Mailinglist Archive: opensuse-security (757 mails)

< Previous Next >
[suse-security] SuSEfirewall2 and NTP
  • From: Rickey Ingrassia <r1ckey@xxxxxxxxx>
  • Date: Tue, 15 Jan 2002 21:45:19 -0800
  • Message-id: <3C45136F.9010502@xxxxxxxxx>
I tried to open my firewall up to NTP (client) using the "FW_ALLOW_INCOMING_HIGHPORTS_UDP" in the" firewall2.rc.config" file. This did not work. The problem is that when the NTP request is sent to the server (dest port 123) the response was coming back with a source port of 123 as well. The "FW_ALLOW_INCOMING_HIGHPORTS_UDP" permits NTP replies on source ports 1024-65535. I fixed it by adding the following rule to "firewall2-custom.rc.config";

iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p udp --sport ntp --dport ntp

(Opinions on the security of this rule welcome.)

Is this a promblem with the NTP software/configuration on the client or server or a problem with SuSEfirewall2? SuSEfirewall2 is commented as follows, regarding the "FW_ALLOW_INCOMING_HIGHPORTS_UDP" option;

# Common: "DNS" or "domain ntp", better is "yes" to be sure ...

rickey



< Previous Next >