Hi!

Do you have other machines in your network that are checking NTP from other
sources? Maybe NT or *nix box users connected to network who try to use
tardis etc. sync soft through the firewall. The doorknob twist occurs when a
machine gets through the firewall (i.e. firewall rules allow the connection),
but specified port isn't responding. If you want to forward the syncing
pulse, you should allow the wuarchive.wustl.edu to connect to firewall and
then make a tunnel from external interface's UDP port 123 to UDP port 123 of
the NTP server, at best so that NTP server is in DMZ, not in protected
network. I'd check configurations in those NTP servers just in case and in
addition, if there are users inside who like to sync their workstation clocks,
tell them to use the internal NTP server.

By the way, for security reasons, NEVER post your IPs anywhere. Every NG
like this might have lurkers who are checking for holes (firewall type,
services etc.) and posting your IP gives them a starting point. So if need
arises use for example this format for your IPs:

> Jan 28 05:59:44 psn FILTER: Connect to closed port : UDP fxp0
> [128.252.135.4/123]->[xxx.xxx.xxx.xxx/12752] l=0.


Best regards,

Reko Turja

----- Original Message -----
From: "Lowell Tyler" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, January 29, 2000 3:31 AM
Subject: NTP and Doorknob Twists...


> Send postings to: [EMAIL PROTECTED]
> Access the list archives at:
> http://www.gnatbox.com/gb-users/
> ----------------------------------
> Hi,
>
> We are currently running NTP 4.0.xx for time synchronization on our servers.
> Our mail server is acting as our local NTP server and is getting time from
> three NTP servers.
>
> We keep getting the following messages in our log:
>
> Jan 28 05:59:44 psn FILTER: Connect to closed port : UDP fxp0
> [128.252.135.4/123]->[128.171.128.7/12752] l=0.
>
> Jan 28 06:03:39 psn FILTER: Connect to closed port : UDP fxp0
> [128.252.135.4/123]->[128.171.128.8/14218] l=0.
>
> 128.171.128.7 is the EXT interface for our firewall, and 128.171.128.8 is
> our mail server.
>
> The Gnatbox alarm (e-mail) sends messages like the following message:
>
> -----------------------------------------------------------------------------
>
>      ALARM NO: 2
>          DATE: Thursday, Jan 27, 2000
>          TIME: 21:06:04
>     INTERFACE: EXT (fxp0)
>    ALARM TYPE: Doorknob twist
>     IP PACKET: UDP  [128.252.135.4/123]-->[128.171.128.8/16088]  l=0
>                     [wuarchive.wustl.edu/123]-->[128.171.128.8/16088]
>
> DETAILED DESCRIPTION:
> Attempt to connect to unopen port.
>
> -----------------------------------------------------------------------------
>
> Does anyone know what is happening?  I have removed the NTP server
> (wuarchive.wustl.edu) from our ntp.conf file, but we're still getting these
> connection attempts (about 1 a minute).  Sometimes, we get 3-4 in a 15
> second span.
>
> How do I stop this?  Temporarily, I am rejecting 128.252.135.4 UDP 123 with
> no logging.
>
> Lastly, what are doorknob twists, and how do they occur?
>
> Much thanks,
> Lowell Tyler
> [EMAIL PROTECTED]


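Added example, not part of the original thread or of GNAT Box itself: a small Python script that groups the "Connect to closed port" entries shaped like NTP replies by the local address they were sent to, and masks your own addresses in the xxx.xxx.xxx.xxx format suggested in the reply before a log line is posted. The function names and the 1024 port threshold are assumptions; the regular expression is fitted only to the log format quoted in the thread.

```python
import ipaddress
import re
from collections import Counter

# First two lines are the log entries quoted in the thread (wrapped lines rejoined);
# the third is constructed here to show a non-NTP packet being ignored.
SAMPLE = [
    "Jan 28 05:59:44 psn FILTER: Connect to closed port : UDP fxp0 [128.252.135.4/123]->[128.171.128.7/12752] l=0.",
    "Jan 28 06:03:39 psn FILTER: Connect to closed port : UDP fxp0 [128.252.135.4/123]->[128.171.128.8/14218] l=0.",
    "Jan 28 06:04:10 psn FILTER: Connect to closed port : UDP fxp0 [192.0.2.10/53]->[128.171.128.8/14300] l=0.",
]
LINE_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ FILTER: Connect to closed port : "
    r"(?P<proto>\w+) (?P<iface>\S+) "
    r"\[(?P<src>[\d.]+)/(?P<sport>\d+)\]->\[(?P<dst>[\d.]+)/(?P<dport>\d+)\]")
IP_RE = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")

def stray_ntp_replies(lines):
    """Count closed-port hits shaped like NTP replies (UDP, source port 123,
    unprivileged destination port), keyed by (server, local destination)."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m["proto"] == "UDP" and m["sport"] == "123" and int(m["dport"]) >= 1024:
            hits[(m["src"], m["dst"])] += 1
    return hits

def redact(line, own_nets):
    """Mask addresses inside own_nets as xxx.xxx.xxx.xxx, leaving others intact."""
    nets = [ipaddress.ip_network(n) for n in own_nets]
    def mask(m):
        try:
            ip = ipaddress.ip_address(m.group(0))
        except ValueError:      # e.g. 999.1.1.1 is not an address; leave it
            return m.group(0)
        return "xxx.xxx.xxx.xxx" if any(ip in n for n in nets) else m.group(0)
    return IP_RE.sub(mask, line)

if __name__ == "__main__":
    for (server, local), n in stray_ntp_replies(SAMPLE).items():
        print(f"{n} reply-shaped packet(s) from {server} to {local}")
    for line in SAMPLE:
        print(redact(line, ["128.171.128.7", "128.171.128.8"]))
```

The per-destination counts show which local address the remote server is still answering, which helps locate the machine that is querying it.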