Re: [Pfilter-users] A couple of questions
From: Neil G. <nj...@pd...> - 2001-10-20 00:23:02
At 09:39 AM 10/17/2001 -0400, nb...@fr... wrote:

> Question #1:
> Do I need both udp and tcp entries for these protos? Right now I
> have:
> OPEN tcp ssh,telnet,smtp,ftp,auth,http,https,domain,ntp,amanda,amandaidx,amidxtape
> OPEN udp ssh,telnet,smtp,ftp,ntp,auth,http,https,domain,amanda

Technically, almost every one of those is supposed to respond to both tcp and udp. But in reality, the following probably only need tcp: ssh, ftp, http, https, ntp. What you put in the OPEN is only for the first packet; all subsequent packets in a conversation/connection come through because pfilter enables connection tracking and puts in a rule to allow "related" packets through. I believe domain is udp only. Just take off whatever looks ok and if it breaks it, re-enable it.

> Question #2:
> I am using NTP multicast 224.0.1.1. How do I open that?

I put a special hook into the current version just for that. If you put an allowable source address of 0.0.0.0 for anything that is to be opened up, such as ntp, it puts in a special rule that lets all multicast packets coming from 0.0.0.0 come in even though they are not addressed to the specific host address. So if you are expecting ntp time sync packets, try putting in:

OPEN tcp ntp 0.0.0.0

In the new version of pfilter I'll put in a global or interface-wide multicast-allowed flag that equates multicast packets to packets coming in from an unknown address, plus a special source address of "multicast".
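The behaviour Neil describes (OPEN lines gate only the first packet, connection tracking admits the rest, and a source of 0.0.0.0 acts as a "let multicast in" hook) can be modelled with a small translator from the quoted OPEN lines to iptables commands. This is an added illustration, not pfilter's code; the iptables rule text it emits is an assumption about how such a config might map to a netfilter policy, not pfilter's actual output, and the sample config is constructed from the lines in the message.

```python
"""Toy translator from pfilter-style OPEN lines to iptables commands.

Added illustration, not pfilter's own code. It models what the message
describes: OPEN lines only have to match the first (NEW) packet, a
conntrack rule admits ESTABLISHED/RELATED traffic, and a source address
of 0.0.0.0 is a hook meaning "also accept packets sent to a multicast
group". The exact rule text is an assumed mapping, not pfilter's output.
"""
import ipaddress

# Constructed sample config mirroring the OPEN lines quoted in the message.
SAMPLE_CONFIG = """
# services opened to any source, plus the multicast hook for ntp
OPEN tcp ssh,telnet,smtp,ftp,auth,http,https,domain,ntp,amanda,amandaidx,amidxtape
OPEN udp ssh,telnet,smtp,ftp,ntp,auth,http,https,domain,amanda
OPEN tcp ntp 0.0.0.0
"""

MULTICAST_HOOK = "0.0.0.0"       # magic source address from the message
MULTICAST_RANGE = "224.0.0.0/4"  # IPv4 multicast block; 224.0.1.1 lies inside
MULTIPORT_MAX = 15               # iptables multiport accepts at most 15 ports


def parse_open_lines(config):
    """Yield (proto, services, source) per OPEN line; skip blanks and comments."""
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] != "OPEN" or len(parts) not in (3, 4):
            raise ValueError(f"unrecognised line: {line!r}")
        proto, services = parts[1], parts[2].split(",")
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol {proto!r} in {line!r}")
        source = parts[3] if len(parts) == 4 else None
        if source is not None and source != MULTICAST_HOOK:
            ipaddress.ip_network(source, strict=False)  # reject garbage early
        yield proto, services, source


def _chunks(items, size):
    """Split a list into slices of at most `size` items."""
    for i in range(0, len(items), size):
        yield items[i:i + size]


def rules_for(proto, services, source):
    """Translate one OPEN line into iptables commands (assumed mapping)."""
    rules = []
    for group in _chunks(services, MULTIPORT_MAX):
        ports = ",".join(group)  # iptables resolves service names via /etc/services
        if source == MULTICAST_HOOK:
            # The hook from the message: accept packets addressed to a
            # multicast group, which are not addressed to this host itself.
            rules.append(f"iptables -A INPUT -p {proto} -d {MULTICAST_RANGE} "
                         f"-m multiport --dports {ports} -j ACCEPT")
        else:
            src = f" -s {source}" if source else ""
            # Only the first packet of a connection has to match here; the
            # conntrack rule emitted by generate() covers everything after it.
            rules.append(f"iptables -A INPUT -p {proto}{src} -m state --state NEW "
                         f"-m multiport --dports {ports} -j ACCEPT")
    return rules


def generate(config):
    """Full INPUT policy: conntrack rule first, then OPEN rules, then default drop."""
    rules = ["iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    for proto, services, source in parse_open_lines(config):
        rules.extend(rules_for(proto, services, source))
    rules.append("iptables -P INPUT DROP")
    return rules


if __name__ == "__main__":
    print("\n".join(generate(SAMPLE_CONFIG)))
```

Running it prints five commands: the conntrack rule, one multiport rule per OPEN line (the ntp line with the 0.0.0.0 hook becomes a rule matching destinations in 224.0.0.0/4 rather than a source match), and a default DROP policy. The ordering matters: the ESTABLISHED,RELATED rule sits first so that return traffic never has to match an OPEN rule, which is exactly why only the first packet needs to be listed.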