Re: [pmfirewall] ntpdate not working

From: Alain SMEDTS (alain_smedts@hotmail.com)
Date: Tue Aug 08 2000 - 11:41:32 PDT

• Next message: Tomer Okavi: "RE: [pmfirewall] pmfirewall on a mail server"
• Previous message: Joseph Lee Pereira: "[pmfirewall] pmfirewall on a mail server"
• Maybe in reply to: Alain SMEDTS: "[pmfirewall] ntpdate not working"

Jim,

Thanks, this solved the problem.
I don't understand why the following didn't work:
$IPCHAINS -A input -p tcp -s $OUTERIP/32 -d $OUTERNET 123 -j ACCEPT
$IPCHAINS -A input -p udp -s $OUTERIP/32 -d $OUTERNET 123 -j ACCEPT

I don't run the NTP daemon on my Linux, the W98 box also connects to my ISP
timeserver to get the time.

 Alain

--------------------------------------
I dont think its a big, ntp bas been working just fine for me...

I haven't heard of anything bad about leaving port 123 open, as long as
you aren't running the ntp daemon, you should be fine.

You should have both of these lines in your pmfirewall.rules.local file:

$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 123 -j ACCEPT
$IPCHAINS -A input -p udp -s $REMOTENET -d $OUTERNET 123 -j ACCEPT

As you can see ntp runs on both tcp and udp.

Jim

Quoting Alain SMEDTS (alain_smedts@hotmail.com) [00.08.04 03:10]:
> I'm using pmfirewall on Linux as a gateway to the internet. When
installing PMFIREWALL I replied that NTP should be allowed. This is also
reflected in pmfirewall.rules.local where everything coming from A.B.C.D/24
is allowed to go to $OUTERNET. From my W98 box I can use ntp without any
problem, however from my Linux box, NTP traffic is blocked. >From the log
file I can see that this is because ntpdate generates traffic with $OUTERIP,
not with $INNERIP. I assume that I have to add a line to allow $OUTERIP
access to $OUTERNET on port 123. Is this to be considered a bug in
pmfirewall? Is opening this port dangerous?
****************************************************************************
* To UNSUBSCRIBE from the list, send a message with "unsubscribe pmfirewall"
* in the message body to majordomo@pointman.org. Please direct other
* questions, comments, or problems to pmfirewall-owner@pointman.org.
*
* Need answers fast? Check the list archive located at:
* http://www.pointman.org/PMFirewall/list-archive/
*

• Next message: Tomer Okavi: "RE: [pmfirewall] pmfirewall on a mail server"
• Previous message: Joseph Lee Pereira: "[pmfirewall] pmfirewall on a mail server"
• Maybe in reply to: Alain SMEDTS: "[pmfirewall] ntpdate not working"

This archive was generated by hypermail 2b29 : Sun Jun 10 2001 - 02:35:42 PDT