
List:       ipfilter
Subject:    interesting ntp problem
From:       Jack Twilley <jmt () tbe ! net>
Date:       2000-12-24 17:57:41

I have a small network set up behind a firewall running OpenBSD 2.8 on
a Sparc IPX.  I upgraded the ipf software to 3.4.15 (thanks Patrick!)
to make sure that this problem still existed in the current rev of the
software.

I have a time server set up at 10.74.84.2, and a primary server set up
at 10.74.84.1.  For some reason, the primary server can send and
receive from external ntp servers but the time server cannot.  The
time server can communicate with the primary server, but not the
external servers.  Unfortunately, I don't have root access to an
external ntp server to see if packets are getting out, but they're
surely not returning.

I've attached my rulesets to the foot of this message.  Hopefully
someone can help me figure out what's going on.

Jack.
-- 
Jack Twilley
jmt at tbe dot net
http colon slash slash www dot tbe dot net slash tilde jmt slash

Attachment: ipf.rules (ipf.rules for my network)

# rules to kill bad things
block in log quick all with ipopts
block in log quick proto tcp all with short
block in log quick all with opt lsrr
block in log quick all with opt ssrr

# global default rules
pass out quick on lo0
pass in quick on lo0

pass out quick on le1
pass in quick on le1

# unroutable addresses
block out quick on le0 from any to 192.168.0.0/16
block out quick on le0 from any to 172.16.0.0/12
block out quick on le0 from any to 10.0.0.0/8
block out quick on le0 from any to 127.0.0.0/8
block in quick on le0 from 192.168.0.0/16 to any
block in quick on le0 from 172.16.0.0/12 to any
block in quick on le0 from 10.0.0.0/8 to any
block in quick on le0 from 127.0.0.0/8 to any

# smurfing and anti-spoofing stuff
block in log quick on le0 from 10.74.84.0/24 to any
block in log quick on le0 from any to 10.74.84.0/32
block in log quick on le0 from any to 10.74.84.255/32

# icmp crap
pass in quick on le0 proto icmp from any to 10.74.84.0/24 icmp-type 0
pass in quick on le0 proto icmp from any to 10.74.84.0/24 icmp-type 11
pass out quick on le0 proto icmp from any to any keep state

# permitted stuff
pass in quick on le0 proto tcp from any to 10.74.84.0/24 port = 22 flags S keep state keep frags
pass in quick on le0 proto tcp from any to 10.74.84.0/24 port = 80 flags S keep state keep frags
pass out quick on le0 proto tcp from 10.74.84.0/24 to any flags S keep state keep frags
pass out quick on le0 proto udp from 10.74.84.0/24 to any keep state keep frags

# deny and log
pass out log on le0
#block return-rst in log body on le0 proto tcp from any to any
#block return-icmp-as-dest(port-unr) in log body on le0 proto udp from any to any
#block in log on le0 proto icmp from any to any

Attachment: ipnat.rules (ipnat.rules for my network)

# forwarded stuff
rdr le0 64.81.68.81/32 port 22 -> 10.74.84.1 port ssh
rdr le0 64.81.68.81/32 port 80 -> 10.74.84.1 port www

# masquerading crap
map le0 10.74.84.0/24 -> 64.81.68.81/32 proxy port ftp ftp/tcp
map le0 10.74.84.0/24 -> 64.81.68.81/32
