On Mon, Jun 06, 2011 at 10:14:03PM +0100, Christopher Slater-Walker wrote:
On 6 Jun 2011, at 20:41, Chuck Swiger wrote:
You almost certainly don't want to be implementing stateful rules for NTP
traffic; you'll fill up the state table with lots of entries for no
benefit, as UDP isn't
Richard Braun wrote:
On Mon, Jun 06, 2011 at 10:14:03PM +0100, Christopher Slater-Walker wrote:
On 6 Jun 2011, at 20:41, Chuck Swiger wrote:
You almost certainly don't want to be implementing stateful rules for NTP
traffic; you'll fill up the state table with lots of entries for no
On Jun 9, 2011, at 9:20 AM, Rob Janssen wrote:
[ ... ]
But this discussion was about a monitoring system that sends NTP requests
from high-numbered ports to port 123 on a distant server.
It certainly makes sense to use a connection tracking firewall on such a
system, because if you want to
On 06/06/11 16:11, Vincent Schonau wrote:
I see the same thing; it seems the monitor probe is not getting some of my
return packets.
Comparing the timestamps in the below tcpdump with those in the monitor CSV,
I'm pretty sure I do see and respond to all requests, but some of my responses
are
It all seems to be working for me now. I'm seeing regular monitoring packets
coming in, and my score in the beta system is 14.6.
--ChrisSW
On 6 Jun 2011, at 19:55, Anssi Johansson wrote:
Ask Bjørn Hansen wrote:
On Jun 6, 2011, at 7:06, Koen Martens g...@sonologic.nl wrote:
I just tried
I don't know how ip6tables works, but most (all?) commercial firewalls I've
worked with - which means Cisco and Checkpoint - maintain a connection in the
connection table for UDP for a set period of time. Exactly how long that is, I
can't actually remember right now. This is really a necessity
On Jun 6, 2011, at 2:14 PM, Christopher Slater-Walker wrote:
I don't know how ip6tables works, but most (all?) commercial firewalls I've
worked with - which means Cisco and Checkpoint - maintain a connection in the
connection table for UDP for a set period of time.
They _can_ maintain UDP
OK, I get it now...!
That was a good explanation. Never having run a high-volume NTP server myself,
I had not considered those facts.
--ChrisSW
On 8 Jun 2011, at 16:19, Richard Braun wrote:
On Mon, Jun 06, 2011 at 10:14:03PM +0100, Christopher Slater-Walker wrote:
On 6 Jun 2011, at 20:41,
When it shows an unsuccessful poll, I don't see a query at that time,
but I do typically see a couple of others at about the relevant time,
perhaps 4 - 6 seconds apart. These ones don't appear in the monitor log.
The most likely explanation is routing glitches. I'd try to establish
a
On 08/06/11 19:43, Martin v. Löwis wrote:
When it shows an unsuccessful poll, I don't see a query at that time,
but I do typically see a couple of others at about the relevant time,
perhaps 4 - 6 seconds apart. These ones don't appear in the monitor log.
The most likely explanation is routing
On Jun 7, 2011, at 1:51 AM, Rob Janssen wrote:
You almost certainly don't want to be implementing stateful rules for NTP
traffic; you'll fill up the state table with lots of entries for no benefit,
as UDP isn't stateful.
Just pass UDP 123 and ephemeral high ports in both directions.
On Mon, 6 Jun 2011 04:03:42 -0700, Ask Bjørn Hansen a...@develooper.com
wrote:
The system running http://www.beta.grundclock.com/ is now monitoring the
IPv6 servers. If you added one, please have a look!
I'm currently seeing about every other query packet getting no response
and thus my score
On 06.06.2011 at 14:46, John Winters wrote:
On Mon, 6 Jun 2011 04:03:42 -0700, Ask Bjørn Hansen a...@develooper.com
wrote:
The system running http://www.beta.grundclock.com/ is now monitoring the
IPv6 servers. If you added one, please have a look!
I'm currently seeing about every other
On 06.06.2011 14:46, John Winters wrote:
On Mon, 6 Jun 2011 04:03:42 -0700, Ask Bjørn Hansen a...@develooper.com
wrote:
The system running http://www.beta.grundclock.com/ is now monitoring the
IPv6 servers. If you added one, please have a look!
I'm currently seeing about every other query
On Mon, Jun 06, 2011 at 03:20:14PM +0200, Peter Hessler wrote:
On 2011 Jun 06 (Mon) at 13:46:43 +0100 (+0100), John Winters wrote:
:I'm currently seeing about every other query packet getting no response
:and thus my score (after a brief flirtation
Same here on two different servers, both with native IPv6 connections. The
scores were up to -15.0 but are now back to -30.0.
--Tilman
On 06.06.2011 at 15:20, Peter Hessler wrote:
On 2011 Jun 06 (Mon) at 13:46:43 +0100 (+0100), John Winters wrote:
:On Mon, 6 Jun 2011 04:03:42 -0700, Ask
I see the same thing; it seems the monitor probe is not getting some of my
return packets.
Comparing the timestamps in the below tcpdump with those in the monitor CSV,
I'm pretty sure I do see and respond to all requests, but some of my responses
are getting lost or ignored.
V.
--
John Winters wrote:
On Mon, 6 Jun 2011 04:03:42 -0700, Ask Bjørn Hansen a...@develooper.com
wrote:
The system running http://www.beta.grundclock.com/ is now monitoring the
IPv6 servers. If you added one, please have a look!
I'm currently seeing about every other query packet getting no
On 06/06/11 16:11, Vincent Schonau wrote:
I see the same thing; it seems the monitor probe is not getting some of my
return packets.
Comparing the timestamps in the below tcpdump with those in the monitor CSV,
I'm pretty sure I do see and respond to all requests, but some of my responses
are
Ask Bjørn Hansen wrote:
On Jun 6, 2011, at 7:06, Koen Martens g...@sonologic.nl wrote:
I just tried adding my server to the beta pool (it's on ipv6), but the beta
server claims not to get a response. tcpdump does show me an incoming ntp
packet as well as an outgoing packet in reply.
On Jun 6, 2011, at 5:46, John Winters wrote:
On Mon, 6 Jun 2011 04:03:42 -0700, Ask Bjørn Hansen a...@develooper.com
wrote:
The system running http://www.beta.grundclock.com/ is now monitoring the
IPv6 servers. If you added one, please have a look!
I'm currently seeing about every other
On Jun 6, 2011, at 10:39 AM, Ask Bjørn Hansen wrote:
ip6tables on Linux doesn't seem to have state tracking and it appears I
messed up the firewall rules a bit. I realized it last night actually as I
was going to bed, but it was already crazy o'clock. I will get them fixed
within an hour
On Jun 6, 2011, at 11:55, Anssi Johansson wrote:
ip6tables on Linux doesn't seem to have state tracking and it appears I
messed up the firewall rules a bit. I realized it last night actually as I
was going to bed, but it was already crazy o'clock. I will get them fixed
within an hour