On Tue, Dec 12, 2023 at 04:34:09PM +0300, CpServiceSPb wrote:
> Hallelujah.
> It has worked.
Great.
> One question remained - how to bind client instances to the exact wan
> interface, not to 0.0.0.0 ?
The client's sockets can be bound to an address with the
bindacqaddress directive.
--
Hallelujah.
It has worked.
I will think about how to make an appropriate start/stop script.
> That suggests there is an unexpected chronyd instance running on the
> system, maybe from a previous test which wasn't terminated properly?
I investigated.
It is when lan/dmz config files are located in
On Tue, Dec 12, 2023 at 04:07:23PM +0300, CpServiceSPb wrote:
> Let's clarify:
Yes, that looks good to me. Make sure no other chronyd instance is
running before you start those three.
--
Miroslav Lichvar
--
Let's clarify:
==
chronyd -f /etc/chrony-server-lan.conf
where /etc/chrony-server-lan.conf:
server 127.0.0.1 port 11123 minpoll 0 maxpoll 0 copy
bindaddress lanIP
allow
cmdport 11323
bindcmdaddress /var/run/chrony/chronyd-server-lan.sock
pidfile /var/run/chronyd-server-lan.pid
driftfile
On Tue, Dec 12, 2023 at 03:49:10PM +0300, CpServiceSPb wrote:
> I will check about unexpected chrony instances.
> I use Ubuntu 22.04 LTS x64.
>
> Should I use the config you posted above and multi script or config and
> chrony -d ?
Don't use the script. It cannot set different bindaddresses. It
I will check about unexpected chrony instances.
I use Ubuntu 22.04 LTS x64.
Should I use the config you posted above and multi script or config and
chrony -d ?
Tue, 12 Dec 2023 at 15:23, Miroslav Lichvar :
> On Mon, Dec 11, 2023 at 06:04:18PM +0300, CpServiceSPb wrote:
> > Which ports will
On Mon, Dec 11, 2023 at 06:04:18PM +0300, CpServiceSPb wrote:
> Which ports will be listened to, 123 ?
> I mean by server from clients in ln/dmz ?
Yes, 123.
> I did such a configuration.
>
> Launched as chronyd -d and got:
> Could not add source 127.0.0.1
That would indicate you have the same
I did such a configuration.
Launched as chronyd -d and got:
Could not add source 127.0.0.1
and netstat -anupt | grep 123
udp0 0 127.0.0.1:35180 127.0.0.1:11123
ESTABLISHED 135185/chronyd
udp0 0 dmzIP:11123 0.0.0.0:*
135185/chronyd
If I launched via multi
Which ports will be listened to, 123 ?
I mean by server from clients in ln/dmz ?
Mon, 11 Dec 2023 at 17:26, Miroslav Lichvar :
> On Mon, Dec 11, 2023 at 05:08:32PM +0300, CpServiceSPb wrote:
> > Would you be so kind to post 2 config files for 2 different interfaces,
> for
> > example:
> >
On Mon, Dec 11, 2023 at 05:08:32PM +0300, CpServiceSPb wrote:
> Would you be so kind to post 2 config files for 2 different interfaces, for
> example:
> lan = 192.168.0.254/99
> dmz = 172.17.0.254/99
1st server instance:
server 127.0.0.1 port 11123 minpoll 0 maxpoll 0 copy
bindaddress
Would you be so kind to post 2 config files for 2 different interfaces, for
example:
lan = 192.168.0.254/99
dmz = 172.17.0.254/99
and multiple launching script.
Mon, 11 Dec 2023 at 17:05, Miroslav Lichvar :
> On Thu, Dec 07, 2023 at 12:33:57AM +0300, CpServiceSPb wrote:
> > I really don't
On Thu, Dec 07, 2023 at 12:33:57AM +0300, CpServiceSPb wrote:
> I really don't understand how to specify the interface address for each
> instance.
> Here are my config files:
> *conf.d/lan.conf*
> server lanIP port 11123 minpoll 0 maxpoll 0 copy
> allow
> bindcmdaddress
I use chronyd version 4.3 on Ubuntu 22.04 x64 LTS.
Thu, 7 Dec 2023 at 00:33, CpServiceSPb :
> I really don't understand how to specify the interface address for each
> instance.
> Here are my config files:
> *conf.d/lan.conf*
> server lanIP port 11123 minpoll 0 maxpoll 0 copy
> allow
>
I really don't understand how to specify the interface address for each
instance.
Here are my config files:
*conf.d/lan.conf*
server lanIP port 11123 minpoll 0 maxpoll 0 copy
allow
bindcmdaddress /var/run/chrony/chronyd-server_lan.sock
cmdport 11323
pidfile /var/run/chrony/chronyd-server_lan.pid
On Wed, Dec 06, 2023 at 12:28:01AM +0300, CpServiceSPb wrote:
> Can you either post a link or detailed instruction on how to launch
> multiple chrony server instances for the same port but different
> interfaces/addresses ?
Here is an example:
It seems I found out where the permissions issue is.
It is necessary to add the appropriate paths with write permissions to the
apparmor chronyd profile.
For example:
@{run}/chrony1/{,*} rw,
@{run}/chrony2/{,*} rw,
and there is no necessity to set permissions manually.
All is done automatically.
But in
I set up _chrony user and _chrony group for /var/run/chrony1 and even set
up 755 permission to the folder.
Here is my one config at /etc/chrony/conf.d/lan.conf
At the time only one file:
server 192.168.0.200 port 1123 minpoll 0 maxpoll 0 copy
allow
cmdport 1123
bindcmdaddress
Can you either post a link or detailed instruction on how to launch
multiple chrony server instances for the same port but different
interfaces/addresses ?
Mon, 4 Dec 2023 at 18:25, Miroslav Lichvar :
> On Thu, Nov 30, 2023 at 11:04:37PM +0300, CpServiceSPb wrote:
> > But there is
> > сен 05
On Thu, Nov 30, 2023 at 11:04:37PM +0300, CpServiceSPb wrote:
> But there is
> сен 05 22:55:07 key chronyd[152706]: chronyd version 4.3 starting (+CMDMON
> +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH
> +IPV6 -DEBUG)
> сен 05 22:55:07 key chronyd-starter.sh[152704]: Could
I couldn't launch multiple instances of chrony.
I added lan.conf to the conf.d folder additionally to the main config file:
server lan_IP port 123 minpoll 0 maxpoll 0 copy
allow
cmdport 123
bindcmdaddress /var/run/cc/chronyd-server1.sock
pidfile /var/run/cc/chronyd-server1.pid
driftfile
I couldn't launch multiple instances of chrony.
I added lan.conf to the conf.d folder additionally to the main config file:
server lan_IP port 123 minpoll 0 maxpoll 0 copy
allow
cmdport 123
bindcmdaddress /var/run/cc/chronyd-server1.sock
pidfile /var/run/cc/chronyd-server1.pid
driftfile
Adding this way of packet handling will bring a huge competitive advantage
for chrony, I think.
Here is some info about practical netlink usage, in Russian, but you can
read it via Google Translate.
Anyway, thanks in advance.
Tue, 5 Sep 2023 at 17:03, Miroslav Lichvar :
> On Tue, Sep 05,
On Tue, Sep 05, 2023 at 04:33:11PM +0300, CpServiceSPb wrote:
> > That would make more sense for security. However, it's not a simple thing
> > to implement as peer associations use the server sockets too, so there
> > would need to be some code selecting the right socket.
> Maybe it is worth
> It makes no difference. These settings are about ARP
> (L2->L3 translation) and multiple interfaces in the
> same network.
So strange. I thought that it was for multiple interfaces ...
> That would make more sense for security. However, it's not a simple thing
> to implement as peer associations
On Tue, Sep 05, 2023 at 03:44:35PM +0300, CpServiceSPb wrote:
> Due to Weak ES mode in Linux OSes, please remake a test but change a little
> bit test conditions:
> When aiming for Strong ES Model in Linux, you'll first need these sysctl
> settings:
> net.ipv4.conf.all.arp_filter=1
>
As I found out unfortunately we are both right.
But I am right for BSD and Vista+ OSes, you are right for Linux OSes.
I am talking about Weak and Strong ES modes.
Due to Weak ES mode in Linux OSes, please remake a test but change a little
bit test conditions:
When aiming for Strong ES Model in
Maybe multiple binddevice instead for the specified purpose ?
Tue, 5 Sep 2023 at 15:17, CpServiceSPb :
> I don't understand how packets are thrown between interfaces with IP
> forwarding off.
> Maybe nevertheless there is 0.0.0.0 binding.
>
>
> Tue, 5 Sep 2023 at 15:10, CpServiceSPb :
I don't understand how packets are thrown between interfaces with IP
forwarding off.
Maybe nevertheless there is 0.0.0.0 binding.
Tue, 5 Sep 2023 at 15:10, CpServiceSPb :
> As you added the functionality, can you send this version ?
> I will test as well on my own.
>
>
> Tue, 5 Sep 2023
As you added the functionality, can you send this version ?
I will test as well on my own.
Tue, 5 Sep 2023 at 13:54, Miroslav Lichvar :
> On Thu, Aug 31, 2023 at 12:06:35AM +0300, CpServiceSPb wrote:
> > I may be wrong but as I understand that binding to an address is almost
> the
> > same
On Thu, Aug 31, 2023 at 12:06:35AM +0300, CpServiceSPb wrote:
> I may be wrong but as I understand that binding to an address is almost the
> same as binding to an interface.
I think those are two different things. In chrony there is the
binddevice directive for binding to a device. It can be
Hi.
Any new information regarding adding functionality specified by the topic ?
Thu, 31 Aug 2023 at 00:06, CpServiceSPb :
> Each opened (listening) socket in the system is a potential vulnerability.
>
> I may be wrong but as I understand that binding to an address is almost
> the same as
Each opened (listening) socket in the system is a potential vulnerability.
I may be wrong but as I understand that binding to an address is almost the
same as binding to an interface.
Maybe I am wrong, again.
And it means that an appropriate opened socket will receive packets
only from the
On Wed, Aug 30, 2023 at 12:49:34PM +0300, CpServiceSPb wrote:
> > Why is it not good? Is it meant to be a security measure? Would firewall
> > not work better?
> There are sockets in a system.
> Sometimes a firewall can pass packets due to its malfunction or not
> accurate settings.
> If there are
> Why is it not good? Is it meant to be a security measure? Would firewall
> not work better?
There are sockets in a system.
Sometimes a firewall can pass packets due to its malfunction or not
accurate settings.
If there are no extra sockets it is much much better for security.
> For compatibility
On Wed, Aug 30, 2023 at 10:19:56AM +0300, CpServiceSPb wrote:
> There are some multihomed computers which have several network interfaces,
> for example lan, wifi1, wifi2, dmz, wan.
> At the moment chrony is bound either to the 0.0.0.0 address, which means "
> listen on every available network