On Tue, 9 Jul 2002 10:52:41 -0500 "David A. Bandel" <[EMAIL PROTECTED]> wrote:
> On Tue, 9 Jul 2002 11:08:23 -0400
> begin Matthew Carpenter <[EMAIL PROTECTED]> spewed forth:
>
> [snip]
> >
> > >
> > > The above is "your system to Internet on ntp port (123)", the next
> > > rule is "Internet to your system on ntp port".
> >
> > Not quite. The first one is your system to Anywhere for NTP. The second
> > rule is another machine to the outside of the firewall on NTP and has
> > no business being there unless your firewall is going to provide NTP
> > to this other machine.
>
> Umm. You said the same thing I did, so how can it be "not quite"? I
> just didn't judge the sagacity of allowing the world to use him as an
> NTP server (maybe he _wants_ to). I have a system that I and my
> customers (perhaps 150 or so systems) use as an NTP server (and it's
> slaved off time.nist.gov). He didn't say if that was also his case.

I did not say what you did. If you meant to say it differently, that's
not my fault, but you did not say anything clearly. If I were to write
rules based on what you said, they would be something like:

target  prot  tosa  tosx  ifname  source          destination     ports
ACCEPT  udp   0xFF  0x00  eth1    198.82.161.227  0.0.0.0         * -> 123
ACCEPT  udp   0xFF  0x00  eth1    0.0.0.0         198.82.161.227  * -> 123

but what he gave is:

target  prot  tosa  tosx  ifname  source          destination     ports
ACCEPT  udp   0xFF  0x00  eth1    198.82.161.227  0.0.0.0         * -> 123
ACCEPT  udp   0xFF  0x00  eth1    198.82.162.213  68.36.44.105    * -> 123

(68.36.44.105 being the external IP of the firewall)

198.82.161.227: proxy.cc.vt.edu
198.82.162.213: lennier.cc.vt.edu
68.36.44.105:   bgp387816bgs.jersyc01.nj.comcast.net

Where are you looking? How does "the next rule is 'Internet to your
system on ntp port'" fit into this description at all?

What I said was WRONG, as I had not done the lookups to figure out that
198.82.x.x were the hosts being synched with.... I revise my statement to
say that (assuming NTP outbound is accepted):

rule 1: Internet NTP Server's replies to anywhere controlled by your
        firewall are accepted.
rule 2: Another Internet NTP Server's replies to your Firewall.

Rule 1 would work for responses from that server to your network, as long
as udp123 outbound is accepted traffic. Rule 2 would work for responses
either directly to the firewall or for hosts being MASQ'ed.

_______________________________________________
Linux-users mailing list - http://linux-sxs.org/mailman/listinfo/linux-users
Subscribe/Unsubscribe info, Archives, and Digests are located at the above URL.
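The whole disagreement in this thread is about reading the source/destination/ports columns correctly: a rule whose source is a specific upstream NTP server admits that server's replies, while a rule whose source is 0.0.0.0 (anywhere) and whose destination is one of your own addresses turns you into a public NTP server. The following is an added example, not code posted by anyone in the thread: a small Python parser for rows shaped like the ipchains listing above, plus a classifier that labels each accepted UDP/123 rule by who it actually lets talk to whom. The two VT hosts and the firewall's external address 68.36.44.105 come from the thread; the internal LAN 192.168.1.0/24 and the third, world-open rule are constructed placeholders for illustration.

```python
# Added example (not from the mailing-list thread): classify ipchains-style
# ACCEPT rules for UDP port 123 by who they actually let reach whom.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    target: str
    proto: str
    ifname: str
    src: str
    dst: str
    sport: str
    dport: str


def parse_rules(listing: str) -> list[Rule]:
    """Parse rows laid out like the listing quoted in the thread:
    target proto tosa tosx ifname source destination sport -> dport."""
    rules = []
    for line in listing.strip().splitlines():
        parts = line.split()
        if not parts or parts[0] == "target":      # skip the header row
            continue
        target, proto, _tosa, _tosx, ifname, src, dst, sport, arrow, dport = parts
        if arrow != "->":
            raise ValueError(f"unexpected ports column in: {line!r}")
        rules.append(Rule(target, proto, ifname, src, dst, sport, dport))
    return rules


def _net(addr: str) -> IPv4Network:
    """ipchains shows an unrestricted address as 0.0.0.0, 0.0.0.0/0 or 'anywhere'."""
    if addr in ("0.0.0.0", "0.0.0.0/0", "anywhere"):
        return ANY
    return ip_network(addr, strict=False)


def classify(rule: Rule, local_nets: list[str], trusted_servers: list[str]) -> dict:
    """Label an accepted UDP/123 rule and flag the case David warns about:
    arbitrary Internet hosts reaching one of our own addresses on port 123."""
    if rule.target != "ACCEPT" or rule.proto != "udp" or rule.dport != "123":
        return {"label": "not an accepted UDP/123 rule", "world_open": False}
    src, dst = _net(rule.src), _net(rule.dst)
    locals_ = [ip_network(n, strict=False) for n in local_nets]
    dst_local = dst != ANY and any(dst.subnet_of(n) for n in locals_)
    src_local = src != ANY and any(src.subnet_of(n) for n in locals_)
    src_trusted = src != ANY and any(ip_address(t) in src for t in trusted_servers)

    if src_trusted:   # replies from a server we deliberately sync against
        where = "anywhere" if dst == ANY else ("a local address" if dst_local else rule.dst)
        return {"label": f"replies from trusted NTP server {rule.src} to {where}",
                "world_open": False}
    if src_local:     # our own query going out
        return {"label": f"outbound NTP from local host {rule.src} to {rule.dst}",
                "world_open": False}
    if src == ANY and (dst == ANY or dst_local):
        return {"label": "anyone on the Internet may reach a local address on NTP (public server)",
                "world_open": True}
    if src == ANY:    # "Internet to <host>" where <host> is not one of ours
        return {"label": f"anyone to {rule.dst} on NTP, but that address is not local",
                "world_open": False}
    return {"label": f"NTP from untrusted host {rule.src} to {rule.dst}", "world_open": False}


# Rules as given in the thread (constructed listing in the same column layout).
GIVEN_RULES = """\
target  prot  tosa  tosx  ifname  source          destination   ports
ACCEPT  udp   0xFF  0x00  eth1    198.82.161.227  0.0.0.0       * -> 123
ACCEPT  udp   0xFF  0x00  eth1    198.82.162.213  68.36.44.105  * -> 123
"""
# Constructed: the rule that would actually make the firewall a public NTP server.
WORLD_OPEN_RULE = "ACCEPT udp 0xFF 0x00 eth1 0.0.0.0 68.36.44.105 * -> 123"

FIREWALL_EXTERNAL = "68.36.44.105"                       # from the thread
TRUSTED_NTP = ["198.82.161.227", "198.82.162.213"]       # proxy/lennier.cc.vt.edu
LOCAL_NETS = [FIREWALL_EXTERNAL + "/32", "192.168.1.0/24"]  # LAN is an assumed placeholder


def audit(listing: str) -> list[dict]:
    return [classify(r, LOCAL_NETS, TRUSTED_NTP) for r in parse_rules(listing)]


if __name__ == "__main__":
    for r, verdict in zip(parse_rules(GIVEN_RULES), audit(GIVEN_RULES)):
        print(f"{r.src:>15} -> {r.dst:<13} {verdict['label']}")
    print(audit(WORLD_OPEN_RULE)[0])
```

The destination port of 123 on the reply rules matters because an ntpd client sends its queries from source port 123, so the server's answer arrives with destination port 123; a rule admitting only the two configured servers as sources is the narrow form Matthew's revised reading describes, and the classifier only raises `world_open` when the source is unrestricted and the destination is one of your own addresses.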