Re: NTP doesn't work behind IPF firewall?

2004-01-22 Thread Ed Budd
On Thu, 22 Jan 2004 02:21:56 -0700
"Edward Aronyk" <[EMAIL PROTECTED]> wrote:

> Good day all,
> 
> I'm attempting to set up NTP on two FreeBSD servers. To maximize
> security, I have configured NTP to only synchronize itself from a few
> other servers, and not offer NTP to other servers. The server runs
> IPF, which also blocks access to NTP. The problem is, the servers
> don't seem to update the time at all. I know ntp is running because it
> updates the driftfile, and ps shows it's active:
> 
> # ps -aux | grep ntp
> root      81  0.0  0.2  1328  960  ??  Ss    9Jan04   1:06.65 /usr/sbin/ntpd -p /var/run/ntpd.pid
> root      83  0.0  0.2  1364  992  ??  S     9Jan04   0:15.67 /usr/sbin/ntpd -p /var/run/ntpd.pid
> root   47532  0.0  0.0   304  164  p0  R+    2:14AM   0:00.00 grep ntp
> 
> I can't seem to connect to it locally, however:
> 
> # ntpq -p
> 127.0.0.1: timed out, nothing received
> ***Request timed out
> 
> It is properly started from rc.conf:
> 
> # cat /etc/rc.conf | grep ntp
> xntpd_enable="YES"
> 
> And it does seem to be started during bootup:
> 
> # cat /var/log/messages | grep ntp
> Jan  4 01:27:43 boudica /kernel: IOAPIC #0 intpin 2 -> irq 0
> Jan  4 01:27:43 boudica /kernel: APIC_IO: routing 8254 via IOAPIC #0 intpin 2
> Jan  4 01:27:43 boudica ntpd[82]: ntpd 4.1.0-a Mon Oct 13 17:59:47 MDT 2003(1)
> Jan  4 01:27:43 boudica ntpd[82]: kernel time discipline status 2040
> Jan  9 20:51:21 boudica /kernel: IOAPIC #0 intpin 2 -> irq 0
> Jan  9 20:51:21 boudica /kernel: APIC_IO: routing 8254 via IOAPIC #0 intpin 2
> Jan  9 20:51:21 boudica ntpd[81]: ntpd 4.1.0-a Mon Oct 13 17:59:47 MDT 2003(1)
> Jan  9 20:51:21 boudica ntpd[81]: kernel time discipline status 2040
> 
> Does anyone have any advice? I'd prefer to leave the NTP port closed
> if possible. This problem is present for me on both FreeBSD 4.8 and
> 5.1. I have included my NTP configuration and IPF ruleset below in case
> it helps anyone.
> 
> ---ntp.conf---
> # cat /etc/ntp.conf
> server subitaneous.cpsc.ucalgary.ca prefer
> server tick.mit.edu
> server ntp1.cmc.ec.gc.ca
> server ntp2.cmc.ec.gc.ca
> server clock1.unc.edu
> 
> driftfile /etc/ntp.drift
> 
> restrict default ignore
> 
> ---ntp.drift---
> # cat /etc/ntp.drift
> 0.000
> 
> ---ipf.rules---
> # cat /etc/ipf.rules
> # Default deny
> block in on fxp0
> 
> # Pass in and out on loopback
> pass in quick on lo0
> pass out quick on lo0
> 
> # Anti-spoofing
> block in quick on fxp0 from 192.168.0.0/16 to any
> block in quick on fxp0 from 172.16.0.0/12 to any
> block in quick on fxp0 from 10.0.0.0/8 to any
> block in quick on fxp0 from 127.0.0.1/8 to any
> block in quick on fxp0 from 0.0.0.0/8 to any
> 
> # Allow certain useful ICMP packets
> pass in quick on fxp0 proto icmp from any to any icmp-type 0
> pass in quick on fxp0 proto icmp from any to any icmp-type 8
> pass in quick on fxp0 proto icmp from any to any icmp-type 11
> block in log quick on fxp0 proto icmp from any to any
> 
> # Allow outbound connections
> pass out quick on fxp0 proto tcp/udp from any to any keep state
> pass out quick on fxp0 proto icmp from any to any keep state
> 
> # Allow inbound useful packets
> pass in quick on fxp0 proto tcp from any to any port = 22 flags S keep state keep frags # SSH
> pass in quick on fxp0 proto tcp from any to any port = 25 flags S keep state keep frags # SMTP
> pass in quick on fxp0 proto tcp from any to any port = 80 flags S keep state keep frags # HTTP
> pass in quick on fxp0 proto tcp from any to any port = 110 flags S keep state keep frags # POP
> pass in quick on fxp0 proto tcp from any to any port = 143 flags S keep state keep frags # IMAP
> pass in quick on fxp0 proto tcp from any to any port = 993 flags S keep state keep frags # IMAP/SSL
> 
> 
> 
> Thanks for your time,
> Edward Aronyk
> [EMAIL PROTECTED]
> 
> ___
> [EMAIL PROTECTED] mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "[EMAIL PROTECTED]"

Hi,

Not 100% sure on this but I think you need to include the loopback in
your server list in ntp.conf, especially since you're specifying
default ignore:

server 127.0.0.1

Cheers,
EB

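An added example, not something posted in this thread: the ntp.conf printed below is the posted one with the exceptions that "restrict default ignore" needs. The ignore flag drops packets of every kind, so on its own it also throws away the replies from the five listed servers and the queries from 127.0.0.1, which is why "ntpq -p" times out; the helper that ntpd 4.1 forks at startup to resolve the server names hands its results back to the daemon over the loopback and is cut off the same way. The posted ipf.rules needs no change for this, since the outbound "keep state" rule already admits each server's reply. The restrict lines use the hostnames from the post, which ntpd resolves once when it starts. The second function is a small lint that reads an ntp.conf on stdin and flags exactly this configuration, so it can be run against /etc/ntp.conf before restarting ntpd.

```sh
#!/bin/sh
# Added example for this thread, not code posted by anyone in it.
# corrected_ntp_conf prints the poster's ntp.conf with the restrict
# exceptions that "restrict default ignore" needs; lint_ntp_conf reads an
# ntp.conf on stdin and reports the mistake the posted one has.
# Assumptions: the server names are those from the post, and restrict
# lines may name hosts (ntpd resolves them once at startup).

corrected_ntp_conf() {
    cat <<'EOF'
server subitaneous.cpsc.ucalgary.ca prefer
server tick.mit.edu
server ntp1.cmc.ec.gc.ca
server ntp2.cmc.ec.gc.ca
server clock1.unc.edu

driftfile /etc/ntp.drift

# Drop every packet by default: no time service, no ntpq/ntpdc, no traps.
restrict default ignore

# Accept time replies from the configured servers only; they still may
# not query, modify or set traps on this daemon.
restrict subitaneous.cpsc.ucalgary.ca nomodify notrap noquery
restrict tick.mit.edu nomodify notrap noquery
restrict ntp1.cmc.ec.gc.ca nomodify notrap noquery
restrict ntp2.cmc.ec.gc.ca nomodify notrap noquery
restrict clock1.unc.edu nomodify notrap noquery

# Loopback must not be ignored, or "ntpq -p" and the name-resolver
# helper that ntpd forks at startup both time out against 127.0.0.1.
restrict 127.0.0.1
EOF
}

# Exit 0 if the config on stdin is usable, 1 otherwise, printing one line
# per problem. This lint only checks the "restrict default ignore" case:
# every "server" host and 127.0.0.1 must have a restrict line without ignore.
lint_ntp_conf() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }
    $1 == "server" { servers[$2] = 1 }
    $1 == "restrict" {
        ignored = 0
        for (i = 3; i <= NF; i++)
            if ($i == "ignore") ignored = 1
        if ($2 == "default")
            default_ignored = ignored
        else if (!ignored)
            allowed[$2] = 1
    }
    END {
        bad = 0
        if (default_ignored) {
            for (s in servers)
                if (!(s in allowed)) {
                    print "server " s ": no restrict line, its replies will be ignored"
                    bad = 1
                }
            if (!("127.0.0.1" in allowed)) {
                print "127.0.0.1 is ignored: ntpq and the resolver helper cannot reach ntpd"
                bad = 1
            }
        }
        exit bad
    }'
}

# Typical use on the affected host:
#   corrected_ntp_conf > /etc/ntp.conf.new   # review, then move into place
#   lint_ntp_conf < /etc/ntp.conf            # check the file currently in use
```

The restrict flags on the server lines are deliberately the narrow set: nomodify, notrap and noquery leave ordinary time packets through but keep those hosts from querying or reconfiguring the daemon, which is the "sync from a few servers, serve nobody" policy the original post asks for.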


RE: NTP doesn't work behind IPF firewall?

2004-01-22 Thread Scott Mitchell
[EMAIL PROTECTED] wrote:
> If I kill both ntpd processes so the socket is no longer in use, I can
> manually set the time with ntpdate. I can't figure out why two ntpd
> processes get spawned - it's like that on both servers, and even after a
> reboot both appear again...
> 
> EA

Most odd.  What happens if you set xntpd_enable="NO" in rc.conf?  Do you
still end up with an ntpd process running after a reboot?

On the plus side, it looks as though your firewall is fine.

Scott



RE: NTP doesn't work behind IPF firewall?

2004-01-22 Thread Edward Aronyk
If I kill both ntpd processes so the socket is no longer in use, I can
manually set the time with ntpdate. I can't figure out why two ntpd
processes get spawned - it's like that on both servers, and even after a
reboot both appear again...

EA

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Scott Mitchell
Sent: Thursday, January 22, 2004 2:42 AM
To: 'Edward Aronyk'; [EMAIL PROTECTED]
Subject: RE: NTP doesn't work behind IPF firewall?

[EMAIL PROTECTED] wrote:
> I know ntp is running because it updates the driftfile,
> and ps shows it's active:
> 
> # ps -aux | grep ntp
> root      81  0.0  0.2  1328  960  ??  Ss    9Jan04   1:06.65 /usr/sbin/ntpd -p /var/run/ntpd.pid
> root      83  0.0  0.2  1364  992  ??  S     9Jan04   0:15.67 /usr/sbin/ntpd -p /var/run/ntpd.pid
> root   47532  0.0  0.0   304  164  p0  R+    2:14AM   0:00.00 grep ntp

I'm not sure why you have 2 ntpd processes running there - I only ever see
one:

(505) llama:~ $ ps uaxww | grep ntpd
root 77934  0.0  0.2  1312  900  ??  Ss   Sun04pm   0:12.45
/usr/sbin/ntpd -p /var/run/ntpd.pid

I'd suggest killing both of those ntpd processes and starting it up again.
Actually, before restarting, try manually synchronising with one of your
servers, eg:

# ntpdate subitaneous.cpsc.ucalgary.ca

That will at least tell you that you can talk NTP with this server.  I
assume all the servers in your ntp.conf are public ones that your host is
allowed to use?

The firewall rules look OK, although you might want to add 'log' to your
default block rule while diagnosing a problem like this, so you'll be told
if ipf is blocking any of the packets you're interested in.

Scott



RE: NTP doesn't work behind IPF firewall?

2004-01-22 Thread Scott Mitchell
[EMAIL PROTECTED] wrote:
> I know ntp is running because it updates the driftfile,
> and ps shows it's active:
> 
> # ps -aux | grep ntp
> root      81  0.0  0.2  1328  960  ??  Ss    9Jan04   1:06.65 /usr/sbin/ntpd -p /var/run/ntpd.pid
> root      83  0.0  0.2  1364  992  ??  S     9Jan04   0:15.67 /usr/sbin/ntpd -p /var/run/ntpd.pid
> root   47532  0.0  0.0   304  164  p0  R+    2:14AM   0:00.00 grep ntp

I'm not sure why you have 2 ntpd processes running there - I only ever see
one:

(505) llama:~ $ ps uaxww | grep ntpd
root 77934  0.0  0.2  1312  900  ??  Ss   Sun04pm   0:12.45
/usr/sbin/ntpd -p /var/run/ntpd.pid

I'd suggest killing both of those ntpd processes and starting it up again.
Actually, before restarting, try manually synchronising with one of your
servers, eg:

# ntpdate subitaneous.cpsc.ucalgary.ca

That will at least tell you that you can talk NTP with this server.  I
assume all the servers in your ntp.conf are public ones that your host is
allowed to use?

The firewall rules look OK, although you might want to add 'log' to your
default block rule while diagnosing a problem like this, so you'll be told
if ipf is blocking any of the packets you're interested in.

Scott
