On Jun 7, 2011, at 1:51 AM, Rob Janssen wrote:

>> You almost certainly don't want to be implementing stateful rules for NTP
>> traffic; you'll fill up the state table with lots of entries for no benefit,
>> as UDP isn't stateful.
>>
>> Just pass UDP 123 and ephemeral high ports in both directions.
>>
>
> Of course that way you open all your high ports to the internet for those clever
> attackers that use source port 123.

Yes, and even unclever attackers who simply use a random high port.

> When you have services running on high ports this may not be wise.

However, it's not likely that many folks will be running any UDP servers on a high port. About the only thing I can recall which listens on high UDP ports that I've seen in use is 5353/udp for Multicast DNS. However, if someone is running some other UDP service which needs protecting, then they're obviously welcome to adjust to suit their needs.

> In a stateful firewall it is not the protocol that necessarily is stateful,
> but the firewall is.
> (it can allow responses to requests and deny unsolicited traffic)

Yes.

Regards,

--
-Chuck

_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
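The stateless rule quoted in the thread ("pass UDP 123 and ephemeral high ports in both directions") modelled next to the stateful alternative Rob describes, as an added example that is not part of the mailing-list post; the addresses, ports, flow-table layout and the sample traffic are constructed for illustration.

```python
from dataclasses import dataclass

EPHEMERAL = range(1024, 65536)  # assumed ephemeral (high) port range


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    inbound: bool  # True when the packet arrives from the Internet side


def stateless_allow(pkt: Packet) -> bool:
    """The thread's stateless rule: UDP 123 <-> any high port, both ways."""
    return (pkt.src_port == 123 and pkt.dst_port in EPHEMERAL) or \
           (pkt.dst_port == 123 and pkt.src_port in EPHEMERAL)


class StatefulFilter:
    """Admits inbound UDP only as a reply to an NTP query this side sent."""

    def __init__(self) -> None:
        self.state: set = set()  # (local_ip, local_port, remote_ip, remote_port)

    def allow(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            if pkt.dst_port == 123:  # outbound NTP query: record the flow
                self.state.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
                return True
            return False  # other outbound traffic is outside this model
        # Inbound: the reversed flow key must match a recorded outbound query.
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.state


def run_scenario() -> dict:
    """Constructed traffic: one real NTP exchange plus one unsolicited probe."""
    query = Packet("10.0.0.5", 40000, "192.0.2.10", 123, inbound=False)
    reply = Packet("192.0.2.10", 123, "10.0.0.5", 40000, inbound=True)
    # Unsolicited datagram with source port 123 aimed at mDNS on a high port.
    probe = Packet("203.0.113.7", 123, "10.0.0.5", 5353, inbound=True)

    sf = StatefulFilter()
    return {
        "stateless": [stateless_allow(p) for p in (query, reply, probe)],
        "stateful": [sf.allow(p) for p in (query, reply, probe)],
        "state_entries": len(sf.state),  # the table growth the thread warns about
    }
```

The stateless rule admits all three packets, including the probe to 5353/udp; the stateful filter admits only the query and its matching reply, at the cost of one state entry per outstanding query.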
