On Tue, 9 Jul 2002 10:52:41 -0500
"David A. Bandel" <[EMAIL PROTECTED]> wrote:

> On Tue, 9 Jul 2002 11:08:23 -0400
> begin  Matthew Carpenter <[EMAIL PROTECTED]> spewed forth:
> 
> [snip]
> > > 
> > > The above is "your system to Internet on ntp port (123)", the next
> > > rule is "Internet to your system on ntp port".
> > 
> > Not quite.  The first one your system to Anywhere for NTP.  The second
> > rule is another machine to the outside of the firewall on NTP and has
> > no business being there unless your firewall is going to provide NTP
> > to this other machine.
> 
> Umm.  You said the same thing I did, so how can it be "not quite"?  I
> just didn't judge the sagacity of allowing the world to use him as an
> NTP server (maybe he _wants_ to).  I have a system that I and my
> customers (perhaps 150 or so systems) use as an NTP server (and it's
> slaved off time.nist.gov).  He didn't say if that was also his case.

I did not say what you did.  If you meant to say it differently, that's
not my fault, but you did not say anything clearly.  If I were to write
rules based on what you said, they would be something like:

target      tosa tosx  ifname source          destination         ports
ACCEPT udp  0xFF 0x00  eth1   198.82.161.227  0.0.0.0           * ->   123
ACCEPT udp  0xFF 0x00  eth1   0.0.0.0         198.82.161.227    * ->   123


but what he gave is:

target      tosa tosx  ifname source          destination   ports
ACCEPT udp  0xFF 0x00  eth1   198.82.161.227  0.0.0.0       * ->   123
ACCEPT udp  0xFF 0x00  eth1   198.82.162.213  68.36.44.105  * ->   123
(68.36.44.105 being the external IP of the firewall)

198.82.161.227:         proxy.cc.vt.edu
198.82.162.213:         lennier.cc.vt.edu
68.36.44.105:           bgp387816bgs.jersyc01.nj.comcast.net

Where are you looking?  How does
        the next rule is "Internet to your system on ntp port".
fit into this description at all?

What I said was WRONG, as I had not done the lookups to figure out that
198.82.x.x were the hosts being synched with....
I revise my statement to say that (assuming NTP outbound is accepted):
rule 1:         Internet NTP Server's replies to anywhere controlled by your
firewall are accepted.
rule 2:         Another Internet NTP Server's replies to your Firewall.

Rule 1 would work for responses from that server to your network, as long
as udp123 outbound is accepted traffic.
Rule 2 would work for responses either directly to the firewall or for
hosts being MASQ'ed.
_______________________________________________
Linux-users mailing list - http://linux-sxs.org/mailman/listinfo/linux-users
Subscribe/Unsubscribe info, Archives,and Digests are located at the above URL.
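As an added illustration (not code from this thread or the list), a small Python audit that parses ipchains-style listing rows like the ones quoted above and states in plain words what each NTP ACCEPT rule admits, flagging any rule whose source is "anywhere". It assumes the column order shown in the listings, that a bare 0.0.0.0 means "anywhere" as the thread uses it, and uses the firewall external address named in the thread.

```python
import ipaddress

# Constructed sample input: the two listings quoted in the thread, headers omitted.
RULES_AS_GIVEN = """\
ACCEPT udp  0xFF 0x00  eth1   198.82.161.227  0.0.0.0      * ->   123
ACCEPT udp  0xFF 0x00  eth1   198.82.162.213  68.36.44.105 * ->   123
"""
RULES_AS_MISREAD = """\
ACCEPT udp  0xFF 0x00  eth1   198.82.161.227  0.0.0.0           * ->   123
ACCEPT udp  0xFF 0x00  eth1   0.0.0.0         198.82.161.227    * ->   123
"""
FIREWALL_EXTERNAL_IP = "68.36.44.105"  # external address named in the thread


def is_anywhere(addr):
    # ipchains prints "anywhere" as 0.0.0.0/0; the thread writes it as 0.0.0.0
    # (assumed here to mean the same thing).
    return addr in ("0.0.0.0", "0.0.0.0/0")


def parse_rule(line):
    """Split one listing row: target proto tosa tosx ifname src dst sport -> dport."""
    f = line.split()
    if len(f) != 10 or f[8] != "->":
        raise ValueError("unexpected column layout: %r" % line)
    for a in (f[5], f[6]):
        if not is_anywhere(a):
            ipaddress.ip_address(a)  # raises on a malformed address
    return {"target": f[0], "proto": f[1], "ifname": f[4],
            "src": f[5], "dst": f[6], "sport": f[7], "dport": f[9]}


def classify(rule, firewall_ip):
    """Say, in one line, what an NTP ACCEPT rule actually lets through."""
    if (rule["target"], rule["proto"], rule["dport"]) != ("ACCEPT", "udp", "123"):
        return "not an NTP accept rule"
    if rule["dst"] == firewall_ip:
        who = "the firewall itself"
    elif is_anywhere(rule["dst"]):
        who = "any destination (arriving on %s)" % rule["ifname"]
    else:
        who = rule["dst"]
    if is_anywhere(rule["src"]):
        return "EXPOSED: any Internet host may send NTP to %s" % who
    return "replies from NTP server %s accepted to %s" % (rule["src"], who)


def audit(listing, firewall_ip=FIREWALL_EXTERNAL_IP):
    return [classify(parse_rule(l), firewall_ip) for l in listing.splitlines() if l.strip()]


if __name__ == "__main__":
    for verdict in audit(RULES_AS_GIVEN) + audit(RULES_AS_MISREAD):
        print(verdict)
```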