ICMP(port 7?) and NTP (port 123)?
-
Is there any benefit or reason to allow my clients or networks to communicate on these ports? Should I allow rules for these?
I have strict rules on my interfaces and VLANs(see attached), however I see other networking folks allowing access to these ports…should I? If so where would these rules go in my order?
The biggest blocks on my firewall are with port 123 hitting Asia, seem to be with my Apple products (IOS and Apple TV)...
Everything appears to be working fine...looking for security and privacy(I seem to have the functionality).
Thanks for any insight or advice...
V
-
ICMP doesn't have a port.. Not sure why your apple devices would be hitting ntp in asia.. They normally do a query for say time-ios.apple.com
Are you in that part of the world? What ntp are they doing a query for exactly? They are not trying to go to a hard coded IP are they?
-
I have done some changes to my configuration but now they are hitting Chicago (I am in the US), however I was never using Asia with VPN. The IPs that I checked are:
Apple TV
17.253.24.125
17.253.24.253
17.253.2.125I have separate interfaces for my other Apple clients, but after doing a spot check of my other Apple devices, I am getting blocks to port 123 on:
iPhone
171.66.97.126(Stanford University?)
108.61.73.244 (choopadns/helium.constant.com
45.79.11.217 (hadb2.smartwebdesign.com / Linode.comIs there a reason to allow any of this traffic on port 123? If I need to give Apple devices this access how would I whitelist them? Destination 17.253.0.0/??
Thanks for clarification on ICMP, is the only value of ICMP for trouble shooting? or if my devices need to talk to each other?
Thank you again…
-
Its possible a device might use icmp outbound to see if its on the internet, but normally that is done with a dns query and then maybe hitting a page via http.
For troublshooting I would allow your vlan to always be able to ping your pfsense IP.. This is simple way you can verify your wifi is working or network is up that you can atleast get to the gateway.
Some of these odd ball devices do all kinds of crazy stuff to set time. Could be using pool.. I have some tp-link smart light bulbs that want to use the uk ntp pool.. Drives me freaking nuts ;) Since I am not in the UK, nor did I buy a UK version of the light bulb ;) I just setup a host override for that dns query to point to my local ntp server.
So you could do it that way via what dns they query for for ntp. If they are hard coded it can sometimes be an issue trying to redirect local since they think they are talking to X and get answer back from Y, etc.
I personally do not see an issue with ntp being let out.. Depends on how tight your tinfoil hat is. I personally would just allow allow udp 123 outbound to any.. But sure you could watch where they are trying to go and just open up those specific blocks.
What the devices should freaking do is take their ntp server from what you hand out in dhcp.. That is what a nicely designed device would do.. Sure it could have a default one setup - but if dhcp hands it a ntp server, it should use that one.
Your prob seeing all kinds of odd ball ntp IPs because its using pool.ntp.org.. If they are doing query for a pool ntp server then you can see what what fqdn they are using and just put in a host override to point them to the IP(s) you want them to use for ntp. When you use the pool those IPs are going to change all the time!!! So it would be wack a mole trying to allow them, etc. And sure they could be all over the globe.. But what your suppose to do is set the ntp pool fqdn to query just ntp in your region, ie us.pool.ntp.org or de.pool.ntp.org if you were in Germany, etc.. Or you could use say europe.pool.ntp.org if you were in the EU and didn't care where exactly in the EU you got time from.
You can find all the different regional fqdn right on the ntp pool page http://www.pool.ntp.org/en/ top right, click into the region your en, then you can zoom into specific country, etc.