On Mon, Nov 17, 2003 at 05:44:49PM +0000, Voytek wrote:

> my ipchains has:
> 
> -A input -s 0/0 -d 0/0 ntp -p tcp -y -j ACCEPT
                                ^^^
*Sigh*.  You've been told this several times already, by me and
others.  This should be *udp*:

    http://lists.slug.org.au/archives/slug/2003/11/msg00335.html
    http://lists.slug.org.au/archives/slug/2003/11/msg00354.html
    http://lists.slug.org.au/archives/slug/2003/11/msg00350.html

This is what my ntpd is doing:

    [EMAIL PROTECTED] ~]$ netstat -a|grep -w ntp
    udp        0      0 ppp125-148.lns1.syd:ntp *:*
    udp        0      0 dropbear.kirriwa.ne:ntp *:*
    udp        0      0 dropbear.kirriwa.ne:ntp *:*
    udp        0      0 *:ntp                   *:*

Note that it's using udp port 123, not tcp.

For ntpd, I'd limit incoming packets to the ip address(es) of your time
server(s) and source and destination ports 123.  For ntpdate, you'll
need to allow source port 123 and destination ports 1024:65535, but
still limit it to the address(es) of your time server(s).

Make sure you're also allowing the relevant outgoing packets.  These are
anything to your time server's ip address(es) with destination port 123,
and source port either 123 (for ntpd) or 1024:65535 (for ntpdate).

> -A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
[snip]
> am I blocking it myself ? ?

Yes.


Cheers,

John
-- 
whois [EMAIL PROTECTED]
GPG key id: 0xD59C360F
http://kirriwa.net/john/
-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
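Added example (not part of John's reply or the SLUG thread): a small Python model of ipchains' first-match rule evaluation, covering only the option subset the quoted rules use (-A, -p, -s, -d with an optional port spec, -y, -j). The addresses 192.0.2.10 (time server) and 198.51.100.5 (local host), and the packets themselves, are constructed for the example; the service name "ntp" resolves to 123 as in /etc/services. Running it shows why the quoted ruleset blocks NTP (the tcp/-y ACCEPT never matches ntpd's udp traffic, so the udp 0:1023 REJECT line drops the replies) and that rules written to the advice in the reply (time server address only, source port 123, destination port 123 for ntpd or 1024:65535 for ntpdate) accept those replies while still rejecting udp from other hosts.

```python
"""Toy first-match packet filter in the style of ipchains (option subset only).
Constructed example: used to check the quoted NTP rules against the advice."""
import ipaddress
import shlex

NAMED_PORTS = {"ntp": 123}  # /etc/services subset: "ntp" resolves to 123


def _parse_port_range(spec):
    """'123' -> (123, 123); '1024:65535' -> (1024, 65535); 'ntp' -> (123, 123)."""
    lo, _, hi = spec.partition(":")
    lo = NAMED_PORTS.get(lo, lo)
    hi = NAMED_PORTS.get(hi, hi) if hi else lo
    return int(lo), int(hi)


def parse_rule(line):
    """Parse one ipchains-style rule; supports -A -p -s -d (with port) -y -j."""
    toks = shlex.split(line)
    if toks and toks[0] == "ipchains":
        toks = toks[1:]
    rule = {"chain": None, "proto": "all", "src": None, "sport": None,
            "dst": None, "dport": None, "syn_only": False, "target": None}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "-A":
            rule["chain"] = toks[i + 1]; i += 2
        elif t == "-p":
            rule["proto"] = toks[i + 1]; i += 2
        elif t in ("-s", "-d"):
            key, pkey = ("src", "sport") if t == "-s" else ("dst", "dport")
            addr = toks[i + 1]
            # ipchains accepts "0/0" for "any address"; ipaddress does not
            rule[key] = ipaddress.ip_network("0.0.0.0/0" if addr == "0/0" else addr,
                                             strict=False)
            i += 2
            # an optional port or port range follows the address, as in ipchains
            if i < len(toks) and not toks[i].startswith("-"):
                rule[pkey] = _parse_port_range(toks[i]); i += 1
        elif t == "-y":
            rule["syn_only"] = True; i += 1   # match only tcp SYN packets
        elif t == "-j":
            rule["target"] = toks[i + 1]; i += 2
        else:
            raise ValueError(f"unsupported token {t!r}")
    return rule


def matches(rule, pkt):
    """True if every field the rule specifies agrees with the packet."""
    if rule["proto"] != "all" and rule["proto"] != pkt["proto"]:
        return False
    if rule["src"] is not None and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["dst"] is not None and ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
        return False
    for key in ("sport", "dport"):
        rng = rule[key]
        if rng is not None and not (rng[0] <= pkt[key] <= rng[1]):
            return False
    if rule["syn_only"] and not (pkt["proto"] == "tcp" and pkt.get("syn")):
        return False
    return True


def verdict(rules, pkt, chain="input", policy="ACCEPT"):
    """First matching rule in the chain decides, as in ipchains; else the policy."""
    for r in rules:
        if r["chain"] == chain and matches(r, pkt):
            return r["target"]
    return policy


TIME_SERVER = "192.0.2.10"   # constructed time server address (TEST-NET-1)
ME = "198.51.100.5"          # constructed address of the local host

# The two rules quoted in the thread: a tcp/SYN accept for port ntp, then a
# blanket udp reject for destination ports 0:1023.
QUOTED = [parse_rule(l) for l in [
    "-A input -s 0/0 -d 0/0 ntp -p tcp -y -j ACCEPT",
    "-A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT",
]]

# Rules following the advice in the reply: udp from the time server only,
# source port 123, destination 123 (ntpd) or 1024:65535 (ntpdate).
SUGGESTED = [parse_rule(l) for l in [
    f"-A input -p udp -s {TIME_SERVER} 123 -d 0/0 123 -j ACCEPT",
    f"-A input -p udp -s {TIME_SERVER} 123 -d 0/0 1024:65535 -j ACCEPT",
    "-A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT",
]]


def ntpd_reply():      # constructed: server reply to ntpd, udp 123 -> 123
    return {"proto": "udp", "src": TIME_SERVER, "sport": 123, "dst": ME, "dport": 123}


def ntpdate_reply():   # constructed: server reply to ntpdate, udp 123 -> high port
    return {"proto": "udp", "src": TIME_SERVER, "sport": 123, "dst": ME, "dport": 40000}


def stray_udp():       # constructed: udp to port 123 from some other host
    return {"proto": "udp", "src": "203.0.113.7", "sport": 123, "dst": ME, "dport": 123}


if __name__ == "__main__":
    for name, rules in (("quoted", QUOTED), ("suggested", SUGGESTED)):
        for pkt in (ntpd_reply(), ntpdate_reply(), stray_udp()):
            print(f"{name:9s} {pkt['src']}:{pkt['sport']} -> :{pkt['dport']} "
                  f"{verdict(rules, pkt)}")
```

The model keeps ipchains' order-dependence: the ACCEPT lines for the time server must come before the udp 0:1023 REJECT, or the REJECT wins for ntpd's port 123 replies just as it does in the quoted ruleset.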
