On Tue, Dec 12, 2023 at 04:34:09PM +0300, CpServiceSPb wrote:
> Hallelujah.
> It has worked.
Great.
> One question remained - how to bind client instances to the exact wan
> interface, not to 0.0.0.0 ?
The client's sockets can be bound to an address with the
bindacqaddress directive.
--
Hallelujah.
It has worked.
I will think about how to make an appropriate start/stop script.
> That suggests there is an unexpected chronyd instance running on the
> system, maybe from a previous test which wasn't terminated properly?
I investigated.
It is when lan/dmz config files are located in
On Tue, Dec 12, 2023 at 04:07:23PM +0300, CpServiceSPb wrote:
> Let's clarify:
Yes, that looks good to me. Make sure no other chronyd instance is
running before you start those three.
--
Miroslav Lichvar
--
To unsubscribe email chrony-dev-requ...@chrony.tuxfamily.org with "unsubscribe"
in
Let's clarify:
==
chronyd -f /etc/chrony-server-lan.conf
where /etc/chrony-server-lan.conf:
server 127.0.0.1 port 11123 minpoll 0 maxpoll 0 copy
bindaddress lanIP
allow
cmdport 11323
bindcmdaddress /var/run/chrony/chronyd-server-lan.sock
pidfile /var/run/chronyd-server-lan.pid
driftfile
On Tue, Dec 12, 2023 at 03:49:10PM +0300, CpServiceSPb wrote:
> I will check about unexpected chrony instances.
> I use Ubuntu 22.04 LTS x64.
>
> Should I use the config you posted above and multi script or config and
> chrony -d ?
Don't use the script. It cannot set different bindaddresses. It
I will check about unexpected chrony instances.
I use Ubuntu 22.04 LTS x64.
Should I use the config you posted above and multi script or config and
chrony -d ?
Tue, Dec 12, 2023 at 15:23, Miroslav Lichvar :
> On Mon, Dec 11, 2023 at 06:04:18PM +0300, CpServiceSPb wrote:
> > Which ports will
On Mon, Dec 11, 2023 at 06:04:18PM +0300, CpServiceSPb wrote:
> Which ports will be listened to, 123 ?
> I mean by server from clients in lan/dmz ?
Yes, 123.
> I did such a configuration.
>
> Launched as chronyd -d and got:
> Could not add source 127.0.0.1
That would indicate you have the same
I did such a configuration.
Launched as chronyd -d and got:
Could not add source 127.0.0.1
and netstat -anupt | grep 123
udp        0      0 127.0.0.1:35180   127.0.0.1:11123   ESTABLISHED 135185/chronyd
udp        0      0 dmzIP:11123       0.0.0.0:*                     135185/chronyd
If I launched via multi
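The security goal in this thread is that each chronyd instance listens only on its own interface address, so a quick post-start check is worth having. The script below is an added example, not code from the thread or the chrony project: it reads netstat-style output such as the listing above and reports any chronyd UDP listener that is still bound to the wildcard address (0.0.0.0 or ::). The sample listing embedded in it is constructed for the test, not captured from the poster's host; the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): audit chronyd UDP listeners and report
# any bound to the wildcard address instead of a specific interface IP.

# Constructed sample in the layout of `netstat -anup` (not real output from
# the thread's host). Three chronyd instances: two pinned to lan/dmz
# addresses, one accidentally left on 0.0.0.0 / :: (hypothetical PIDs).
SAMPLE_NETSTAT='udp        0      0 192.168.0.254:123       0.0.0.0:*                           135185/chronyd
udp        0      0 172.17.0.254:123        0.0.0.0:*                           135186/chronyd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           135187/chronyd
udp        0      0 127.0.0.1:35180         127.0.0.1:11123         ESTABLISHED 135185/chronyd
udp6       0      0 :::123                  :::*                                135187/chronyd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           812/dhclient'

# Read netstat-style lines on stdin; print the local address:port of every
# chronyd UDP socket that has no remote peer and is bound to a wildcard address.
# Connected client sockets (remote peer set, e.g. the 127.0.0.1:11123 link
# between instances) are skipped because they are not listeners.
wildcard_chronyd_listeners() {
    awk '
        $1 ~ /^udp/ && $NF ~ /\/chronyd$/ {
            local = $4; remote = $5
            if (remote !~ /:\*$/) next          # has a peer: not a listener
            addr = local; sub(/:[^:]*$/, "", addr)   # drop the port suffix
            if (addr == "0.0.0.0" || addr == "::" || addr == "*") print local
        }'
}

# Convenience wrapper: take the listing as an argument instead of stdin.
wildcard_listeners_from() {
    printf '%s\n' "$1" | wildcard_chronyd_listeners
}

# Number of wildcard-bound chronyd listeners in a listing; 0 means every
# instance is pinned to an address, which is the state the thread is after.
count_wildcard_listeners() {
    wildcard_listeners_from "$1" | wc -l | tr -d ' '
}

# Stand-alone run: show the offenders in the constructed sample.
# On a live host replace SAMPLE_NETSTAT with the output of `netstat -anup`.
wildcard_listeners_from "$SAMPLE_NETSTAT"
```

On the constructed sample this prints `0.0.0.0:123` and `:::123`, the IPv4 and IPv6 sockets of the instance that was started without a bindaddress; the two instances bound to the lan and dmz addresses produce nothing.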
Which ports will be listened to, 123 ?
I mean by server from clients in lan/dmz ?
Mon, Dec 11, 2023 at 17:26, Miroslav Lichvar :
> On Mon, Dec 11, 2023 at 05:08:32PM +0300, CpServiceSPb wrote:
> > Would you be so kind to post 2 config files for 2 different interfaces,
> for
> > example:
> >
On Mon, Dec 11, 2023 at 05:08:32PM +0300, CpServiceSPb wrote:
> Would you be so kind to post 2 config files for 2 different interfaces, for
> example:
> lan = 192.168.0.254/99
> dmz = 172.17.0.254/99
1st server instance:
server 127.0.0.1 port 11123 minpoll 0 maxpoll 0 copy
bindaddress
Would you be so kind to post 2 config files for 2 different interfaces, for
example:
lan = 192.168.0.254/99
dmz = 172.17.0.254/99
and multiple launching script.
Mon, Dec 11, 2023 at 17:05, Miroslav Lichvar :
> On Thu, Dec 07, 2023 at 12:33:57AM +0300, CpServiceSPb wrote:
> > I really don't
On Thu, Dec 07, 2023 at 12:33:57AM +0300, CpServiceSPb wrote:
> I really don't understand how to specify the interface address for each
> instance.
> Here are my config files:
> *conf.d/lan.conf*
> server lanIP port 11123 minpoll 0 maxpoll 0 copy
> allow
> bindcmdaddress
I use chronyd version 4.3 on Ubuntu 22.04 x64 LTS.
Thu, Dec 7, 2023 at 00:33, CpServiceSPb :
> I really don't understand how to specify the interface address for each
> instance.
> Here are my config files:
> *conf.d/lan.conf*
> server lanIP port 11123 minpoll 0 maxpoll 0 copy
> allow
>
I really don't understand how to specify the interface address for each
instance.
Here are my config files:
*conf.d/lan.conf*
server lanIP port 11123 minpoll 0 maxpoll 0 copy
allow
bindcmdaddress /var/run/chrony/chronyd-server_lan.sock
cmdport 11323
pidfile /var/run/chrony/chronyd-server_lan.pid
On Wed, Dec 06, 2023 at 12:28:01AM +0300, CpServiceSPb wrote:
> Can you either post a link or detailed instruction on how to launch
> multiple chrony server instances for the same port but different
> interfaces/addresses ?
Here is an example:
It seems I found out where the permissions issue is.
It is necessary to add in the apparmor chronyd file the appropriate paths with write
permissions.
For example:
@{run}/chrony1/{,*} rw,
@{run}/chrony2/{,*} rw,
and there is no necessity to set permissions manually.
All is done automatically.
But in
I set up _chrony user and _chrony group for /var/run/chrony1 and even set
up 755 permission to the folder.
Here is my one config at /etc/chrony/conf.d/lan.conf
At the time only one file:
server 192.168.0.200 port 1123 minpoll 0 maxpoll 0 copy
allow
cmdport 1123
bindcmdaddress
Can you either post a link or detailed instruction on how to launch
multiple chrony server instances for the same port but different
interfaces/addresses ?
Mon, Dec 4, 2023 at 18:25, Miroslav Lichvar :
> On Thu, Nov 30, 2023 at 11:04:37PM +0300, CpServiceSPb wrote:
> > But there is
> > сен 05
On Thu, Nov 30, 2023 at 11:04:37PM +0300, CpServiceSPb wrote:
> But there is
> сен 05 22:55:07 key chronyd[152706]: chronyd version 4.3 starting (+CMDMON
> +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH
> +IPV6 -DEBUG)
> сен 05 22:55:07 key chronyd-starter.sh[152704]: Could
I couldn't launch multiple instances of chrony.
I added lan.conf to the conf.d folder additionally to the main config file:
server lan_IP port 123 minpoll 0 maxpoll 0 copy
allow
cmdport 123
bindcmdaddress /var/run/cc/chronyd-server1.sock
pidfile /var/run/cc/chronyd-server1.pid
driftfile
Adding this way of packet handling will bring a huge competition advantage
for chrony.
I think.
Here is some info about practical netlink usage, in Russian, but you can
read it via Google Translate.
Anyway, thanks in advance.
Tue, Sep 5, 2023 at 17:03, Miroslav Lichvar :
> On Tue, Sep 05,
On Tue, Sep 05, 2023 at 04:33:11PM +0300, CpServiceSPb wrote:
> > That would make more sense for security. However, it's not a simple thing
> > to implement as peer associations use the server sockets too, so there
> > would need to be some code selecting the right socket.
> Maybe it is worth
> It makes no difference. These settings are about ARP
> (L2->L3 translation) and multiple interfaces in the
> same network.
So strange. I thought that it is for multiple interfaces ...
> That would make more sense for security. However, it's not a simple thing
> to implement as peer associations
On Tue, Sep 05, 2023 at 03:44:35PM +0300, CpServiceSPb wrote:
> Due to Weak ES mode in Linux OSes, please remake a test but change a little
> bit test conditions:
> When aiming for Strong ES Model in Linux, you'll first need these sysctl
> settings:
> net.ipv4.conf.all.arp_filter=1
>
As I found out unfortunately we are both right.
But I am right for BSD and Vista+ OSes, you are right for Linux OSes.
I am talking about Weak and Strong ES modes.
Due to Weak ES mode in Linux OSes, please remake a test but change a little
bit test conditions:
When aiming for Strong ES Model in
Maybe do multiple binddevice instead for the specified purpose?
Tue, Sep 5, 2023 at 15:17, CpServiceSPb :
> I don't understand how packets are thrown between interfaces with IP
> forwarding off.
> Maybe nevertheless there is 0.0.0.0 binding.
>
>
> Tue, Sep 5, 2023 at 15:10, CpServiceSPb :
I don't understand how packets are thrown between interfaces with IP
forwarding off.
Maybe nevertheless there is 0.0.0.0 binding.
Tue, Sep 5, 2023 at 15:10, CpServiceSPb :
> As you added the functionality, can you send this version ?
> I will test as well on my own.
>
>
> Tue, Sep 5, 2023
As you added the functionality, can you send this version ?
I will test as well on my own.
Tue, Sep 5, 2023 at 13:54, Miroslav Lichvar :
> On Thu, Aug 31, 2023 at 12:06:35AM +0300, CpServiceSPb wrote:
> > I may be wrong but as I understand that binding to an address is almost
> the
> > same
On Thu, Aug 31, 2023 at 12:06:35AM +0300, CpServiceSPb wrote:
> I may be wrong but as I understand that binding to an address is almost the
> same as binding to an interface.
I think those are two different things. In chrony there is the
binddevice directive for binding to a device. It can be
Hi.
Any new information regarding adding functionality specified by the topic ?
Thu, Aug 31, 2023 at 00:06, CpServiceSPb :
> Each opened (listening) socket in the system is a potential vulnerability.
>
> I may be wrong but as I understand that binding to an address is almost
> the same as
Each opened (listening) socket in the system is a potential vulnerability.
I may be wrong but as I understand that binding to an address is almost the
same as binding to an interface.
Maybe I am wrong, again.
And it means that an appropriate opened socket will receive packets
only from the
On Wed, Aug 30, 2023 at 12:49:34PM +0300, CpServiceSPb wrote:
> > Why is it not good? Is it meant to be a security measure? Would firewall
> > not work better?
> There are sockets in a system.
> Sometimes a firewall can pass packets due to its malfunction or not
> accurate settings.
> If there are
> Why is it not good? Is it meant to be a security measure? Would firewall
> not work better?
There are sockets in a system.
Sometimes a firewall can pass packets due to its malfunction or not
accurate settings.
If there are no extra sockets it is much much better for security.
> For compatibility
On Wed, Aug 30, 2023 at 10:19:56AM +0300, CpServiceSPb wrote:
> There are some multihomed computers which have several network interfaces,
> for example lan, wifi1, wifi2, dmz, wan.
> At the time chrony is bound either to the 0.0.0.0 address, which means "
> listen on every available network
There are some multihomed computers which have several network interfaces,
for example lan, wifi1, wifi2, dmz, wan.
At the time chrony is bound either to the 0.0.0.0 address, which means "
listen on every available network interface ", or only to one specified
interface/address by "bind..."