Chuck Swiger wrote:
On Jun 6, 2011, at 10:39 AM, Ask Bjørn Hansen wrote:
ip6tables on Linux doesn't seem to have state tracking and it appears I messed
up the firewall rules a bit. I realized it last night actually as I was going
to bed, but it was already crazy o'clock. I will get them fixed within an
hour or so.
You almost certainly don't want to be implementing stateful rules for NTP
traffic; you'll fill up the state table with lots of entries for no benefit, as
UDP isn't stateful.
Just pass UDP 123 and ephemeral high ports in both directions.
Of course that way you open all your high ports to the internet for those
clever attackers that use source port 123.
When you have services running on high ports this may not be wise.
In a stateful firewall it is not necessarily the protocol that is
stateful, but the firewall is.
(it can allow responses to requests and deny unsolicited traffic)
Rob
_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
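An added illustration, not from the thread or any of its posters, of the distinction Rob draws: a small Python model of the stateless "UDP 123 plus high ports in both directions" rule beside a conntrack-style filter that only admits replies to requests it saw leave. The addresses, the ephemeral-port cutoff and the service on port 8080 are constructed for the example; the model covers only this one match, not everything ip6tables and conntrack do.

```python
"""Toy model of the two NTP firewall policies discussed above.

Constructed example: packets are plain records, 'stateless_allows' mirrors
'pass UDP 123 and ephemeral high ports in both directions', and
StatefulFirewall mirrors a conntrack ESTABLISHED match for UDP.
"""
from typing import NamedTuple

NTP_PORT = 123
EPHEMERAL_MIN = 1024  # assumption: every port >= 1024 counts as 'high'


class Packet(NamedTuple):
    direction: str  # "out" (leaving this host) or "in" (arriving)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def stateless_allows(pkt: Packet) -> bool:
    """One end on 123, the other on a high port, either way, no memory.
    An inbound packet with source port 123 aimed at any high-port service
    passes just like a genuine NTP reply would."""
    ports = (pkt.src_port, pkt.dst_port)
    return NTP_PORT in ports and max(ports) >= EPHEMERAL_MIN


class StatefulFirewall:
    """Outbound NTP requests create a state entry; an inbound packet is
    accepted only when it is the reply to one (endpoints swapped)."""

    def __init__(self) -> None:
        self.state = set()  # (local_ip, local_port, remote_ip, remote_port)

    def allows(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            if pkt.dst_port != NTP_PORT:
                return False
            self.state.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.state


def demo() -> dict:
    """Run one request/reply pair and one unsolicited probe through both."""
    request = Packet("out", "2001:db8::10", 40000, "2001:db8::1", NTP_PORT)
    reply = Packet("in", "2001:db8::1", NTP_PORT, "2001:db8::10", 40000)
    probe = Packet("in", "2001:db8::dead", NTP_PORT, "2001:db8::10", 8080)
    fw = StatefulFirewall()
    return {
        "stateless_reply": stateless_allows(reply),   # True
        "stateless_probe": stateless_allows(probe),   # True: the hole
        "stateful_request": fw.allows(request),       # True, adds one entry
        "stateful_reply": fw.allows(reply),           # True: matches entry
        "stateful_probe": fw.allows(probe),           # False: unsolicited
        "state_entries": len(fw.state),               # 1 per outstanding request
    }
```

The last value is Chuck's point in miniature: every client request costs one state entry, which is the price paid for being able to drop the probe.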