How do I allow NTP / Syslog out?



  • I have 1.2 BETA-1 installed and some of the things it does it seems to do at random which scares me a bit.  Like, I could have sworn these rules were working but checking the firewall logs it would seem sometimes they are just ignored.

    I'd like to have my DMZ get to TCP 123 for NTP…

    blocked -->Jun 8 08:27:50 DMZ  192.168.2.99:1203  12.7.210.170:123  TCP
    blocked -->Jun 8 08:27:45 DMZ 192.168.2.99:1201 12.7.210.177:123 TCP

    I have this rule for DMZ:

    pass TCP 192.168.2.0/24  *  *  123 (NTP)  *

    Also...

    blocked -->Jun 8 08:46:01 DMZ  192.168.2.99:514  192.168.1.51:514  TCP
    blocked -->Jun 8 08:46:01 DMZ 192.168.2.99:514 192.168.1.51:514 TCP

    This rule should apply:

    pass TCP 192.168.2.99  514 (Syslog)  192.168.1.51  514 (Syslog)  *

    What am I missing?  It seems straightforward to me and there are no block rules...why does it appear to sometimes block things that I have specifically allowed for the interface?  I don't think it's blocking 100% of the time because the volume of firewall log entries seemed to go down after I put the rules in...but it could be.

    Any ideas?  Thank you.



  • This is frustrating.  PFSense just seems to enforce some rules and not enforce others.  :-(  My problem is blocking when it should be allowing but it concerns me that the other way around might be happening as well…

    I see rule 74/0 for the majority of outside events...so I'm thinking it's the default deny?  If so, why does PFSense just completely ignore the explicit allows for this NTP traffic??

    Jun 10 04:08:20 pf: 4. 999850 rule 74/0(match): block in on xl1: 192.168.2.99.2474 > 69.25.106.19.123: NTPv1, Client, length 48
    Jun 10 04:08:15 pf: 4. 999886 rule 74/0(match): block in on xl1: 192.168.2.99.2472 > 12.7.210.170.123: NTPv1, Client, length 48
    Jun 10 04:08:10 pf: 48. 014197 rule 74/0(match): block in on xl1: 192.168.2.99.2470 > 12.7.210.177.123: NTPv1, Client, length 48



  • Because NTP and syslog are UDP, not TCP. The rule generation has been extensively audited, it does exactly what you tell it to.
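
To make the answer above concrete, here is an added example (not from the thread and not pfSense's own code): a minimal first-match pass/deny evaluator that parses one of the raw pf log lines posted in this thread and checks it against the NTP rule as posted (TCP) and its corrected UDP form. The regex, the set of tcpdump decodes treated as UDP, and the rule fields are assumptions of this example, not pfSense's rule engine.

```python
import re
from collections import namedtuple
from ipaddress import ip_address, ip_network

ANY = "*"
Rule = namedtuple("Rule", "proto src sport dst dport")    # "*" in any field means any
Packet = namedtuple("Packet", "proto src sport dst dport")  # what a pf log line describes

# Raw pf log line layout as shown in the thread. The trailing decode ("NTPv1", "UDP", ...)
# is tcpdump's protocol decode; which decodes count as UDP is an assumption of this example.
RAW = re.compile(r"rule \S+\(match\): \w+ in on \w+: ([\d.]+)\.(\d+) > ([\d.]+)\.(\d+): (\w+)")
UDP_DECODES = {"UDP", "NTPv1", "NTPv2", "NTPv3", "NTPv4", "SYSLOG"}

def parse_raw(line):
    """Turn a raw pf log line into a Packet, inferring the protocol from the decode."""
    m = RAW.search(line)
    if not m:
        raise ValueError("not a pf match line: " + line)
    src, sport, dst, dport, decode = m.groups()
    return Packet("UDP" if decode in UDP_DECODES else "TCP", src, int(sport), dst, int(dport))

def _addr_ok(pat, addr):
    return pat == ANY or ip_address(addr) in ip_network(pat, strict=False)

def _port_ok(pat, port):
    return pat == ANY or int(pat) == port

def matches(rule, pkt):
    """Every field, the protocol included, must match; TCP 123 never matches UDP 123."""
    return (rule.proto in (ANY, pkt.proto) and _addr_ok(rule.src, pkt.src)
            and _port_ok(rule.sport, pkt.sport) and _addr_ok(rule.dst, pkt.dst)
            and _port_ok(rule.dport, pkt.dport))

def decide(rules, pkt):
    """'pass' if any pass rule matches, otherwise pf's implicit default deny."""
    return "pass" if any(matches(r, pkt) for r in rules) else "block"

# The NTP rule exactly as posted (TCP) beside the corrected UDP version.
TCP_RULES = [Rule("TCP", "192.168.2.0/24", ANY, ANY, "123")]
UDP_RULES = [Rule("UDP", "192.168.2.0/24", ANY, ANY, "123")]
LOG_LINE = ("Jun 10 04:08:20 pf: 4. 999850 rule 74/0(match): block in on xl1: "
            "192.168.2.99.2474 > 69.25.106.19.123: NTPv1, Client, length 48")

if __name__ == "__main__":
    pkt = parse_raw(LOG_LINE)
    print(pkt.proto, "TCP rule:", decide(TCP_RULES, pkt), "UDP rule:", decide(UDP_RULES, pkt))
```

The same check applied to the syslog rule gives the same result: the posted TCP 514 rule never matches the UDP 514 packets, so they fall through to the default deny.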



  • Haha.  I knew that – seriously.  Thank you for pointing that out, since I missed it completely.  :-)

    I think when I picked NTP and Syslog from the dropdown I assumed it would adjust accordingly....

    Don't ask why I didn't catch it staring right at the rules I pasted in.........    ::)

    Doh!  ----Oh wait...now I see why I did that rule:    blocked -->Jun 8 08:27:50 DMZ    192.168.2.99:1203    12.7.210.170:123    TCP

    The simple logging told me that 123 TCP was being blocked.  So, I unblocked TCP 123 without thinking about it....not sure why it claimed it as blocking TCP instead of UDP though.



  • I bet there's a bug in the log display code, at least if it's showing TCP on that blocked UDP. I'll check into it.



  • Yeah…just double checked.  Here is the same entry with RAW turned off and then on...shows TCP

    Jun 10 06:17:38 DMZ 192.168.2.99:2535 12.7.210.170:123 TCP
    Jun 10 06:17:33 DMZ 192.168.2.99:2533 12.7.210.177:123 TCP

    Jun 10 06:17:38 pf: 4. 999729 rule 74/0(match): block in on xl1: 192.168.2.99.2535 > 12.7.210.170.123: NTPv1, Client, length 48
    Jun 10 06:17:33 pf: 18. 324308 rule 74/0(match): block in on xl1: 192.168.2.99.2533 > 12.7.210.177.123: NTPv1, Client, length 48

    Thanks.



  • Thanks for double-checking that.  Ticket is open.
    http://cvstrac.pfsense.org/tktview?tn=1348

