Mailinglist Archive: opensuse-security (757 mails)

Re: [suse-security] SuSEfirewall2 and NTP
> I tried to open my firewall up to NTP (client) using the
> "FW_ALLOW_INCOMING_HIGHPORTS_UDP" in the "firewall2.rc.config" file.
> This did not work. The problem is that when the NTP request is sent to
> the server (dest port 123) the response was coming back with a source
> port of 123 as well. The "FW_ALLOW_INCOMING_HIGHPORTS_UDP" permits NTP
> replies on source ports 1024-65535. I fixed it by adding the following
> rule to "firewall2-custom.rc.config";
>
> iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p
> udp --sport ntp --dport ntp
>
> (Opinions on the security of this rule welcome.)
>
> Is this a problem with the NTP software/configuration on the client or
> server or a problem with SuSEfirewall2? SuSEfirewall2 is commented as
> follows, regarding the "FW_ALLOW_INCOMING_HIGHPORTS_UDP" option;
>
> # Common: "DNS" or "domain ntp", better is "yes" to be sure ...
>
> rickey

Try something like this:
FW_TRUSTED_NETS="... your.time.server.ip-address,udp,ntp"
and
FW_ALLOW_INCOMING_HIGHPORTS_UDP="... time"

Igor
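To show why a 123-to-123 ntpd reply slips past the highports option but is accepted by the state-matched custom rule, and what each of the three settings discussed above actually trusts, here is an added Python model (not code from this thread or from SuSEfirewall2) that scores constructed datagrams against each rule. The Conntrack class, the addresses, and the reading of FW_ALLOW_INCOMING_HIGHPORTS_UDP as "listed source ports to local ports 1024-65535" are assumptions of the example.

```python
from collections import namedtuple

NTP_PORT = 123
# Constructed addresses for the walk-through; none of them come from the thread.
CLIENT, SERVER, OTHER = "192.0.2.10", "198.51.100.5", "203.0.113.7"
# A UDP datagram as the filter sees it: source/destination address and port.
Packet = namedtuple("Packet", "src sport dst dport")

class Conntrack:
    """Toy stand-in for the kernel's UDP state table: an incoming datagram is
    ESTABLISHED when it reverses a 4-tuple this host already sent."""
    def __init__(self):
        self.sent = set()

    def send(self, pkt):
        self.sent.add(pkt)

    def is_established(self, pkt):
        return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sent

def highports_udp(ct, pkt, allowed_sports=(NTP_PORT,)):
    """FW_ALLOW_INCOMING_HIGHPORTS_UDP="ntp", read here (assumption) as: UDP from the
    listed source ports to a local unprivileged port (1024-65535). ntpd uses 123, so no match."""
    return pkt.sport in allowed_sports and 1024 <= pkt.dport <= 65535

def custom_rule(ct, pkt):
    """The poster's rule: -p udp --sport ntp --dport ntp -m state --state ESTABLISHED,RELATED.
    The state match ties the reply to a query this host actually sent."""
    return pkt.sport == NTP_PORT and pkt.dport == NTP_PORT and ct.is_established(pkt)

def trusted_net(ct, pkt, server=SERVER):
    """FW_TRUSTED_NETS="<server>,udp,ntp": UDP to port 123 whose source address is the
    named server; no state check, so the source address alone is trusted."""
    return pkt.src == server and pkt.dport == NTP_PORT

def evaluate():
    """Record two outgoing queries, then score four incoming datagrams against each rule."""
    ct = Conntrack()
    ct.send(Packet(CLIENT, NTP_PORT, SERVER, NTP_PORT))  # ntpd queries from port 123
    ct.send(Packet(CLIENT, 40000, SERVER, NTP_PORT))     # ntpdate-style query from a high port
    samples = {
        "ntpd_reply": Packet(SERVER, NTP_PORT, CLIENT, NTP_PORT),  # genuine, 123 -> 123
        "ntpdate_reply": Packet(SERVER, NTP_PORT, CLIENT, 40000),  # genuine, 123 -> high port
        "unsolicited": Packet(OTHER, NTP_PORT, CLIENT, NTP_PORT),  # 123 -> 123, unknown host
        "server_addr_no_query": Packet(SERVER, 40001, CLIENT, NTP_PORT),  # server address, nothing sent
    }
    rules = {"highports": highports_udp, "custom": custom_rule, "trusted": trusted_net}
    return {name: {r: fn(ct, pkt) for r, fn in rules.items()} for name, pkt in samples.items()}
```

The last sample is the caveat on the FW_TRUSTED_NETS approach: it admits any datagram to port 123 that carries the server's address, while the ESTABLISHED match only admits replies to queries this host sent.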

