Anybody know anything about firewalls?

James Browning jamesb.fe80 at gmail.com
Fri Dec 27 16:00:00 UTC 2019


Not much. Every distro seems to have its own tool. Most in Linux space
seem to use iptables although nftables is IMO better.

On Fri, Dec 27, 2019, at 12:31 AM Hal Murray via devel <devel at ntpsec.org> wrote:
> I recently set up a new system (Fedora) to replace a box that had died and
> thought it was working OK.  Then I noticed that another box was having
> troubles connecting.  Eventually, I figured out that the firewall was blocking
> the NTS-KE connection attempts.  (Normally I run without firewalls so I'm not
> conditioned to thinking about them.)
>
> Should the quick NTS setup mention this?

Probably, and the debugging page we have might mention it twice: in the checklist,
and in a section or subsection under access control.

> Should we document how to fix this?  How much do firewall configs vary between
> OS-es and distros?

Probably not in much detail, but with links to various solutions.
There is quite a bit of variation. I used to use the following.

----
#!/sbin/nft -f
flush ruleset;
table inet filter {
       # Shared connection-tracking rules: drop packets conntrack cannot
       # classify, accept anything belonging to an existing connection.
       chain header1 {
               ct state { invalid } drop;
               ct state { established, related } accept;
       }
       # Locally offered services: loopback plus the listening ports.
       # NTS-KE (TCP 4460) is not opened here, so a host using this
       # ruleset would refuse NTS-KE connections as well.
       chain header2 {
               iif lo accept;
               udp dport { 68, 123, 1900, 5353, 6988 } accept;
               tcp dport { 22, 80, 123, 6881, 6988, 8880, 31416 } accept;
       }
       chain output {
               type filter hook output priority 0;
               jump header1;
               ct state { new } accept;
               drop;
       }
       # This box does not route: log and drop anything it is asked to
       # forward.  The hook line is what binds the chain to forwarded
       # traffic; without it the chain is never consulted.
       chain forward {
               type filter hook forward priority 0;
               log drop;
       }
       chain input {
               type filter hook input priority 0;
               jump header1;
               ip saddr 192.168.42.0/24 accept;   # trust the local IPv4 LAN
               jump header2;
               icmp type { destination-unreachable, source-quench, echo-request,
                           echo-reply, time-exceeded, parameter-problem } accept;
               # Neighbour discovery (nd-neighbor-solicit/-advert) is not
               # listed, so IPv6 neighbour discovery is dropped by this chain.
               icmpv6 type { destination-unreachable, echo-request,
                             echo-reply, time-exceeded } accept;
               drop;
       }
}
----
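As an added check for the kind of problem Hal hit (not code from this thread or from NTPsec): a small Python script that reads a ruleset file like the one above, or the output of `nft list ruleset`, follows jumps from the input chain and reports whether UDP 123 (NTP) and TCP 4460 (NTS-KE, RFC 8915) are accepted. It only recognizes plain `tcp`/`udp dport ... accept` rules and ignores source-restricted accepts; the sample ruleset in it is constructed.

```python
import re

# Ports an NTS-enabled ntpd needs reachable on the input hook.
NEEDED = {("udp", 123): "NTP", ("tcp", 4460): "NTS-KE (RFC 8915)"}
PORT_RULE = re.compile(r"^(tcp|udp) dport (?:\{([^}]*)\}|(\d+)) accept$")

def statements(text):
    """(chain, statement) pairs; ';' and newlines end a statement except
    inside a { ... } set, so mail-wrapped sets like the icmp ones still parse."""
    out, buf, chain, depth = [], "", None, 0
    for ch in re.sub(r"#.*", "", text) + "\n":       # drop comments/shebang
        head = buf.split() if ch == "{" else []
        if head and head[0] in ("table", "chain"):  # block brace, not a set
            chain, buf = (head[1] if head[0] == "chain" else chain), ""
        elif ch in ";\n}" and depth == 0:           # statement or block ends
            stmt = " ".join(buf.split())
            if stmt and chain:
                out.append((chain, stmt))
            chain, buf = (None if ch == "}" else chain), ""
        else:
            depth += (ch == "{") - (ch == "}")
            buf += ch
    return out

def accepted_ports(chains, chain="input"):
    """(proto, port) pairs an unconditional accept covers, following jumps."""
    ports = set()
    for stmt in chains.get(chain, []):
        if stmt.startswith("jump "):
            ports |= accepted_ports(chains, stmt.split()[1])
        elif m := PORT_RULE.match(stmt):
            proto, body, single = m.groups()
            for item in (body or single).split(","):
                lo, _, hi = item.strip().partition("-")   # sets may hold ranges
                ports.update((proto, n) for n in range(int(lo), int(hi or lo) + 1))
    return ports

def missing_for_nts(text):
    """Names of NEEDED services no accept rule on the input path covers."""
    chains = {}
    for chain, stmt in statements(text):
        chains.setdefault(chain, []).append(stmt)
    open_ports = accepted_ports(chains)
    return [name for key, name in NEEDED.items() if key not in open_ports]

# Constructed sample modelled on the ruleset above: NTP is open, NTS-KE is not.
SAMPLE = """table inet filter {
  chain header2 { udp dport { 68, 123 } accept; tcp dport { 22, 80, 123 } accept; }
  chain input { type filter hook input priority 0; jump header2; drop; } }"""

if __name__ == "__main__":
    import sys                      # e.g.  nft list ruleset | python3 check.py
    print("blocked:", missing_for_nts(sys.stdin.read()) or "nothing")
```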
