    How do I allow NTP / Syslog out?

    Firewalling
    proberts

      I have 1.2 BETA-1 installed, and some of the things it does it seems to do at random, which scares me a bit. Like, I could have sworn these rules were working, but checking the firewall logs it would seem sometimes they are just ignored.

      I'd like to have my DMZ get to TCP 123 for NTP…

      blocked -->Jun 8 08:27:50 DMZ  192.168.2.99:1203  12.7.210.170:123  TCP
      blocked -->Jun 8 08:27:45 DMZ 192.168.2.99:1201 12.7.210.177:123 TCP

      I have this rule for DMZ:

      pass TCP 192.168.2.0/24  *  *  123 (NTP)  *

      Also...

      blocked -->Jun 8 08:46:01 DMZ  192.168.2.99:514  192.168.1.51:514  TCP
      blocked -->Jun 8 08:46:01 DMZ 192.168.2.99:514 192.168.1.51:514 TCP

      This rule should apply:

      pass TCP 192.168.2.99  514 (Syslog)  192.168.1.51  514 (Syslog)  *

      What am I missing? It seems straightforward to me and there are no block rules...why does it appear to sometimes block things that I have specifically allowed for the interface? I don't think it's blocking 100% of the time, because the volume of firewall log entries seemed to go down after I put the rules in...but it could be.

      Any ideas?    Thank you.

      proberts

        This is frustrating. pfSense just seems to enforce some rules and not enforce others. :-( My problem is blocking when it should be allowing, but it concerns me that the other way around might be happening as well…

        I see rule 74/0 for the majority of outside events...so I'm thinking it's the default deny? If so, why does pfSense just completely ignore the explicit allows for this NTP traffic??

        Jun 10 04:08:20 pf: 4.999850 rule 74/0(match): block in on xl1: 192.168.2.99.2474 > 69.25.106.19.123: NTPv1, Client, length 48
        Jun 10 04:08:15 pf: 4.999886 rule 74/0(match): block in on xl1: 192.168.2.99.2472 > 12.7.210.170.123: NTPv1, Client, length 48
        Jun 10 04:08:10 pf: 48.014197 rule 74/0(match): block in on xl1: 192.168.2.99.2470 > 12.7.210.177.123: NTPv1, Client, length 48

        cmb

          Because NTP and syslog are UDP, not TCP. The rule generation has been extensively audited, it does exactly what you tell it to.

          proberts
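          The two rules from the first post next to their corrected form, written out as pf rules. This is an added example, not pfSense's generated ruleset or anything posted in the thread: the interface name xl1 and the rule number 74/0 come from the raw log above, while the exact syntax pfSense 1.2 emits for GUI rules (quick, keep state, labels) is an assumption here.

```pf
# Default deny that the blocked packets were hitting (rule 74/0 in the raw log);
# pfSense places it before the user rules, which are evaluated with "quick".
block in log all label "Default deny rule"

# As posted: TCP rules. NTP (123) and syslog (514) clients send UDP, so these
# never match and the packets fall through to the default deny above.
pass in quick on xl1 proto tcp from 192.168.2.0/24 to any port 123 keep state label "NTP"
pass in quick on xl1 proto tcp from 192.168.2.99 port 514 to 192.168.1.51 port 514 keep state label "Syslog"

# Corrected: same addresses and ports, protocol changed to UDP. Traffic from a
# DMZ host arrives "in" on the DMZ interface, which is why the direction is "in".
pass in quick on xl1 proto udp from 192.168.2.0/24 to any port 123 keep state label "NTP"
pass in quick on xl1 proto udp from 192.168.2.99 port 514 to 192.168.1.51 port 514 keep state label "Syslog"
```

          Two checks worth doing before trusting the GUI's protocol column: `pfctl -nf /tmp/rules.debug` parses the ruleset pfSense wrote without loading it, and `tcpdump -ni pflog0 port 123` shows the logged packets with tcpdump's own decode (an NTP or syslog decode means UDP, a TCP packet shows flags and sequence numbers).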

            Haha. I knew that, seriously. Thank you for pointing that out, since I missed it completely. :-)

            I think when I picked NTP and Syslog from the dropdown I assumed it would adjust accordingly....

            Don't ask why I didn't catch it staring right at the rules I pasted in.........    ::)

            Doh! ----Oh wait...now I see why I did that rule: blocked -->Jun 8 08:27:50 DMZ 192.168.2.99:1203 12.7.210.170:123 TCP

            The simple logging told me that 123 TCP was being blocked.  So, I unblocked TCP 123 without thinking about it....not sure why it claimed it as blocking TCP instead of UDP though.

            cmb

              I bet there's a bug in the log display code, at least if it's showing TCP on that blocked UDP. I'll check into it.

              proberts

                Yeah…just double checked.  Here is the same entry with RAW turned off and then on...shows TCP

                Jun 10 06:17:38 DMZ 192.168.2.99:2535 12.7.210.170:123 TCP
                Jun 10 06:17:33 DMZ 192.168.2.99:2533 12.7.210.177:123 TCP

                Jun 10 06:17:38 pf: 4.999729 rule 74/0(match): block in on xl1: 192.168.2.99.2535 > 12.7.210.170.123: NTPv1, Client, length 48
                Jun 10 06:17:33 pf: 18.324308 rule 74/0(match): block in on xl1: 192.168.2.99.2533 > 12.7.210.177.123: NTPv1, Client, length 48

                Thanks.

                cmb
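                A small cross-check tool, added here as an example and not code from pfSense or from anyone in the thread. It parses both log views posted above, infers the transport protocol from tcpdump's decode in the raw line (the "NTPv1, Client" text), reports where the simplified view disagrees, and evaluates the rules from the first post against the logged packets to show why a TCP rule never matches UDP NTP or syslog traffic. The sample log lines are constructed to match the ones in the thread, and the decode-to-protocol heuristic and the first-match rule model are assumptions of the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input modelled on the lines posted in the thread (not real captures).
# Simplified GUI view of the filter log, which labels the packets "TCP":
GUI_LINES = [
    "Jun 10 06:17:38 DMZ 192.168.2.99:2535 12.7.210.170:123 TCP",
    "Jun 10 06:17:33 DMZ 192.168.2.99:2533 12.7.210.177:123 TCP",
]
# Raw pf log of the same packets; "NTPv1, Client" is tcpdump's NTP (UDP) decode:
RAW_LINES = [
    "Jun 10 06:17:38 pf: 4.999729 rule 74/0(match): block in on xl1: "
    "192.168.2.99.2535 > 12.7.210.170.123: NTPv1, Client, length 48",
    "Jun 10 06:17:33 pf: 18.324308 rule 74/0(match): block in on xl1: "
    "192.168.2.99.2533 > 12.7.210.177.123: NTPv1, Client, length 48",
]

GUI_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<iface>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)
RAW_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+pf:\s+[\d.]+\s+rule\s+(?P<rule>\d+/\d+)\(\w+\):\s+"
    r"(?P<action>block|pass)\s+(?P<dir>in|out)\s+on\s+(?P<iface>\w+):\s+"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+(?P<decode>.*)$"
)

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def proto_from_decode(decode: str) -> str:
    """Infer the transport protocol from tcpdump's decode text (heuristic assumed by
    this example): TCP shows flags/sequence numbers, ICMP names itself, and UDP shows
    either "UDP" or an application decode such as NTP or syslog."""
    if decode.startswith("ICMP"):
        return "icmp"
    if re.match(r"^(Flags \[|[SRPFUW.]+ \d+:\d+\()", decode):
        return "tcp"
    if re.match(r"^(UDP|NTPv\d|SYSLOG|domain)", decode):
        return "udp"
    return "unknown"

def parse_gui(line: str) -> Packet:
    m = GUI_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised GUI log line: {line!r}")
    return Packet(m["proto"].lower(), m["src"], int(m["sport"]), m["dst"], int(m["dport"]))

def parse_raw(line: str) -> Packet:
    m = RAW_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised raw pf log line: {line!r}")
    return Packet(proto_from_decode(m["decode"]), m["src"], int(m["sport"]),
                  m["dst"], int(m["dport"]))

def _in_net(addr: str, spec: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    proto: str             # "tcp", "udp" or "any"
    src: str               # host, CIDR or "any"
    sport: Optional[int]   # None means any port
    dst: str
    dport: Optional[int]
    label: str = ""

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("any", pkt.proto)
                and _in_net(pkt.src, self.src) and _in_net(pkt.dst, self.dst)
                and (self.sport is None or self.sport == pkt.sport)
                and (self.dport is None or self.dport == pkt.dport))

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins (GUI rules are generated with 'quick'); a packet that
    matches nothing falls through to the default deny."""
    for r in rules:
        if r.matches(pkt):
            return r.action, r.label
    return "block", "default deny"

def protocol_mismatches(gui_lines: List[str], raw_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Pair GUI and raw entries by address/port tuple; report where the GUI protocol
    disagrees with the protocol implied by the raw decode."""
    raw = {(p.src, p.sport, p.dst, p.dport): p for p in map(parse_raw, raw_lines)}
    out = []
    for line in gui_lines:
        g = parse_gui(line)
        r = raw.get((g.src, g.sport, g.dst, g.dport))
        if r is not None and r.proto != g.proto:
            out.append((line, g.proto, r.proto))
    return out

# The rules as posted (TCP) and the same rules with the protocol corrected to UDP.
POSTED_RULES = [
    Rule("pass", "tcp", "192.168.2.0/24", None, "any", 123, "NTP as posted"),
    Rule("pass", "tcp", "192.168.2.99", 514, "192.168.1.51", 514, "Syslog as posted"),
]
FIXED_RULES = [
    Rule("pass", "udp", "192.168.2.0/24", None, "any", 123, "NTP"),
    Rule("pass", "udp", "192.168.2.99", 514, "192.168.1.51", 514, "Syslog"),
]

if __name__ == "__main__":
    for line, gui_proto, raw_proto in protocol_mismatches(GUI_LINES, RAW_LINES):
        print(f"GUI says {gui_proto}, raw decode says {raw_proto}: {line}")
    for pkt in map(parse_raw, RAW_LINES):
        print(pkt, "posted ->", evaluate(POSTED_RULES, pkt), "fixed ->", evaluate(FIXED_RULES, pkt))
```

                Run stand-alone it prints the two mismatched entries and, for each logged packet, the verdict under the posted rules (default deny) and under the corrected rules (pass). The raw pf log is the authoritative source here: the simplified view carries only addresses, ports and a protocol column, and the thread shows that column cannot be relied on in this build.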

                  Thanks for double-checking that. Ticket is open.
                  http://cvstrac.pfsense.org/tktview?tn=1348

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.