max at love2party.net
Thu Jul 17 23:35:39 UTC 2008
On Friday 18 July 2008 01:21:28 Chuck Swiger wrote:
> On Jul 17, 2008, at 3:33 PM, Doug Barton wrote:
> [ ... ]
> > About the ntp stuff, 2 questions. First, you did not make the same
> > changes in the NTP section in the second hunk as you did in the
> > first, is that intentional? Second, wouldn't it be better to
> > specify the port number (123) on both sides? NTP uses that same port
> > for sending and receiving queries, and I've always built firewalls
> > that way successfully.
> David Mills' ntpd uses port 123 on both sides, true. Other NTP
> implementations tend to use ephemeral ports; a quick histogram of 30
> seconds or so of traffic to a stratum-2 NTP server suggests about half
> of the NTP traffic out there uses other ports.
Don't forget PNAT. I'd also argue that the rc.firewall6 in base is
supposed to work with the ntpd in base. We should, however, not forget
about ntpdate, which seems to use ephemeral ports.
/"\ Best regards, | mlaier at freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier at EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
More information about the freebsd-net