Hello,
I realized that sometimes on my servers behind IP Filter / NAT
(IP Filter: v4.1.8 (416)) the (cron launched) commands to sync
the time with NTP, like
# /usr/sbin/ntpdate -b 192.53.103.103
do not work on some servers; I have a rule in ipf.rules like:
pass out log first quick on em1 proto udp from 193.31.10.0/24 to any port = 123 keep state
and we're doing NAT behind the official IP addr with the rule
map em1 193.31.10.32/24 -> xxx.xxx.xxx.xxx/32
As I said, it works sometimes and sometimes not. Today I've looked
deeper into it when it again did not work on some server and
realized that flushing the NAT tables makes it work, i.e. the problem
has to do with the fact that the NAT entry:
# ipnat -l | fgrep ' 123 '
MAP 193.31.10.34 123 <- -> xxx.xxx.xxx.xxx 123 [192.53.103.103 123]
stays for a long time (for minutes), which makes UDP port 123
unusable for any other internal addr, like 193.31.10.35;
I watched the connection with
# ipfstat -t -S 0.0.0.0,123
and the ttl is 12 secs; after this the connection goes away in ipfstat,
but the NAT entry remains for a long time.
What can I do?
Btw: The man page of 'ipfstat' says for '0.0.0.0' it should be 'any':
# ipfstat -t -S any,123
Invalid IP address: any
#
# man ipfstat
...
-S <addrport>
This option is only valid in combination with -t. Limit the
state top display to show only state entries whose source IP
address and port match the addrport argument. The addrport
specification is of the form ipaddress[,port]. The ipaddress and
port should be either numerical or the string "any" (specifying
any IP address resp. any port). If the -S option is not
specified, it defaults to "-S any,any".
Which is perhaps just outdated.
Thanks
matthias
--
Matthias Apitz
Manager Technical Support - OCLC PICA GmbH
Gruenwalder Weg 28g - 82041 Oberhaching - Germany
t +49-89-61308 351 - f +49-89-61308 399 - m +49-170-4527211
e <[EMAIL PROTECTED]> - w http://www.oclcpica.org/ http://www.UnixArea.de/
b http://gurucubano.blogspot.com/
OCLC PICA GmbH, Geschaeftsfuehrer: Christine Magin-Weeger, Norbert Weinberger
Sitz der Gesellschaft: Oberhaching, HRB Muenchen: 113261
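An added example, not from the post above: a small POSIX sh/awk helper that parses `ipnat -l` session lines of the shape quoted above (`MAP <int_ip> <int_port> <- -> <ext_ip> <ext_port> [<remote_ip> <remote_port>]`) and reports which other internal host currently holds a given external port, so a cron job can tell before running ntpdate whether the port 123 translation is already taken. It assumes, as the quoted `map` rule with no `portmap` implies, that the external port equals the internal source port; the sample listing and the 203.0.113.5 external address are constructed.

```shell
# Constructed sample of `ipnat -l` output (not captured from the original servers);
# 203.0.113.5 stands in for the real external address.
SAMPLE_IPNAT='List of active MAP/Redirect filters:
map em1 193.31.10.32/24 -> 203.0.113.5/32

List of active sessions:
MAP 193.31.10.34 123 <- -> 203.0.113.5 123 [192.53.103.103 123]
MAP 193.31.10.40 51234 <- -> 203.0.113.5 51234 [192.0.2.10 53]
'

# Read `ipnat -l` text on stdin and print one line per active MAP session:
#   int_ip int_port ext_ip ext_port remote_ip remote_port
# Only lines of the session-list shape are kept; the filter-list lines are ignored.
parse_map_sessions() {
    awk '$1 == "MAP" && $4 == "<-" && $5 == "->" {
        gsub(/[][]/, "", $8); gsub(/[][]/, "", $9)   # strip the [ ] around the remote peer
        print $2, $3, $6, $7, $8, $9
    }'
}

# blocked_by <internal_ip> <port>
# Reads `ipnat -l` text on stdin and prints the internal address (other than
# <internal_ip>) whose session currently occupies external port <port>.
# Prints nothing when the port is free or already held by <internal_ip> itself.
# Assumption: 1:1 map without portmap, so ext_port == int_port for every session.
blocked_by() {
    me="$1"; port="$2"
    parse_map_sessions | awk -v me="$me" -v port="$port" '
        $4 == port && $1 != me { print $1; exit }'
}

# Stand-alone usage: check whether 193.31.10.35 could send NTP from UDP/123 right now.
if holder="$(printf '%s' "$SAMPLE_IPNAT" | blocked_by 193.31.10.35 123)" && [ -n "$holder" ]; then
    echo "external port 123 is still held by $holder; ntpdate from 193.31.10.35 would collide"
else
    echo "external port 123 is free for 193.31.10.35"
fi
```

On a live system replace the sample with `ipnat -l | blocked_by <host> 123`; an empty result means the translation slot is free.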