Not much. Every distro seems to have its tool. Most in Linux space seem to use iptables although nftables is IMO better.
On Fri, Dec 27, 2019, at 12:31 AM Hal Murray via devel <devel@ntpsec.org> wrote:
> I recently set up a new system (Fedora) to replace a box that had died and
> thought it was working OK. Then I noticed that another box was having
> troubles connecting. Eventually, I figured out that the firewall was blocking
> the NTS-KE connection attempts. (Normally I run without firewalls so I'm not
> conditioned to thinking about them.)
>
> Should the quick NTS setup mention this?

Probably, and the debugging page we have might twice, in the checklist, and a section or subsection under access control.

> Should we document how to fix this? How much do firewall configs vary between
> OS-es and distros?

Probably not in much detail, but with links to various solutions. There is quite a bit of variation. I used to use the following.

----
#!/sbin/nft -f
flush ruleset;

table inet filter {
    # Conntrack checks shared by the input and output chains
    chain header1 {
        ct state { invalid } drop;
        ct state { established, related } accept;
    }

    # Loopback, plus the UDP/TCP ports accepted from any source
    chain header2 {
        iif lo accept;
        udp dport { 68, 123, 1900, 5353, 6988 } accept;
        tcp dport { 22, 80, 123, 6881, 6988, 8880, 31416 } accept;
    }

    chain output {
        type filter hook output priority 0;
        jump header1;
        ct state { new } accept;
        drop;
    }

    chain forward {
        log drop;
    }

    chain input {
        type filter hook input priority 0;
        jump header1;
        # The local subnet is accepted before the per-port rules
        ip saddr 192.168.42.0/24 accept;
        jump header2;
        icmp type { destination-unreachable, source-quench, echo-request, echo-reply, time-exceeded, parameter-problem } accept;
        icmpv6 type { destination-unreachable, echo-request, echo-reply, time-exceeded } accept;
        drop;
    }
}
----
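One way to tell a firewall drop from a server that simply is not listening when NTS-KE connection attempts fail as described above. This is an added example, not part of the original message or of NTPsec; the function names are hypothetical, and the host and TCP port to probe are supplied by the caller.

```python
import errno
import socket
import sys

# What each outcome usually means when debugging a blocked TCP service.
HINTS = {
    "open": "TCP handshake completed; the firewall passes this port",
    "refused": "got a reset: nothing listening, or a firewall 'reject' rule",
    "filtered": "no reply before timeout; typical of a final 'drop' rule",
    "unreachable": "ICMP unreachable: routing problem or a rejecting firewall",
}

def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP connect attempt to host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise  # e.g. name resolution failure: not a firewall question

def local_demo():
    """Constructed sample: probe a loopback listener, then the same
    port after the listener has gone away."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))        # ephemeral port picked by the OS
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = probe_tcp("127.0.0.1", port, timeout=2.0)
    srv.close()
    after_close = probe_tcp("127.0.0.1", port, timeout=2.0)
    return while_listening, after_close

if __name__ == "__main__":
    if len(sys.argv) == 3:            # usage: probe.py HOST PORT
        result = probe_tcp(sys.argv[1], int(sys.argv[2]))
        print(f"{sys.argv[1]}:{sys.argv[2]} -> {result}: {HINTS[result]}")
    else:
        print(local_demo())
```

Run it from the client that cannot connect, against the server's NTS-KE host and port; a "filtered" result points at the firewall rather than at the NTP daemon.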