I don't know how ip6tables works, but most (all?) commercial firewalls I've worked with - which means Cisco and Checkpoint - maintain a connection in the connection table for UDP for a set period of time. Exactly how long that is, I can't actually remember right now. This is really a necessity in a firewall, since once a firewall rule has allowed a UDP flow to pass in one direction, the response to that flow also has to be allowed through the firewall in the opposite direction. It is not necessary in this context to create separate rules for each direction where the traffic is part of the same UDP connection.
That may not be the clearest explanation - I hope it makes sense.

--ChrisSW

On 6 Jun 2011, at 20:41, Chuck Swiger wrote:

> On Jun 6, 2011, at 10:39 AM, Ask Bjørn Hansen wrote:
>> ip6tables on Linux doesn't seem to have state tracking and it appears I
>> messed up the firewall rules a bit. I realized it last night actually as I
>> was going to bed, but it was already crazy o'clock. I will get them fixed
>> within an hour or so.
>
> You almost certainly don't want to be implementing stateful rules for NTP
> traffic; you'll fill up the state table with lots of entries for no benefit,
> as UDP isn't stateful.
>
> Just pass UDP 123 and ephemeral high ports in both directions.
>
> Regards,
> --
> -Chuck
>
> _______________________________________________
> pool mailing list
> [email protected]
> http://lists.ntp.org/listinfo/pool
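The two approaches discussed in this thread, as an added simulation that is not code from either poster and models no particular firewall product: a stateless filter that needs one rule per direction (inbound to UDP 123, outbound from UDP 123, the "pass in both directions" form), beside a stateful filter that keeps a per-flow entry with an expiry and admits the reverse direction only while that entry lives. The 30-second UDP timeout, the IPv6 addresses and the packet timings are constructed values for the demo; real timeouts differ by vendor.

```python
"""Stateless vs stateful UDP filtering for an NTP server, simulated.
Constructed example: not a model of ip6tables, Cisco or Check Point code."""
from dataclasses import dataclass

NTP_PORT = 123
UDP_TIMEOUT = 30.0  # seconds; assumed value, real firewalls differ


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "in" = toward the NTP server, "out" = leaving it
    t: float        # arrival time in seconds


def stateless_allow(pkt, rules):
    """rules: (direction, dport or None, sport or None). No memory at all:
    every packet is judged on its own header, so both directions need a rule."""
    for direction, dport, sport in rules:
        if (pkt.direction == direction
                and (dport is None or pkt.dport == dport)
                and (sport is None or pkt.sport == sport)):
            return True
    return False


class StatefulFirewall:
    """One ACCEPT rule for new inbound flows to UDP 123; replies are admitted
    by looking up the reversed 4-tuple in a table of entries that expire."""

    def __init__(self, timeout=UDP_TIMEOUT):
        self.timeout = timeout
        self.table = {}  # (src, sport, dst, dport) -> expiry time

    def _expire(self, now):
        for key in [k for k, exp in self.table.items() if exp <= now]:
            del self.table[key]

    def allow(self, pkt):
        self._expire(pkt.t)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.table:            # answer to an admitted flow
            self.table[reverse] = pkt.t + self.timeout   # refresh the timer
            return True
        if pkt.direction == "in" and pkt.dport == NTP_PORT:   # new client query
            self.table[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = pkt.t + self.timeout
            return True
        return False

    def entries(self):
        return len(self.table)


def run_demo():
    server, client = "2001:db8::1", "2001:db8::100"   # constructed addresses
    query = Packet(client, 40000, server, NTP_PORT, "in", 0.0)
    reply = Packet(server, NTP_PORT, client, 40000, "out", 0.01)
    # an outbound packet from port 123 long after the flow has expired
    late_reply = Packet(server, NTP_PORT, client, 40000, "out", 100.0)

    stateless_rules = [("in", NTP_PORT, None), ("out", None, NTP_PORT)]
    fw = StatefulFirewall()
    results = {
        "stateless": [stateless_allow(p, stateless_rules) for p in (query, reply, late_reply)],
        "stateful": [fw.allow(p) for p in (query, reply, late_reply)],
    }

    # State-table growth: 1000 distinct clients each send a single query.
    fw2 = StatefulFirewall()
    for i in range(1000):
        fw2.allow(Packet(f"2001:db8:1::{i:x}", 50000, server, NTP_PORT, "in", 0.0))
    results["stateful_entries_after_1000_clients"] = fw2.entries()
    return results


if __name__ == "__main__":
    print(run_demo())
```

The stateless filter passes all three packets, including the unsolicited one from port 123, because it has nothing to compare against; the stateful filter passes the query and the prompt reply, drops the late packet once the entry has timed out, and holds one table entry per client that has queried recently, which is the growth Chuck describes for a busy NTP pool member.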
