# IPFW and NTP



## danaeckel (Mar 11, 2012)

Greetings,

I have been working on my home server and all is going well. I compiled my kernel with IPFW, and set up the config to use "SIMPLE" rules rather than define my own. The main reason is lack of knowledge on what should be open and what should be closed. I thought SIMPLE would be enough until I got NTP up and running. If I close my firewall, my clients get the time just fine; if I raise the firewall, they are denied. Can I make a simple change in rc.firewall to fix this?

Thanks!
Dana


----------



## Ajira (Mar 11, 2012)

The simplest way would be to allow UDP port 123 through; both incoming and outgoing.


```
ipfw add pass udp from any to any 123
```


----------



## danaeckel (Mar 11, 2012)

I tried it, and it didn't work for me. Here is the code that is already in place:

```
# Allow NTP queries out in the world
	${fwcmd} add pass udp from me to any 123 keep-state
```

The server will pull in time from the internet during boot. If I comment out this line it won't get the time during boot. As of right now, my Windows laptop can't even pull in time from the Windows time site.


----------



## Anonymous (Mar 11, 2012)

danaeckel said:

> I tried it ...
>
> ...



Did you really try what Ajira suggested? Namely

```
... from any to any ...
```

`me` is a synonym for all the interfaces of your server only; that means that the network interfaces of your clients are not covered by this rule.


----------



## danaeckel (Mar 11, 2012)

Yeah, I did. I tried it by itself; then the server wouldn't get the time. I tried it with the other line I submitted; clients wouldn't get the time. I also changed the line above from "me to any" to "any to any".

Dana


----------



## danaeckel (Mar 12, 2012)

Something new just popped up, now when my client went to renew DHCP my server cut off access. Once again re-activated after I deactivated the firewall. Is there a place I can get a new rc.firewall file? I think I may have tweaked it too much.


----------



## DutchDaemon (Mar 12, 2012)

Quick and easy:

http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/rc.firewall

Pick the right branch (i.e. the version you're using) from that page, and 'Download'.


----------



## danaeckel (Mar 12, 2012)

Thank you. I downloaded the file, but it didn't fix anything. The SIMPLE firewall setting blocks DHCP as well as NTP. Is this normal? Am I going to have to define firewall rules?


----------



## cutter (Mar 14, 2012)

In my firewall the directive is:


```
ipfw add allow udp from any to any 123 via any
```

and it works perfectly. Try it. Also, if you have ntpd running, kill it for testing purposes and issue at the command prompt:

```
ntpdate pool.ntp.org
```

to check the result.


----------



## graudeejs (Mar 14, 2012)

```
ipfw add allow udp from me to any ntp out via $NET_IF uid root keep-state
```

Don't know why, but I have keep-state for the ntp rule. I know UDP is stateless; however, I think I had a problem with ntp without keep-state.

Perhaps my memory is joking on me, or it's a bug in ipfw.


----------



## kpa (Mar 14, 2012)

UDP is stateless in its nature, but a firewall can handle a UDP connection in a stateful way: the first packet seen creates a state and also determines the direction of the connection.


----------



## DutchDaemon (Mar 15, 2012)

UDP "state" is derived from the combination of source IP/port and destination IP/port. That's why you need to keep state on UDP rules.
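As an added illustration (not code from this thread and not ipfw's implementation), here is a small Python model of first-match rule evaluation with keep-state. It runs the same constructed traffic through the three rule shapes discussed above: the rc.firewall line (`from me to any 123 keep-state`), Ajira's `from any to any 123 keep-state`, and the same rule restricted to outbound, the direction qualifier graudeejs's rule uses. It shows why `me` never matches a client's packet, and how the state entry recorded from the first packet (source IP/port plus destination IP/port, as kpa and DutchDaemon describe) lets the reply in while an unsolicited packet from the same server is still denied. All addresses are made up; the model sees each packet once with a direction relative to the firewall host, and does not model NAT or the two passes ipfw makes over forwarded traffic.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed addresses (RFC 5737 documentation ranges), not taken from the thread.
GATEWAY_ADDRS = {"203.0.113.10", "192.168.1.1"}   # the firewall host's own addresses ("me")
NTP_SERVER = "198.51.100.5"                        # a public NTP server
CLIENT = "192.168.1.50"                            # a LAN host behind the gateway


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str                     # "in" or "out", relative to the firewall host


@dataclass(frozen=True)
class Rule:
    src: str                           # "me", "any" or a literal address
    dst: str
    dport: Optional[int]               # None means any destination port
    action: str                        # "allow" or "deny"
    keep_state: bool = False
    direction: Optional[str] = None    # None means either direction


StateKey = Tuple[str, int, str, int]   # (src ip, src port, dst ip, dst port)


class UdpFirewall:
    """Toy first-match evaluator with keep-state, for UDP only."""

    def __init__(self, my_addrs: Set[str], rules: List[Rule]) -> None:
        self.my_addrs = set(my_addrs)
        self.rules = rules
        self.state: Set[StateKey] = set()

    def _addr_ok(self, spec: str, addr: str) -> bool:
        if spec == "any":
            return True
        if spec == "me":
            return addr in self.my_addrs
        return spec == addr

    def _matches(self, rule: Rule, pkt: Packet) -> bool:
        return (self._addr_ok(rule.src, pkt.src)
                and self._addr_ok(rule.dst, pkt.dst)
                and (rule.dport is None or rule.dport == pkt.dport)
                and (rule.direction is None or rule.direction == pkt.direction))

    def check(self, pkt: Packet) -> str:
        forward: StateKey = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse: StateKey = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Implicit check-state: a packet belonging to a recorded flow, in either
        # direction, is accepted before the static rules are consulted.
        if forward in self.state or reverse in self.state:
            return "allow"
        for rule in self.rules:
            if self._matches(rule, pkt):
                if rule.action == "allow" and rule.keep_state:
                    self.state.add(forward)   # the first packet fixes the flow's direction
                return rule.action
        return "deny"   # default deny, as at the end of the "simple" rule set


def run_scenario(rule: Rule) -> Dict[str, str]:
    """Feed one rule a fixed sequence of packets and report each verdict."""
    fw = UdpFirewall(GATEWAY_ADDRS, [rule])
    traffic = [
        ("gateway_query", Packet("203.0.113.10", 123, NTP_SERVER, 123, "out")),
        ("gateway_reply", Packet(NTP_SERVER, 123, "203.0.113.10", 123, "in")),
        ("client_query",  Packet(CLIENT, 35001, NTP_SERVER, 123, "out")),
        ("client_reply",  Packet(NTP_SERVER, 123, CLIENT, 35001, "in")),
        ("unsolicited",   Packet(NTP_SERVER, 123, CLIENT, 35002, "in")),          # no flow recorded
        ("inbound_probe", Packet("198.51.100.77", 40000, "203.0.113.10", 123, "in")),
    ]
    # Order matters: a query must be seen before its reply for state to exist.
    return {name: fw.check(pkt) for name, pkt in traffic}


ME_RULE = Rule("me", "any", 123, "allow", keep_state=True)                      # rc.firewall line
ANY_RULE = Rule("any", "any", 123, "allow", keep_state=True)                    # Ajira's suggestion
OUT_RULE = Rule("any", "any", 123, "allow", keep_state=True, direction="out")   # outbound only

if __name__ == "__main__":
    for label, rule in (("me", ME_RULE), ("any", ANY_RULE), ("any out", OUT_RULE)):
        print(label, run_scenario(rule))
```

Running it shows the `me` rule allowing only the gateway's own query and reply, the `any` rule also admitting the client's query and reply but additionally an unsolicited inbound query to the gateway's port 123, and the outbound-restricted variant admitting client traffic while denying that probe; in all three the stray packet from the NTP server that matches no recorded flow is denied.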


----------



## danaeckel (Mar 15, 2012)

The original line needs to be deleted right? Any hints or tips about the DHCP issue? Also a side question, why wouldn't it work with the SIMPLE firewall? Is it just that secure, or a bug? If it is secure, I am quite impressed with how secure it is.


----------

