
Re: ntp + pf



You should be fine, unless you want the rest of the world to
access your NTP server (which you don't).

To confirm, run ntpq -p to see what ntpd thinks of its peers.

b&

On Mon, Apr 29, 2002 at 08:16:59PM +0200, fransoa holop wrote:
> hello,
>
> my /etc/pf.conf is a la FAQ, now i was wondering
> (and i have null experience with firewalls yet)
> does ntp need its port 123 tcp/udp to be open?
> or does the keep state thingy take care of that
> (line 11-12)?
>
> ntp doesn't complain (loudly), and i am a little
> bit confused.  i started wondering because the last
> log is from 26. apr. and only after the reboot process:
>
> Apr 26 21:19:16 z ntpd[21909]: ntpd 4.1.72@1.762-r Wed Apr 10 03:43:15 MDT 2002 (1)
> Apr 26 21:19:17 z ntpd[21909]: kernel time discipline status 0040
> Apr 26 21:24:01 z ntpd[21909]: time reset 90.093277 s
> Apr 26 21:24:01 z ntpd[21909]: kernel time discipline status change 41
>
>
> /etc/pf.conf
> --------------------------------
> ext_if=xl0
>
> scrub in all
>
> block  in on $ext_if all
>
> pass   in on $ext_if inet proto tcp from any to any port 22 keep state
> pass   in on $ext_if inet proto tcp from any to any port 80 keep state
>
> block out on $ext_if                 all
> pass  out on $ext_if inet proto tcp  all flags S/SA keep state
> pass  out on $ext_if inet proto udp  all            keep state
> # ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> pass  out on $ext_if inet proto icmp all            keep state
> ---------
>
> --
> oh no, not deja-vu again.  oh no, not deja-vu again.

--
Ben Goren
 mailto:ben@trumpetpower.com
 http://www.trumpetpower.com/
 icbm:33o25'37"N_111o57'32"W
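The point both mails turn on is what "keep state" buys you: the `pass out ... proto udp all keep state` rule creates a state entry when ntpd sends its query, and the server's reply is matched against that state table before any rule is consulted, so it gets in even though `block in on $ext_if all` would otherwise drop it; an unsolicited packet to udp/123 from the outside has no state to match and is blocked. The following toy model of that evaluation is an added illustration written for this page, not code from the thread or from pf itself. It transcribes the quoted ruleset into a simplified filter (last matching rule wins, no `quick`, no timeouts, no `scrub`) and uses constructed RFC 5737 addresses; it is meant to make the state lookup visible, not to reproduce pf's real implementation.

```python
"""Toy model of pf 'keep state' evaluation for the ruleset quoted above.

Added illustration; simplifications (labelled assumptions): rules are
evaluated in order with the last match winning (no 'quick'), the state
table is a plain set of 5-tuples with no timeouts, and addresses/ports
below are constructed sample values, not from the original mail.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", relative to $ext_if
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    direction: str         # "in" or "out"
    proto: Optional[str]   # None means any protocol
    dport: Optional[int]   # None means any destination port
    keep_state: bool

    def matches(self, p: Packet) -> bool:
        if self.direction != p.direction:
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


# Transcription of the quoted /etc/pf.conf (scrub and flags omitted).
RULES = [
    Rule("block", "in", None, None, False),
    Rule("pass", "in", "tcp", 22, True),
    Rule("pass", "in", "tcp", 80, True),
    Rule("block", "out", None, None, False),
    Rule("pass", "out", "tcp", None, True),
    Rule("pass", "out", "udp", None, True),   # the rule the question points at
    Rule("pass", "out", "icmp", None, True),
]


class StatefulFilter:
    def __init__(self, rules):
        self.rules = rules
        self.states = set()  # (proto, src, sport, dst, dport) of the initiating packet

    @staticmethod
    def _key(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet) -> str:
        # State lookup happens before the ruleset: a reply to a tracked
        # connection passes without re-evaluating the block/pass rules.
        if self._key(p) in self.states or self._reverse_key(p) in self.states:
            return "pass (state)"
        matched = None
        for r in self.rules:
            if r.matches(p):
                matched = r  # last matching rule wins
        if matched is None:
            return "pass (default)"
        if matched.action == "pass" and matched.keep_state:
            self.states.add(self._key(p))
        return matched.action


def ntp_scenario():
    """Return verdicts for the three packets that answer the question."""
    fw = StatefulFilter(RULES)
    me, server, stranger = "192.0.2.10", "198.51.100.1", "203.0.113.7"  # constructed
    return {
        "query out":          fw.filter(Packet("out", "udp", me, 123, server, 123)),
        "reply in":           fw.filter(Packet("in", "udp", server, 123, me, 123)),
        "unsolicited 123 in": fw.filter(Packet("in", "udp", stranger, 123, me, 123)),
    }


if __name__ == "__main__":
    for name, verdict in ntp_scenario().items():
        print(f"{name:20s} {verdict}")
```

The three verdicts reproduce the thread's conclusion: the outbound query passes and creates state, the reply is admitted by the state entry rather than by any `pass in` rule, and an unsolicited inbound packet to udp/123 hits `block in` because nothing else matches. On a real system the equivalent check is `pfctl -ss` to look for the udp/123 state entry after ntpd has polled, alongside the `ntpq -p` check suggested in the reply.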
