ipchains rule question: Destination ip

Matthew Carpenter matt
Mon May 17 11:34:39 PDT 2004


On Tue, 9 Jul 2002 10:52:41 -0500
"David A. Bandel" <david at pananix.com> wrote:

> On Tue, 9 Jul 2002 11:08:23 -0400
> begin  Matthew Carpenter <matt at eisgr.com> spewed forth:
> 
> [snip]
> > > 
> > > The above is "your system to Internet on ntp port (123)", the next
> > > rule is "Internet to your system on ntp port".
> > 
> > Not quite.  The first one your system to Anywhere for NTP.  The second
> > rule is another machine to the outside of the firewall on NTP and has
> > no business being there unless your firewall is going to provide NTP
> > to this other machine.
> 
> Umm.  You said the same thing I did, so how can it be "not quite"?  I
> just didn't judge the sagacity of allowing the world to use him as an
> NTP server (maybe he _wants_ to).  I have a system that I and my
> customers(perhaps 150 or so systems) use as an NTP server (and it's
> slaved off time.nist.gov).  He didn't say if that was also his case.

I did not say what you did.  If you meant to say it differently, that's
not my fault, but you did not say anything clearly.  If I were to write
rules based on what you said, they would be something like:

target      tosa tosx  ifname source          destination         ports
ACCEPT udp  0xFF 0x00  eth1   198.82.161.227  0.0.0.0             * ->   123
ACCEPT udp  0xFF 0x00  eth1   0.0.0.0         198.82.161.227      * ->   123


but what he gave is:

target      tosa tosx  ifname source          destination         ports
ACCEPT udp  0xFF 0x00  eth1   198.82.161.227  0.0.0.0             * ->   123
ACCEPT udp  0xFF 0x00  eth1   198.82.162.213  68.36.44.105        * ->   123
(68.36.44.105 being the external IP of the firewall)

198.82.161.227:		proxy.cc.vt.edu
198.82.162.213:		lennier.cc.vt.edu
68.36.44.105:		bgp387816bgs.jersyc01.nj.comcast.net

Where are you looking?  How does
	the next rule is "Internet to your system on ntp port".
fit into this description at all?

What I said was WRONG, as I had not done the lookups to figure out that
198.82.x.x were the hosts being synced with....
I revise my statement to say that (assuming NTP outbound is accepted):
rule 1:		Internet NTP Server's replies to anywhere controlled by your
firewall are accepted.
rule 2:		Another Internet NTP Server's replies to your Firewall.

Rule 1 would work for responses from that server to your network, as long
as udp 123 outbound is accepted traffic.
Rule 2 would work for responses either directly to the firewall or for
hosts being MASQ'ed.
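As an added example that is not part of the original message or of ipchains itself: a small Python matcher for the two rule listings above, to make the disagreement concrete. ipchains is stateless, so an NTP reply coming in on eth1 is accepted only if some rule explicitly matches its source, destination and port; the matcher reports which rule (if any) a given reply would hit. The rule lines and the three public addresses are the ones quoted in the message; the LAN client 192.168.1.5, the `eth1` inbound direction and the fall-through-to-DENY behaviour are assumptions made for the illustration.

```python
"""Which ipchains rule would an incoming NTP reply hit?

Added example, not code from the original thread.  The rule listings and the
public addresses are quoted from the message above; 192.168.1.5 (a LAN client)
and the assumption that the input chain's policy is DENY are constructed here.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Rules as actually posted (columns of `ipchains -L -n`: target prot tosa tosx
# ifname source destination sport -> dport).  0.0.0.0 is read as "anywhere",
# which is how the thread reads it.
POSTED_RULES = """\
ACCEPT udp  0xFF 0x00  eth1   198.82.161.227  0.0.0.0             * ->   123
ACCEPT udp  0xFF 0x00  eth1   198.82.162.213  68.36.44.105        * ->   123
"""

# Rules as Matthew says David's wording ("your system to Internet" /
# "Internet to your system") would come out if written literally.
DESCRIBED_RULES = """\
ACCEPT udp  0xFF 0x00  eth1   198.82.161.227  0.0.0.0             * ->   123
ACCEPT udp  0xFF 0x00  eth1   0.0.0.0         198.82.161.227      * ->   123
"""


@dataclass(frozen=True)
class Rule:
    target: str
    proto: str
    ifname: str
    source: IPv4Network
    dest: IPv4Network
    sport: str  # "*" or a port number, exactly as printed
    dport: str


def parse_address(text: str) -> IPv4Network:
    """ipchains prints 0.0.0.0/0 (or 'anywhere') for an unrestricted address."""
    if text in ("0.0.0.0", "0.0.0.0/0", "anywhere"):
        return ip_network("0.0.0.0/0")
    return ip_network(text if "/" in text else f"{text}/32")


def parse_rules(listing: str) -> list[Rule]:
    """Parse `ipchains -L -n`-style lines; blank lines and the header are skipped."""
    rules = []
    for line in listing.splitlines():
        fields = line.split()
        if not fields or fields[0] == "target":
            continue
        target, proto, _tosa, _tosx, ifname, src, dst, sport, arrow, dport = fields
        if arrow != "->":
            raise ValueError(f"unexpected ports column in: {line!r}")
        rules.append(Rule(target, proto, ifname, parse_address(src),
                          parse_address(dst), sport, dport))
    return rules


def port_matches(spec: str, port: int) -> bool:
    return spec == "*" or int(spec) == port


def first_match(rules, proto, ifname, src, dst, sport, dport) -> Optional[int]:
    """1-based index of the first rule accepting the packet, or None if it
    falls through to the chain policy (assumed DENY in this example)."""
    for n, r in enumerate(rules, 1):
        if (r.proto == proto and r.ifname == ifname
                and ip_address(src) in r.source and ip_address(dst) in r.dest
                and port_matches(r.sport, sport) and port_matches(r.dport, dport)):
            return n
    return None


def classify_reply(rules, server: str, client: str) -> Optional[int]:
    """An NTP reply arriving on eth1: UDP from the server's port 123 to the
    client's port 123 (ntpd talks 123 -> 123)."""
    return first_match(rules, "udp", "eth1", server, client, 123, 123)


if __name__ == "__main__":
    posted = parse_rules(POSTED_RULES)
    described = parse_rules(DESCRIBED_RULES)
    cases = [
        ("proxy.cc.vt.edu -> LAN host", "198.82.161.227", "192.168.1.5"),
        ("lennier.cc.vt.edu -> firewall", "198.82.162.213", "68.36.44.105"),
        ("lennier.cc.vt.edu -> LAN host, no MASQ", "198.82.162.213", "192.168.1.5"),
        ("random Internet host -> firewall", "1.2.3.4", "68.36.44.105"),
    ]
    for label, server, client in cases:
        print(f"{label:40} posted: {classify_reply(posted, server, client)}"
              f"  described: {classify_reply(described, server, client)}")
```

With the posted rules, lennier's reply to a LAN client is accepted only when the client is masqueraded (the destination is then the firewall's 68.36.44.105, hitting rule 2); a reply addressed directly to the LAN client matches nothing. The "described" listing behaves differently only in its second rule, which is what the message is pointing out.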


