Re: [ntp:questions] Firewall requirements for NTP as both client and server
On 28/12/2014 22:16, Paul wrote:
> These are some commands that might stop your instance. Or set your house on fire.
>
> /etc/rc.d/ipfw stop
> ipfw disable firewall
> ipfw -f flush
>
> Your traces certainly look like the firewall is blocking the traffic.

Thanks for that Paul, but it made no difference. I think the fault lies elsewhere. House still intact!

--
Cheers,
David
Web: http://www.satsignal.eu

___
questions mailing list
questions@lists.ntp.org
http://lists.ntp.org/listinfo/questions
Re: [ntp:questions] Firewall requirements for NTP as both client and server
On 29/12/2014 03:29, Phil W Lee wrote:
[]
> What worked for me was (rule numbers are irrelevant, although the order of the rules is important - you need to make sure that ntp traffic doesn't get caught and dumped by an earlier rule, but also that any rule which passes ntp traffic through NAT comes after any "check-state" rule allowing NAT to work on udp traffic if you use it):
>
> n allow udp from any to any dst-port 123
>
> if you are using the firewall as an ntp server as well:
>
> n allow udp from any to me dst-port 123
> n allow udp from me to any dst-port 123
>
> And (if you are using NAT on the firewall)
>
> n allow ip from $insidesubnet to any dst-port 123 keep-state
>
> Testing showed that "any" did not appear to include "me"
[]
> I hope your firewall is running a fairly minimal installation of FreeBSD, for security reasons. This can make it a PITA to keep software versions up-to-date, but it's the price you pay for security.
>
> HTH,
> Phil

Thanks for that, Phil. I tried your suggestions, and even Paul's of how to disable the firewall, but none of them made any difference.

Looking at the NTPns through its Telnet interface, although it shows one source as "SELECTED", it's some 24 seconds out, so I don't think the NTPns server is working as I expected with just network sources. There are three sources listed here:

Source 192.168.0.1: votes 1.00 flags los 1/192 update 64 SELECTED limit 1.28e-01
No leapsecond at end of today
stratum 1 refid [192.168.0.1] delay 0.0 dispersion 0.001205444
last_ts 1419839553.481725031 last_delta -24.054684001

Source 192.168.0.3: votes 1.00 flags los 1/192 update 64 limit 1.28e-01
No leapsecond at end of today
stratum 1 refid [192.168.0.3] delay 0.0 dispersion 0.001037598
last_ts 1419839553.501792659 last_delta -24.054779510

Source 192.168.0.8: votes 1.00 flags los 1/192 update 64 limit 1.28e-01
No leapsecond at end of today
stratum 1 refid [192.168.0.8] delay 0.0 dispersion 0.001144409
last_ts 1419839553.517881545 last_delta -24.055015980

--
Cheers,
David
Web: http://www.satsignal.eu
Re: [ntp:questions] Firewall requirements for NTP as both client and server
> On 28 Dec 2014 at 19:14, David Taylor wrote:
>
> 17:46:20.823583 IP 192.168.0.1.ntp > net4501.ntp: NTPv4, Client, length 48
> 17:46:52.838966 IP 192.168.0.1.ntp > net4501.ntp: NTPv4, Client, length 48
>
> They are 32 seconds approximately apart which is what I would expect. So does that mean that the firewall has blocked them, or that the NTPns server never responded? There is no firewall block on 192.168.0.1 making requests and getting responses from servers on or off the LAN.

This looks like your firewall,

>> add 200 allow udp from any 123 to any

is saying allow port 123 SOURCE packets in from any source, BUT client packets don't come from port 123, but from an unprivileged port: here is a log from my internet facing server, also a 4801:

Dec 28 18:23:58 muon kernel: ipfw: 540 Accept UDP 192.3.96.154:32894 192.168.1.4:123 in via sis0

so your rules are not allowing the outside requests to get to NTPns. If you add logging you will see them Denied. Fixing this is an exercise for the reader.

> I'll investigate NTPns further
>
> --
> Cheers,
> David
> Web: http://www.satsignal.eu
Re: [ntp:questions] Firewall requirements for NTP as both client and server
These are some commands that might stop your instance. Or set your house on fire.

/etc/rc.d/ipfw stop
ipfw disable firewall
ipfw -f flush

Your traces certainly look like the firewall is blocking the traffic.

On Sun, Dec 28, 2014 at 2:37 PM, David Taylor wrote:
> Very good question, but I couldn't find a way to disable ipfw! I did say I am a complete novice at this
Re: [ntp:questions] Firewall requirements for NTP as both client and server
In article , David Taylor wrote:
>On 28/12/2014 17:38, Paul wrote:
>> On Sun, Dec 28, 2014 at 11:11 AM, David Taylor <
>> david-tay...@blueyonder.co.uk.invalid> wrote:
>>
>>> I wonder whether this might be a firewall issue
>>
>> The first question is always: does it work with the firewall off?
>
>Very good question, but I couldn't find a way to disable ipfw! I did
>say I am a complete novice at this

If it was loaded as a module, "kldunload ipfw" should do it. (Hmmm, if and only if it's actually unloadable, which I'm not sure about.) Otherwise, add a new rule at the very beginning that allows everything. (Unless you've rebuilt the kernel, ipfw is "default closed" so you have to have at least one rule to pass any traffic at all.)

-GAWollman

--
Garrett A. Wollman    | What intellectual phenomenon can be older, or more oft
woll...@bimajority.org| repeated, than the story of a large research program
Opinions not shared by| that impaled itself upon a false central assumption
my employers.         | accepted by all practitioners?  - S.J. Gould, 1993
Re: [ntp:questions] Firewall requirements for NTP as both client and server
On 28/12/2014 17:38, Paul wrote:
> On Sun, Dec 28, 2014 at 11:11 AM, David Taylor <
> david-tay...@blueyonder.co.uk.invalid> wrote:
>
>> I wonder whether this might be a firewall issue
>
> The first question is always: does it work with the firewall off?

Very good question, but I couldn't find a way to disable ipfw! I did say I am a complete novice at this

--
Cheers,
David
Web: http://www.satsignal.eu
Re: [ntp:questions] Firewall requirements for NTP as both client and server
On 28/12/2014 17:07, Mike Cook wrote:
> On 28 Dec 2014 at 17:11, David Taylor wrote:
>
>> I'm trying to understand the firewall requirements for NTP. Using the FreeBSD ipfw I have the following, which appears to allow NTPns to operate as a client, i.e. it can get times from other servers on my LAN, and even from the WAN.
>>
>> add 100 allow udp from any to any 123
>> add 200 allow udp from any 123 to any
>
> Check with "ipfw -S show" that you are getting the result you want:
>
>> However, other servers on the same LAN appear not to be able to see this NTPns server, always being in an INIT state. I wonder whether this might be a firewall issue, or whether the settings above should suffice both for NTPns as a client, and as a server. My reading is that they should, but I'm very unfamiliar with ipfw (and that's what I have to use).
>
> I use the following for my 4801 on 192.168.1.3 (show result), allowing all NTP requests IN
>
> 00960 55601149140 set 8 allow udp from any to 192.168.1.3 dst-port 123 via sis0 keep-state
>
> and letting any server initiated request out. I don't restrict outgoing packets as I am the only user.
>
> 05100 9721814 1149904224 set 0 allow ip from 192.168.1.3 to any keep-state
>
> When I get odd things like this happening I select logging and see what is / is not getting through. ex.
>
> 00705 717773 274869433 set 2 allow log ip from not 192.168.0.0/16 to 192.168.1.3 dst-port 80 via sis0 keep-state
>
> to log all incoming http from the internet.
>
> It could be that your other servers have firewalls restricting some address traffic. You can use tcpdump to see what is on your LAN
>
> $ sudo tcpdump -p udp port 123
> Password:
> Hold it up to the light --- not a brain in sight!
> Password:
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on sis0, link-type EN10MB (Ethernet), capture size 96 bytes
> 18:06:01.575375 IP gluon.stratum1.d2g.com.ntp > ntp-p1.obspm.fr.ntp: NTPv4, Client, length 48
> 18:06:02.575056 IP gluon.stratum1.d2g.com.ntp > ns1.nexellent.net.ntp: NTPv4, Client, length 48
> 18:06:02.597744 IP ns1.nexellent.net.ntp > gluon.stratum1.d2g.com.ntp: NTPv4, Server, length 48
> 18:06:03.575860 IP gluon.stratum1.d2g.com.ntp > ch-ntp01.swiss-networks.net.ntp: NTPv4, Client, length 48
> 18:06:03.601883 IP ch-ntp01.swiss-networks.net.ntp > gluon.stratum1.d2g.com.ntp: NTPv4, Server, length 48
> 18:06:05.575561 IP gluon.stratum1.d2g.com.ntp > laurelineA.stratum1.d2g.com.ntp: NTPv4, Client, length 48
> 18:06:05.575815 IP laurelineA.stratum1.d2g.com.ntp > gluon.stratum1.d2g.com.ntp: NTPv4, Server, length 48
> 18:06:14.575661 IP gluon.stratum1.d2g.com.ntp > muon.stratum1.d2g.com.ntp: NTPv4, Client, length 48
> 18:06:14.576758 IP muon.stratum1.d2g.com.ntp > gluon.stratum1.d2g.com.ntp: NTPv4, Server, length 48
> 18:06:15.575563 IP gluon.stratum1.d2g.com.ntp > raspb1.home.ntp: NTPv4, Client, length 48
> 18:06:15.576416 IP raspb1.home.ntp > gluon.stratum1.d2g.com.ntp: NTPv4, Server, length 48
>
> have fun

Not sure that "fun" is quite the word to describe it! But that's a big help, Mike. At least I think it is. I would not have known the best options for tcpdump, although I have heard of the command. My raw tcpdump is, and sorry about the wrap!

tcpdump -p udp port 123
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on sis0, link-type EN10MB (Ethernet), capture size 68 bytes
17:45:15.792240 IP 192.168.0.1.ntp > net4501.ntp: NTPv4, Client, length 48
17:45:48.808107 IP 192.168.0.1.ntp > net4501.ntp: NTPv4, Client, length 48
17:45:53.555475 IP net4501.ntp > 192.168.0.3.ntp: NTPv4, Client, length 48
17:45:53.555875 IP 192.168.0.3.ntp > net4501.ntp: NTPv4, Server, length 48
17:45:53.619489 IP net4501.ntp > 192.168.0.8.ntp: NTPv4, Client, length 48
17:45:53.620498 IP 192.168.0.8.ntp > net4501.ntp: NTPv4, Server, length 48
17:45:53.643496 IP net4501.ntp > 192.168.0.1.ntp: NTPv4, Client, length 48
17:45:53.643889 IP 192.168.0.1.ntp > net4501.ntp: NTPv4, Server, length 48
17:46:20.823583 IP 192.168.0.1.ntp > net4501.ntp: NTPv4, Client, length 48
17:46:52.838966 IP 192.168.0.1.ntp > net4501.ntp: NTPv4, Client, length 48
17:46:57.556443 IP net4501.ntp > 192.168.0.3.ntp: NTPv4, Client, length 48
17:46:57.556740 IP 192.168.0.3.ntp > net4501.ntp: NTPv4, Server, length 48
17:46:57.621216 IP net4501.ntp > 192.168.0.8.ntp: NTPv4, Client, length 48
17:46:57.622110 IP 192.168.0.8.ntp > net4501.ntp: NTPv4, Server, length 48
17:46:57.643393 IP net4501.ntp > 192.168.0.1.ntp: NTPv4, Client, length 48
17:46:57.643951 IP 192.168.0.1.ntp > net4501.ntp: NTPv4, Server, length 48
^C
16 packets captured
542 packets received by filter
0 packets dropped by kernel

which I think I can separate into two groups. The first is where the net4501 as a client is making requests to its servers, and getting responses back:

17:45:53.555475 IP net4501.ntp > 192.168.0.3.ntp: NTPv4, Client, length 48
17:45:53.555875 IP 192.168.0.3.ntp >
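A script that does the request/reply pairing David does by eye, added here as an example and not part of the thread: it parses tcpdump summary lines in the format above and lists the NTP Client packets that never got a matching Server reply. The embedded capture is a constructed subset of the net4501 capture, and the two-second reply window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, a subset of the net4501 capture above: 192.168.0.1
# polls net4501 and hears nothing back, while net4501's own poll is answered.
CAPTURE = """\
17:45:15.792240 IP 192.168.0.1.ntp > net4501.ntp: NTPv4, Client, length 48
17:45:48.808107 IP 192.168.0.1.ntp > net4501.ntp: NTPv4, Client, length 48
17:45:53.643496 IP net4501.ntp > 192.168.0.1.ntp: NTPv4, Client, length 48
17:45:53.643889 IP 192.168.0.1.ntp > net4501.ntp: NTPv4, Server, length 48
17:46:20.823583 IP 192.168.0.1.ntp > net4501.ntp: NTPv4, Client, length 48
"""

# One tcpdump summary line; "host.port" splits at the last dot ("ntp" or "32894").
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d{6}) IP (?P<src>\S+)\.(?P<sport>\w+) > "
    r"(?P<dst>\S+)\.(?P<dport>\w+): NTPv4, (?P<mode>Client|Server), length \d+$"
)

def parse(text):
    pkts = []  # (time, src, sport, dst, dport, mode); banner/summary lines skipped
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            t = datetime.strptime(m["ts"], "%H:%M:%S.%f")  # assumes a single-day capture
            pkts.append((t, m["src"], m["sport"], m["dst"], m["dport"], m["mode"]))
    return pkts

def unanswered(text, window=timedelta(seconds=2)):
    """List (time, client, server) for Client packets with no Server reply in `window`."""
    pkts = parse(text)
    claimed = set()  # Server packets already paired with an earlier request
    missing = []
    for i, (t, src, sport, dst, dport, mode) in enumerate(pkts):
        if mode != "Client":
            continue
        answered = False
        for j in range(i + 1, len(pkts)):
            rt, rsrc, rsport, rdst, rdport, rmode = pkts[j]
            if rt - t > window:
                break
            # A reply reverses both addresses and both ports and is marked Server.
            if (j not in claimed and rmode == "Server" and rsrc == dst
                    and rdst == src and rsport == dport and rdport == sport):
                claimed.add(j)
                answered = True
                break
        if not answered:
            missing.append((t.strftime("%H:%M:%S"), src, dst))
    return missing
```

Run it over a capture taken on the server that is suspected of not answering; every line it lists is a request that reached the wire but drew no reply, which separates a firewall drop from a peer that never polled at all.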
Re: [ntp:questions] Firewall requirements for NTP as both client and server
On Sun, Dec 28, 2014 at 11:11 AM, David Taylor <
david-tay...@blueyonder.co.uk.invalid> wrote:
> I wonder whether this might be a firewall issue

The first question is always: does it work with the firewall off?
Re: [ntp:questions] Firewall requirements for NTP as both client and server
> On 28 Dec 2014 at 17:11, David Taylor wrote:
>
> I'm trying to understand the firewall requirements for NTP. Using the FreeBSD ipfw I have the following, which appears to allow NTPns to operate as a client, i.e. it can get times from other servers on my LAN, and even from the WAN.
>
> add 100 allow udp from any to any 123
> add 200 allow udp from any 123 to any

Check with "ipfw -S show" that you are getting the result you want:

> However, other servers on the same LAN appear not to be able to see this NTPns server, always being in an INIT state. I wonder whether this might be a firewall issue, or whether the settings above should suffice both for NTPns as a client, and as a server. My reading is that they should, but I'm very unfamiliar with ipfw (and that's what I have to use).

I use the following for my 4801 on 192.168.1.3 (show result), allowing all NTP requests IN

00960 55601149140 set 8 allow udp from any to 192.168.1.3 dst-port 123 via sis0 keep-state

and letting any server initiated request out. I don't restrict outgoing packets as I am the only user.

05100 9721814 1149904224 set 0 allow ip from 192.168.1.3 to any keep-state

When I get odd things like this happening I select logging and see what is / is not getting through. ex.

00705 717773 274869433 set 2 allow log ip from not 192.168.0.0/16 to 192.168.1.3 dst-port 80 via sis0 keep-state

to log all incoming http from the internet.

It could be that your other servers have firewalls restricting some address traffic. You can use tcpdump to see what is on your LAN

$ sudo tcpdump -p udp port 123
Password:
Hold it up to the light --- not a brain in sight!
Password:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on sis0, link-type EN10MB (Ethernet), capture size 96 bytes
18:06:01.575375 IP gluon.stratum1.d2g.com.ntp > ntp-p1.obspm.fr.ntp: NTPv4, Client, length 48
18:06:02.575056 IP gluon.stratum1.d2g.com.ntp > ns1.nexellent.net.ntp: NTPv4, Client, length 48
18:06:02.597744 IP ns1.nexellent.net.ntp > gluon.stratum1.d2g.com.ntp: NTPv4, Server, length 48
18:06:03.575860 IP gluon.stratum1.d2g.com.ntp > ch-ntp01.swiss-networks.net.ntp: NTPv4, Client, length 48
18:06:03.601883 IP ch-ntp01.swiss-networks.net.ntp > gluon.stratum1.d2g.com.ntp: NTPv4, Server, length 48
18:06:05.575561 IP gluon.stratum1.d2g.com.ntp > laurelineA.stratum1.d2g.com.ntp: NTPv4, Client, length 48
18:06:05.575815 IP laurelineA.stratum1.d2g.com.ntp > gluon.stratum1.d2g.com.ntp: NTPv4, Server, length 48
18:06:14.575661 IP gluon.stratum1.d2g.com.ntp > muon.stratum1.d2g.com.ntp: NTPv4, Client, length 48
18:06:14.576758 IP muon.stratum1.d2g.com.ntp > gluon.stratum1.d2g.com.ntp: NTPv4, Server, length 48
18:06:15.575563 IP gluon.stratum1.d2g.com.ntp > raspb1.home.ntp: NTPv4, Client, length 48
18:06:15.576416 IP raspb1.home.ntp > gluon.stratum1.d2g.com.ntp: NTPv4, Server, length 48

have fun

> Thanks!
>
> --
> Cheers,
> David
> Web: http://www.satsignal.eu
[ntp:questions] Firewall requirements for NTP as both client and server
I'm trying to understand the firewall requirements for NTP. Using the FreeBSD ipfw I have the following, which appears to allow NTPns to operate as a client, i.e. it can get times from other servers on my LAN, and even from the WAN.

add 100 allow udp from any to any 123
add 200 allow udp from any 123 to any

However, other servers on the same LAN appear not to be able to see this NTPns server, always being in an INIT state. I wonder whether this might be a firewall issue, or whether the settings above should suffice both for NTPns as a client, and as a server. My reading is that they should, but I'm very unfamiliar with ipfw (and that's what I have to use).

Thanks!

--
Cheers,
David
Web: http://www.satsignal.eu