Hi,
Thanks for the rules, but I'm still getting errors. Does the
following info help determine what's going wrong?
I've tried the NTP rules as you've sent in the e-mail and in the
general format I've used for the rest of the rules in my rc.firewall
file.
I have default rules that deny a connection unless it is explicitly
allowed. Is that going to affect the rules I need to connect to an ntp
timeserver like tick.usno.navy.mil?
[root@gate rc.d]# /usr/local/bin/ntpdate -v
11 Jan 01:12:50 ntpdate[29444]: ntpdate 4.0.98b Fri Oct 22 01:42:33 PDT 1999 (1)
11 Jan 01:12:50 ntpdate[29444]: no servers can be used, exiting
[root@gate /etc]# /usr/local/bin/ntpdate ntp.ucsd.edu
11 Jan 01:10:21 ntpdate[29440]: sendto(132.239.254.5): Operation not permitted
11 Jan 01:10:22 ntpdate[29440]: sendto(132.239.254.5): Operation not permitted
11 Jan 01:10:23 ntpdate[29440]: sendto(132.239.254.5): Operation not permitted
11 Jan 01:10:24 ntpdate[29440]: sendto(132.239.254.5): Operation not permitted
11 Jan 01:10:25 ntpdate[29440]: no server suitable for synchronization found
NTPDATE part of rc.firewall:
# NTP (123)
# ----------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE $UNPRIVPORTS \
-d $IPADDR 123 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $ANYWHERE $UNPRIVPORTS \
-d $IPADDR 123 -j ACCEPT
Contents of /etc/ntp.conf:
server ntp.ucsd.edu
server ntp1.mainecoon.com
server ns.scruz.net
server tick.usno.navy.mil
server tock.usno.navy.mil
driftfile /etc/ntp.drift
>On Mon, 10 Jan 2000, Edward Moon wrote:
>
> > Does anyone have a working set of IPCHAINS rules to allow ntpdate
> > client requests through an IPCHAINS firewall?
>
>$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 123 -j ACCEPT
>$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 123 -j ACCEPT
>
> > I'm having difficulty setting up the rules for this protocol. No
> > matter what I try I get 'operation not permitted' messages in the log
> > file.
>
>Make sure you don't have a restrict command in your /etc/ntp.conf that is
>preventing this. The mask could be wrong, or you could have set the flags
>"noserve" or "ignore" which would of course prevent time service.
>
>--
>Todd A. Jacobs
>Network Systems Engineer
>
>
>--
>To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
>as the Subject.
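To see which chain is stopping ntpdate with the rules posted above, here is a small model of ipchains first-match evaluation (an added example, not code from the thread). It assumes ntpdate's default source port of 123 (it only uses an unprivileged port with -u), a constructed value for $IPADDR, DENY policies on both chains, and it ignores the -i $EXTERNAL_INTERFACE match since every packet here arrives on that interface.

```python
# Added example (not from the thread): minimal ipchains-style matching to show
# why the posted NTP rules fail for an NTP *client*. Assumptions: ntpdate sends
# from source port 123, $IPADDR is a constructed address, both chain policies are DENY.
ANY = "0.0.0.0/0"
IPADDR = "192.0.2.1"         # constructed stand-in for $IPADDR
SERVER = "132.239.254.5"     # ntp.ucsd.edu, as seen in the posted ntpdate output
UNPRIVPORTS = (1024, 65535)  # $UNPRIVPORTS
NTP = (123, 123)
POLICY = {"input": "DENY", "output": "DENY"}  # deny unless explicitly allowed

def rule(chain, proto, src, sport, dst, dport, target="ACCEPT"):
    return (chain, proto, src, sport, dst, dport, target)

def _addr_ok(pattern, addr):
    return pattern == ANY or pattern == addr

def _port_ok(pattern, port):
    return pattern is None or pattern[0] <= port <= pattern[1]

def evaluate(rules, pkt):
    """ipchains semantics: the first matching rule decides, else the chain policy."""
    chain, proto, src, sport, dst, dport = pkt
    for r_chain, r_proto, r_src, r_sport, r_dst, r_dport, target in rules:
        if (r_chain, r_proto) != (chain, proto):
            continue
        if (_addr_ok(r_src, src) and _port_ok(r_sport, sport)
                and _addr_ok(r_dst, dst) and _port_ok(r_dport, dport)):
            return target
    return POLICY[chain]

# The rules exactly as posted: input chain only, source restricted to $UNPRIVPORTS.
POSTED = [
    rule("input", "tcp", ANY, UNPRIVPORTS, IPADDR, NTP),
    rule("input", "udp", ANY, UNPRIVPORTS, IPADDR, NTP),
]
# What a client behind a deny-by-default firewall needs: the request must leave
# through the output chain, and the server answers from source port 123.
CLIENT = [
    rule("output", "udp", IPADDR, NTP, ANY, NTP),
    rule("input", "udp", ANY, NTP, IPADDR, NTP),
]

REQUEST = ("output", "udp", IPADDR, 123, SERVER, 123)  # ntpdate -> server
REPLY = ("input", "udp", SERVER, 123, IPADDR, 123)     # server -> ntpdate

def verdicts(rules):
    """Returns (request verdict, reply verdict) for a rule set."""
    return evaluate(rules, REQUEST), evaluate(rules, REPLY)
```

With the posted rules the request is denied on the output chain, which is exactly what makes sendto() fail with "Operation not permitted", and even if it got out the reply would be denied because the server's source port 123 is not in $UNPRIVPORTS; the client rule set passes both packets.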