rasmus wrote:
>> The _first_ rule in your INPUT chain needs to explicitly allow all
>> traffic to 123/UDP. Something like this:
>
> Sorry, I was unclear. The rule I referred to was one that allowed
> udp/123 traffic. So I have a rule exactly matching what you wrote at
> the head of my INPUT chain. I can see traffic reach my ntpd and I can
> log packets with sport 123 in my OUTPUT filter.
You misunderstand. The rule only accepts packets that are related to an
ongoing connection. You need to accept ALL packets destined to UDP port
123 (while retaining the stateful firewalling on all other traffic). So
please do take Steve's advice and insert a -j ACCEPT rule matching only
UDP port 123 traffic at the start of your INPUT chain.

Cheers,
Jan
_______________________________________________
questions mailing list
questions@lists.ntp.org
https://lists.ntp.org/mailman/listinfo/questions
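The two rulesets below are an added illustration of the point Jan is making; they are constructed for this note and are not rasmus's actual firewall. Both use iptables-restore syntax for the filter table with a DROP policy on INPUT and the conntrack match. The "bad" set accepts UDP/123 only when conntrack already has state for it, so an unsolicited client query (state NEW) falls through to the policy even though ntpd's own outgoing queries and their replies, and anything logged on sport 123 in OUTPUT, look perfectly healthy. The "good" set puts an unconditional ACCEPT for UDP/123 at the head of INPUT and keeps every other service stateful. The check function is a hypothetical helper that only inspects rule ordering in the text, so it runs without root; apply_rules is the one call that needs iptables-restore and privileges.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread. Rulesets are
# constructed; the conntrack match module and iptables-restore format are
# standard, the ordering check below is a hypothetical helper of this note.

# Wrong shape: the only UDP/123 rule is stateful. Inbound client queries are
# conntrack state NEW, match nothing, and hit the INPUT DROP policy.
BAD_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp --dport 123 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
COMMIT'

# Corrected shape: unconditional ACCEPT for UDP/123 first, stateful rules for
# everything else stay exactly as they were.
GOOD_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp --dport 123 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
COMMIT'

# ntp_rule_before_conntrack RULESET
# Returns 0 when the INPUT chain has an unconditional "-p udp --dport 123
# -j ACCEPT" rule and it precedes the first state-matching INPUT rule
# (--ctstate or the older --state). Returns 1 otherwise.
ntp_rule_before_conntrack() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / { n++ }
        /^-A INPUT / && /--ctstate|--state/ && !state { state = n }
        /^-A INPUT -p udp --dport 123 -j ACCEPT$/ && !ntp { ntp = n }
        END { exit (ntp && (!state || ntp < state)) ? 0 : 1 }'
}

# apply_rules RULESET: loads the ruleset atomically. Needs root and replaces
# the whole filter table, so review it before running on a live host.
apply_rules() {
    printf '%s\n' "$1" | iptables-restore
}

# Stand-alone demonstration of the check on both constructed rulesets.
if ntp_rule_before_conntrack "$GOOD_RULES"; then
    echo "GOOD_RULES: unconditional UDP/123 ACCEPT precedes the stateful rules"
fi
if ntp_rule_before_conntrack "$BAD_RULES"; then
    echo "BAD_RULES: unexpectedly passed"
else
    echo "BAD_RULES: client queries (conntrack NEW) would reach the DROP policy"
fi
```

To confirm the live ruleset on a host rather than a constructed one, pipe `iptables-save` into the same check: `ntp_rule_before_conntrack "$(iptables-save)"`. A counter check after the fix is also useful: `iptables -L INPUT -v -n` should show the UDP/123 rule's packet count rising as clients query, with the stateful rule below it unchanged for that traffic.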