svn commit: r49600 - head/en_US.ISO8859-1/books/handbook/firewalls

Allan Jude allanjude at freebsd.org
Wed Jan 4 19:27:43 UTC 2017


On 2017-01-03 16:56, Warren Block wrote:
> On Tue, 3 Jan 2017, Maxim Konovalov wrote:
> 
>>>> Hi Warren,
>>>>
>>>> On Fri, 28 Oct 2016, 15:31-0000, Warren Block wrote:
>>>>
>>>> [...]
>>>>>  # Allow outbound NTP
>>>>> -$cmd 00260 allow tcp from any to any 37 out via $pif
>>>>> setup
>>>>> keep-state
>>>>> +$cmd 00260 allow udp from any to any 123 out via
>>>>> $pif setup
>>>>> keep-state
>>>>>
>>>>>  # Allow outbound SSH
>>>>>  $cmd 00280 allow tcp from any to any 22 out via $pif
>>>>> setup
>>>>> keep-state
>>>>>
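Review bot: the `+` line for rule 00260 keeps `setup` on a `udp` rule. `setup` is a TCP-only option in ipfw(8) (it matches packets with SYN set and ACK clear, the first packet of a TCP connection), so the syntax is accepted but a UDP datagram can never satisfy it, and the rule will not match outbound NTP. Drop the keyword and keep only the stateful part: `$cmd 00260 allow udp from any to any 123 out via $pif keep-state`. The protocol and port change itself, from tcp 37 to udp 123, is what the "Allow outbound NTP" comment needs, and `keep-state` works for UDP as well.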
>>>> Are you sure about this change?  NTP is a UDP-based protocol.  At the
>>>> same time, "setup" is a TCP-only feature (why ipfw(8) allows it to be
>>>> used in conjunction with the UDP proto is a different story).
>>>>
>>>> I think the comment is what should be fixed here.
>>>
>>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=213365 suggested merely
>>> changing this to UDP 123.  I don't use IPFW, so can't verify the actual
>>> usage.  Help would be appreciated.
>>>
>> I'd remove the "setup" keyword from the command.  Let me know if I can
>> go ahead with this change.
> 
> It's okay with me.  Er, "Approved".  It would be really nice if you
> could test and verify it, but not required.
> 
> Thanks!
> 

It is indeed not required. The 'setup' keyword looks for the 'syn' flag
on the TCP packet, saying this is the initiation of a new connection.
It does not apply at all to UDP.

-- 
Allan Jude
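The thread's point, that ipfw's `setup` is a TCP-only match and is meaningless on a UDP rule, is easy to get wrong in a long rc.firewall-style ruleset because ipfw(8) accepts the syntax. The following is an added example, not code from the FreeBSD Handbook, the patch or any of the posters: a small POSIX sh lint that reads rules in the Handbook's `$cmd NNNNN action proto ...` form, reports every non-TCP rule that carries `setup`, and can emit a corrected copy with the token dropped. The list of action keywords it recognises and the sample ruleset are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the FreeBSD Handbook or the mail thread): lint for
# ipfw(8) rule files in the Handbook's "$cmd NNNNN action proto ..." style.
# ipfw's "setup" option matches TCP packets with SYN set and ACK clear (the
# first packet of a TCP connection), so a rule such as
#     $cmd 00260 allow udp from any to any 123 out via $pif setup keep-state
# parses but can never match a UDP datagram. The lint reports such rules and
# can print a corrected copy with the "setup" token removed.

# The protocol keyword follows the action. This set of ipfw actions is an
# assumption of the example; it covers what rc.firewall-style files use.
IPFW_ACTIONS='allow|accept|pass|permit|deny|drop|reject|unreach|count|skipto|fwd|forward|pipe|queue|divert|tee|nat'

# _ipfw_scan: shared awk program. mode=lint prints one diagnostic per
# offending rule and exits 1 if any was found; mode=fix prints every input
# line, with "setup" stripped from non-TCP rules.
_ipfw_scan() {
    awk -v mode="$1" -v actions="^($IPFW_ACTIONS)\$" '
    function proto_of(    i) {
        for (i = 1; i < NF; i++)
            if ($i ~ actions) return $(i + 1)
        return ""
    }
    function has_setup(    i) {
        for (i = 1; i <= NF; i++) if ($i == "setup") return 1
        return 0
    }
    # comments and blank lines are passed through untouched in fix mode
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { if (mode == "fix") print; next }
    {
        proto = proto_of()
        if (has_setup() && proto != "tcp") {
            bad++
            if (mode == "lint") {
                printf "line %d: \"setup\" is TCP-only, rule proto is %s: %s\n",
                       NR, (proto == "" ? "?" : proto), $0
                next
            }
            # drop the setup token, keep every other token as written
            line = ""
            for (i = 1; i <= NF; i++)
                if ($i != "setup") line = line (line == "" ? "" : " ") $i
            print line
            next
        }
        if (mode == "fix") print
    }
    END { if (mode == "lint") exit (bad > 0) }
    '
}

# ipfw_setup_lint: rules on stdin; exit status 1 if any non-TCP rule uses "setup".
ipfw_setup_lint() { _ipfw_scan lint; }

# ipfw_setup_fix: rules on stdin; same rules on stdout, "setup" removed where it is meaningless.
ipfw_setup_fix() { _ipfw_scan fix; }

# Constructed sample ruleset: the NTP rule as it stood in the patch, a correct
# TCP rule that legitimately uses "setup", and a UDP rule without it.
SAMPLE_RULES='# Allow outbound NTP
$cmd 00260 allow udp from any to any 123 out via $pif setup keep-state
# Allow outbound SSH
$cmd 00280 allow tcp from any to any 22 out via $pif setup keep-state
# Allow outbound DNS
$cmd 00270 allow udp from any to any 53 out via $pif keep-state'

# Run the lint over the sample; on findings, show the corrected ruleset.
if ! printf '%s\n' "$SAMPLE_RULES" | ipfw_setup_lint; then
    echo '--- corrected ruleset ---'
    printf '%s\n' "$SAMPLE_RULES" | ipfw_setup_fix
fi
```

To check a real file, pipe it in (`ipfw_setup_lint < /etc/ipfw.rules`) or run the fix mode and diff its output against the original. The lint only inspects the token after the action keyword, so rules written with `proto` variables or with `{ tcp or udp }` option lists are reported with protocol `?` and deserve a manual look rather than an automatic rewrite.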
