next »

[tomasz.night]

Hello
I have a strange problem when trying to pass NTP traffic.

My rule:
Interface: LAN
Protocol: TCP/UDP
Source: Type: LAN subnet
Destination: Type: Any
Destination port range: 123 - 123

Pfsense machine is the only host with access to NTP, but by target is passing NTP traffic to all computers in my network.
In logs I see the following information about blocked connection:
The rule that triggered this action is:

@1 scrub in on em0 all fragment reassemble
@1 block drop in log all label "Default deny rule"


Please help

[johnpoz]

Have you removed the default lan allow rule that should allow all traffic out of your lan by default?

You should not need a special rule to allow clients on your lan to query ntp from your pfsense box.

Is NTP running on your pfsense?  What version of pfsense are you running, I know they have made changes in 2.1 that changed to actual ntp vs openntp.

BTW, ntp does not use TCP - its a udp protocol.

[tomasz.night]

Have you removed the default lan allow rule that should allow all traffic out of your lan by default?

I disabled it.

You should not need a special rule to allow clients on your lan to query ntp from your pfsense box.

I think in the same way, but in the firewall log there is an information about blocking the conenction:

Jun 21 22:41:23    LAN    WindowsHost:123      pfSenseBox:123      UDP

and:

Jun 21 22:47:33    LAN    LinuxHost:37064    pfSenseBox:123      UDP

Here is the output from one of the client trying to sync time from pfsense:

ntpdate -d (any_address)
21 Jun 22:39:38 ntpdate[18233]: ntpdate 4.2.2p1@1.1570-o Fri Nov 18 13:21:21 UTC 2011 (1)
Looking for host (any_address) and service ntp
host found : (any_address)
transmit(any_address)
transmit(any_address)
transmit(any_address)
transmit(any_address)
transmit(any_address)
(any_address): Server dropped: no data
server (any_address), port 123
stratum 0, precision 0, leap 00, trust 000
refid [(any_address)], delay 0.00000, dispersion 64.00000
transmitted 4, in filter 4
reference time:    00000000.00000000  Thu, Feb  7 2036  7:28:16.000
originate timestamp: 00000000.00000000  Thu, Feb  7 2036  7:28:16.000
transmit timestamp:  d38e050d.43d199bb  Thu, Jun 21 2012 22:39:41.264
filter delay:  0.00000  0.00000  0.00000  0.00000
         0.00000  0.00000  0.00000  0.00000
filter offset: 0.000000 0.000000 0.000000 0.000000
         0.000000 0.000000 0.000000 0.000000
delay 0.00000, dispersion 64.00000
offset 0.000000

all outgoing connections from this machine are allowed. Windows client can't sync too.
It doesn't matter if I try to sync with pfSense or some other external host.

Is NTP running on your pfsense?  What version of pfsense are you running, I know they have made changes in 2.1 that changed to actual ntp vs openntp.

Yes, it's running on pfSense too. My version is: 2.0.1-RELEASE (amd64), built on Mon Dec 12 18:43:51 EST 2011, FreeBSD 8.1-RELEASE-p6


Please help

[johnpoz]

And why did you disable the default lan rule?

What are your lan rules?  You say your source is lan source, but maybe that is not working if being blocked.  Please post a screen shots of your lan rules.  From your first post your getting blocked by the default deny rule, so that means whatever rules you wrote are not being met for allow.

do you have multiple lan segments?  If not just have source be ANY.  Why does that that block show your windows machine coming from source of 123?  That is not how ntp works.

example - this is a query to my pfsense box from my windows box.  Also why are you hiding your IPs?  There is no reason to hide a private address.  Is your lan interfaces in the public space?

C:\Windows\system32>ntpdate -d 192.168.1.253
21 Jun 21:56:41 ntpdate[1984]: ntpdate 4.2.6p5-o Dec 24 23:49:25.23 (UTC-00:00) 2011  (1)
21 Jun 21:56:41 ntpdate[1984]: Raised to realtime priority class
transmit(192.168.1.253)
receive(192.168.1.253)
transmit(192.168.1.253)
receive(192.168.1.253)
transmit(192.168.1.253)
receive(192.168.1.253)
transmit(192.168.1.253)
receive(192.168.1.253)
server 192.168.1.253, port 123
stratum 3, precision -19, leap 00, trust 000
refid [192.168.1.253], delay 0.02547, dispersion 0.00018
transmitted 4, in filter 4
reference time:    d38e5710.73f8107a  Thu, Jun 21 2012 21:29:36.453
originate timestamp: d38e5d6f.ddc35896  Thu, Jun 21 2012 21:56:47.866
transmit timestamp:  d38e5d6f.b8d4fdf3  Thu, Jun 21 2012 21:56:47.722
filter delay:  0.02647  0.02647  0.02547  0.02547
         0.00000  0.00000  0.00000  0.00000
filter offset: 0.143691 0.143660 0.144132 0.144191
         0.000000 0.000000 0.000000 0.000000
delay 0.02547, dispersion 0.00018
offset 0.144132

So here is wireshark capture of the above query, notice the source port from the client -- its NOT 123.. query would be from a random port above 1024, so something is wrong there if query is coming from source port 123 as well.

Only time 123 would be source is for the server responding to the client to whatever its random port was.  In my case that 61978

[tomasz.night]

Solution was more simple than I expected.
A week ago I was testing squid with lightsquid in pfSense.
I removed squid without removing lightsquid, and that was the reason of my problems - the firewall was still using old rule set (reload fails).

Case closed
Thank you very much for your attention.