule welcome.)
Is this a promblem with the NTP software/configuration on the client or server or a problem with SuSEfirewall2? SuSEfirewall2 is commented as follows, regarding the "FW_ALLOW_INCOMING_HIGHPORTS_UDP" option;
# Common: "DNS" or "domain ntp", better is "yes" to be sure ...
rickey
Try something like this: FW_TRUSTED_NETS="... your.time.server.ip-address,udp,ntp" and FW_ALLOW_INCOMING_HIGHPORTS_UDP="... time" Igor
* Igor Nichvolodin wrote on Wed, Jan 16, 2002 at 11:47 +0100:
the server (dest port 123) the response was coming back with a source port of 123 as well. The "FW_ALLOW_INCOMING_HIGHPORTS_UDP" permits NTP replies on source ports 1024-65535. I fixed it by adding the following rule to "firewall2-custom.rc.config";
Try something like this: FW_TRUSTED_NETS="... your.time.server.ip-address,udp,ntp" and FW_ALLOW_INCOMING_HIGHPORTS_UDP="... time"
Maybe you misunderstood the question? I think the high ports thing is working but of course usually NTP servers answer port 123->123. oki, Steffen -- Dieses Schreiben wurde maschinell erstellt, es trägt daher weder Unterschrift noch Siegel.
participants (2)
-
Igor Nichvolodin
-
Steffen Dettmer