etc/rc.firewall6

Chuck Swiger cswiger at mac.com
Thu Jul 17 23:21:31 UTC 2008


On Jul 17, 2008, at 3:33 PM, Doug Barton wrote:
[ ... ]
> About the ntp stuff, 2 questions. First, you did not make the same  
> changes in the NTP section in the second hunk as you did in the  
> first, is that intentional?  Second, wouldn't it be better to  
> specify the port number (123) on both sides? NTP uses that same port  
> for sending and receiving queries, and I've always built firewalls  
> that way successfully.

David Mills' ntpd uses port 123 on both sides, true.  Other NTP  
implementations tend to use ephemeral ports; a quick histogram of 30  
seconds or so of traffic to a stratum-2 NTP server suggests about half  
of the NTP traffic out there uses other ports.

Regards,
-- 
-Chuck

# tcpdump -w ntp_packets.dump udp port 123
tcpdump: listening on fxp0, link-type EN10MB (Ethernet), capture size 96 bytes
^C
615 packets captured
897 packets received by filter
0 packets dropped by kernel

# tcpdump -nr ntp_packets.dump | wc -l
reading from file ntp_packets.dump, link-type EN10MB (Ethernet)
      615

# tcpdump -nr ntp_packets.dump | grep '.123 >' | wc -l
reading from file ntp_packets.dump, link-type EN10MB (Ethernet)
      347

Most of these above were packets sent by my server.  The rest have  
quite an assortment of source ports being used:

# tcpdump -nr ntp_packets.dump | grep -v '.123 >' | head
reading from file ntp_packets.dump, link-type EN10MB (Ethernet)
19:06:41.598527 IP 69.144.236.104.3186 > 199.103.21.227.123: NTPv4, Client, length 48
19:06:41.620732 IP 70.169.250.10.297 > 199.103.21.227.123: NTPv3, symmetric active, length 48
19:06:41.755699 IP 63.118.102.151.47817 > 199.103.21.227.123: NTPv4, Client, length 48
19:06:41.932513 IP 65.7.131.67.61897 > 199.103.21.227.123: NTPv3, Client, length 48
19:06:42.041643 IP 69.48.55.134.6 > 199.103.21.227.123: NTPv3, Client, length 48
19:06:42.098282 IP 64.211.94.227.32839 > 199.103.21.227.123: NTPv4, Client, length 48
19:06:42.248041 IP 74.234.132.214.49846 > 199.103.21.227.123: NTPv3, Client, length 48
19:06:42.263930 IP 66.134.96.79.50420 > 199.103.21.227.123: NTPv3, symmetric active, length 48
19:06:42.338483 IP 38.115.128.242.12709 > 199.103.21.227.123: NTPv3, symmetric active, length 48
19:06:42.764847 IP 70.169.250.10.429 > 199.103.21.227.123: NTPv3, symmetric active, length 48
# tcpdump -nr ntp_packets.dump | grep -v '.123 >' | tail
reading from file ntp_packets.dump, link-type EN10MB (Ethernet)
19:07:09.302753 IP 170.235.223.10.47601 > 199.103.21.227.123: NTPv3, symmetric active, length 48
19:07:09.355610 IP 38.105.187.251.278 > 199.103.21.227.123: NTPv3, symmetric active, length 48
19:07:09.360286 IP 70.148.188.206.59640 > 199.103.21.227.123: NTPv4, Client, length 48
19:07:09.502241 IP 138.210.238.176.26487 > 199.103.21.227.123: NTPv3, Client, length 48
19:07:09.838130 IP 66.89.121.68.13587 > 199.103.21.227.123: NTPv3, symmetric active, length 48
19:07:10.064838 IP 76.201.148.100.2050 > 199.103.21.227.123: NTPv3, Client, length 48
19:07:10.121137 IP 217.96.91.6.37920 > 199.103.21.227.123: NTPv4, Client, length 48
19:07:10.124784 IP 70.169.250.10.24 > 199.103.21.227.123: NTPv3, symmetric active, length 48
19:07:10.203358 IP 24.154.104.34.40289 > 199.103.21.227.123: NTPv4, Client, length 48
19:07:10.234026 IP 64.178.45.44.1 > 199.103.21.227.123: NTPv4, Client, length 48

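The same source-port count, done programmatically over `tcpdump -nr` output, added here as an example that is not part of the mailing-list thread. It assumes the single-line record format tcpdump -n prints (as in the output above), a constructed sample capture using documentation-range addresses, and a hypothetical server address in SERVER; it reports how many inbound queries a firewall rule that insists on source port 123 as well as destination port 123 would reject.

```python
import re
from collections import Counter

# Constructed sample in the `tcpdump -nr` line format from the message above (addresses are documentation-range, not from the capture).
SAMPLE_LINES = """\
reading from file ntp_packets.dump, link-type EN10MB (Ethernet)
19:06:41.598527 IP 192.0.2.10.3186 > 198.51.100.5.123: NTPv4, Client, length 48
19:06:41.620732 IP 192.0.2.11.123 > 198.51.100.5.123: NTPv3, symmetric active, length 48
19:06:41.755699 IP 198.51.100.5.123 > 192.0.2.10.3186: NTPv4, Server, length 48
19:06:41.932513 IP 192.0.2.12.61897 > 198.51.100.5.123: NTPv3, Client, length 48
19:06:42.041643 IP 192.0.2.13.6 > 198.51.100.5.123: NTPv3, Client, length 48
"""
SERVER = "198.51.100.5"  # assumed address of the local NTP server

# One NTP record as tcpdump -n prints it: time, src.port > dst.port, version, mode, length.
NTP_LINE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"NTPv(?P<ver>\d), (?P<mode>[^,]+), length (?P<length>\d+)$")

def parse_ntp_lines(text):
    """Return one dict per NTP packet line; the header and non-NTP lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = NTP_LINE.match(line)
        if m:
            pkt = m.groupdict()
            for key in ("sport", "dport", "ver", "length"):
                pkt[key] = int(pkt[key])
            packets.append(pkt)
    return packets

def inbound_source_ports(text, server):
    """Count queries arriving at server:123 by source port -> (from_123, from_other, modes);
    modes counts NTP modes among non-123 senders, and the server's own replies are skipped."""
    from_123 = from_other = 0
    modes = Counter()
    for pkt in parse_ntp_lines(text):
        if pkt["dst"] != server or pkt["dport"] != 123:
            continue  # outbound reply or unrelated traffic
        if pkt["sport"] == 123:
            from_123 += 1
        else:
            from_other += 1
            modes[pkt["mode"]] += 1
    return from_123, from_other, modes

def strict_rule_drop_fraction(text, server):
    """Share of inbound queries a rule that also requires source port 123 would reject."""
    from_123, from_other, _ = inbound_source_ports(text, server)
    total = from_123 + from_other
    return from_other / total if total else 0.0
```

Feed it the real capture with `tcpdump -nr ntp_packets.dump` piped into a file and the server's actual address, and the drop fraction is the share of clients a source-port-123 rule would silently break.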