Tore and Kiss,

It looks like this is resolved. For others that might benefit, this is what I am currently using, and now the nf_conntrack_count is < 20.

iptables -t raw -I OUTPUT -p udp --dport 123 -j NOTRACK
iptables -t raw -I OUTPUT -p udp --sport 123 -j NOTRACK
iptables -t raw -I PREROUTING -p udp --dport 123 -j NOTRACK
iptables -t raw -I PREROUTING -p udp --sport 123 -j NOTRACK
iptables -I INPUT -p udp --dport 123 -j ACCEPT
iptables -I INPUT -p udp --sport 123 -j ACCEPT
iptables -I OUTPUT -p udp --dport 123 -j ACCEPT
iptables -I OUTPUT -p udp --sport 123 -j ACCEPT

Thanks for your advice. Have a good weekend!

Best regards,
Mike

-----Original Message-----
From: Tore Anderson [mailto:[email protected]]
Sent: May 7, 2015 10:10 PM
To: [email protected]
Cc: [email protected]
Subject: Re: [Pool] Firewall recommendations for ntp server?

* <[email protected]>

> 3. Disable connection tracking altogether (I think the best solution,
> no?)

This. At least do it just for your NTP traffic. Since NTP is UDP, there's in reality no "connections" to track, and netfilter can't remove an active flow immediately after it's over (since UDP, unlike TCP, gives no hint to third-party observers like netfilter that "this conversation is over"). So they all have to time out instead.

Something like this ought to do the trick:

ip{6,}tables -t raw -I PREROUTING -p udp --dport ntp -j NOTRACK
ip{6,}tables -t raw -I OUTPUT -p udp --sport ntp -j NOTRACK

Tore
_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
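A quick check to run before and after adding the NOTRACK rules, as an added example that is not part of the thread: it parses entries in the /proc/net/nf_conntrack text format and counts them by protocol and the service port the client contacted, so you can confirm that UDP/123 flows waiting to time out are what fills the table. The sample entries are constructed here for illustration; the function and variable names are my own.

```python
import re
from collections import Counter

# Constructed sample in /proc/net/nf_conntrack format (not from the thread).
# Fields: l3proto l3num l4proto l4num timeout [tcp-state] orig-tuple reply-tuple ...
SAMPLE = """\
ipv4     2 udp      17 25 src=192.0.2.10 dst=203.0.113.5 sport=40001 dport=123 src=203.0.113.5 dst=192.0.2.10 sport=123 dport=40001 mark=0 zone=0 use=2
ipv4     2 udp      17 12 src=192.0.2.11 dst=203.0.113.5 sport=40002 dport=123 src=203.0.113.5 dst=192.0.2.11 sport=123 dport=40002 mark=0 zone=0 use=2
ipv4     2 udp      17 3 src=192.0.2.12 dst=203.0.113.5 sport=40003 dport=123 src=203.0.113.5 dst=192.0.2.12 sport=123 dport=40003 mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=198.51.100.7 dst=203.0.113.5 sport=50123 dport=22 src=203.0.113.5 dst=198.51.100.7 sport=22 dport=50123 [ASSURED] mark=0 zone=0 use=2
ipv6    10 udp      17 8 src=2001:db8::1 dst=2001:db8::53 sport=40004 dport=123 src=2001:db8::53 dst=2001:db8::1 sport=123 dport=40004 mark=0 zone=0 use=2
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_entry(line):
    """Return (l4proto, original-direction dport, timeout) or None if malformed."""
    parts = line.split()
    if len(parts) < 5:
        return None
    proto = parts[2]
    try:
        timeout = int(parts[4])
    except ValueError:
        return None
    # The first tuple is the original direction; its dport is the service port
    # the client contacted (123 for NTP). ICMP entries carry no dport and are skipped.
    dports = [int(v) for k, v in KV.findall(line) if k == "dport"]
    if not dports:
        return None
    return proto, dports[0], timeout


def summarize(text):
    """Count conntrack entries per (l4proto, service port)."""
    counts = Counter()
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry:
            proto, dport, _timeout = entry
            counts[(proto, dport)] += 1
    return counts


def ntp_share(text):
    """Fraction of tracked entries that are UDP/123, i.e. what NOTRACK would remove."""
    counts = summarize(text)
    total = sum(counts.values())
    return counts[("udp", 123)] / total if total else 0.0


if __name__ == "__main__":
    # On a live server read /proc/net/nf_conntrack (root) instead of SAMPLE.
    for (proto, port), n in summarize(SAMPLE).most_common():
        print(f"{proto}/{port}: {n}")
    print(f"NTP share of table: {ntp_share(SAMPLE):.0%}")
```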
