RE: Filtering NTP using ACL

From: Church, Chuck (cchurch@xxxxxxxx)
Date: Thu Oct 25 2001 - 09:27:50 GMT-3


   
Albert,

     I think an easier way would be matching the address and port for both
source and destination on the same line:

Extended IP access list 189
    permit udp host 1.1.2.3 eq ntp host 5.6.7.8 eq ntp

Then you only need to apply 1 ACL.

Chuck

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Albert Lu
Sent: Wednesday, October 24, 2001 9:40 PM
To: ccielab@groupstudy.com
Subject: Filtering NTP using ACL

Hello Group,

Could someone give me an example of the proper way of filtering NTP
using access lists. I know it's just a matter of looking at the port number
of the UDP packet, however there's a situation where the source and
destination port of the NTP UDP packet are the same (123). Here's a section
from the NTP RFC:

The mode assumed by a peer can be determined by inspection of the UDP Source
Port and Destination Port fields (see Appendix A). If both of these fields
contain the NTP service-port number 123, the peer is operating in symmetric
mode. If they are different and the Destination Port field contains 123,
this is a client request and the receiver is expected to reply in the manner
described above. If they are different and the Source Port field contains
123, this is a server reply to a previously sent client request.
Here's a sample of my configuration that seems to allow NTP to synch up.

Note: 172.17.16.2 is the server

int s0
ip address 172.17.16.1 255.255.255.252
ip access-group 101 in

int s1
ip address 172.17.16.17 255.255.255.252
ip access-group 103 in

access-list 101 permit udp host 172.17.16.2 eq ntp host 172.17.16.18

access-list 103 permit udp host 172.17.16.18 host 172.17.16.2 eq ntp

My assumptions are that it lets the NTP packets through when it's working in
symmetric mode (when both src and dst are port 123), so it will let the
packet through because it matches one of the ports as ntp, and that these two
access lists will only allow 172.17.16.2 to be the server and 172.17.16.18
to be the client.

Access list 103 will let the ntp client (172.17.16.2) request the server
(172.17.16.18) since its destination port is ntp.

Access list 101 will let the ntp server reply to the client, since its
source port is ntp.

Hope I haven't confused anyone.

Thanks

Albert
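As an added example (not code from either message above), here is a small Python simulator of Cisco extended UDP access-list entries. It parses Albert's two lists and Chuck's single-line entry, classifies sample packets into the three NTP modes named in the RFC excerpt, and reports which entries permit them. It assumes "host"-only endpoints, "eq" as the only port operator, first-match-wins evaluation and the implicit deny at the end of every list; the packets and the ephemeral port 51234 are constructed for the demonstration.

```python
# Added example (not from the thread): a simulator of Cisco extended UDP ACL
# entries, used to check which NTP exchanges Albert's access lists 101/103
# and Chuck's single-line entry permit.
# Assumptions: "host"-only endpoints, "eq" as the only port operator,
# first matching entry wins, implicit deny at the end of every list.
from dataclasses import dataclass
from typing import List, Optional, Tuple

NTP_PORT = 123
PORT_NAMES = {"ntp": NTP_PORT}  # the only port keyword the thread uses


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Ace:
    """One entry: permit|deny udp host A [eq P] host B [eq P]."""
    action: str
    src_ip: str
    src_port: Optional[int]  # None means "any port"
    dst_ip: str
    dst_port: Optional[int]

    def matches(self, p: Packet) -> bool:
        return (self.src_ip == p.src_ip and self.dst_ip == p.dst_ip
                and (self.src_port is None or self.src_port == p.src_port)
                and (self.dst_port is None or self.dst_port == p.dst_port))


def _parse_port(token: str) -> int:
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def _parse_endpoint(tokens: List[str], i: int) -> Tuple[str, Optional[int], int]:
    """Consume 'host <ip> [eq <port>]' starting at tokens[i]."""
    if tokens[i] != "host":
        raise ValueError("only 'host' endpoints are supported: " + tokens[i])
    ip, i = tokens[i + 1], i + 2
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port, i = _parse_port(tokens[i + 1]), i + 2
    return ip, port, i


def parse_ace(line: str) -> Ace:
    """Accepts both 'access-list 101 permit udp ...' and the bare
    'permit udp ...' form seen in 'show access-lists' output."""
    tokens = line.split()
    i = tokens.index("udp")
    action = tokens[i - 1]
    if action not in ("permit", "deny"):
        raise ValueError("unexpected action: " + action)
    src_ip, src_port, i = _parse_endpoint(tokens, i + 1)
    dst_ip, dst_port, i = _parse_endpoint(tokens, i)
    return Ace(action, src_ip, src_port, dst_ip, dst_port)


def evaluate(acl_lines: List[str], p: Packet) -> str:
    """First matching entry decides; anything unmatched is denied."""
    for ace in map(parse_ace, acl_lines):
        if ace.matches(p):
            return ace.action
    return "deny"


def ntp_mode(p: Packet) -> str:
    """Classify a packet the way the quoted RFC text does."""
    if p.src_port == NTP_PORT and p.dst_port == NTP_PORT:
        return "symmetric"
    if p.dst_port == NTP_PORT:
        return "client request"
    if p.src_port == NTP_PORT:
        return "server reply"
    return "not ntp"


# Albert's two lists (server 172.17.16.2, client 172.17.16.18).
ACL_101 = ["access-list 101 permit udp host 172.17.16.2 eq ntp host 172.17.16.18"]
ACL_103 = ["access-list 103 permit udp host 172.17.16.18 host 172.17.16.2 eq ntp"]
# Chuck's single entry with both ports pinned to ntp.
ACL_189 = ["permit udp host 1.1.2.3 eq ntp host 5.6.7.8 eq ntp"]

if __name__ == "__main__":
    # Constructed sample packets; 51234 stands in for an ephemeral port.
    cases = [
        ("s1 in, client request", ACL_103, Packet("172.17.16.18", 51234, "172.17.16.2", 123)),
        ("s0 in, server reply",   ACL_101, Packet("172.17.16.2", 123, "172.17.16.18", 51234)),
        ("s1 in, symmetric",      ACL_103, Packet("172.17.16.18", 123, "172.17.16.2", 123)),
        ("s1 in, .18 as server",  ACL_103, Packet("172.17.16.18", 123, "172.17.16.2", 51234)),
        ("189, symmetric",        ACL_189, Packet("1.1.2.3", 123, "5.6.7.8", 123)),
        ("189, server reply",     ACL_189, Packet("1.1.2.3", 123, "5.6.7.8", 51234)),
    ]
    for label, acl, pkt in cases:
        print(f"{label:24} {ntp_mode(pkt):15} -> {evaluate(acl, pkt)}")
```

Running it shows the behaviour each message describes: Albert's pair permits the client request, the server reply and a symmetric exchange as long as 172.17.16.2 is the one answering on port 123, and denies the packets where the roles are reversed. Chuck's single entry permits only the symmetric case; a client that sends from an ephemeral port, the "client request" case in the RFC excerpt, does not match it, so the one-line form is a valid simplification only for peers that both bind to port 123.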



This archive was generated by hypermail 2.1.4 : Thu Jun 20 2002 - 22:33:24 GMT-3