On 12/05/17 21:15, Roberto C. Sánchez wrote:
>
> [SNIP]
>> Chain loc-net (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>> 11685 3316K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
>> 21402 1627K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:123 /* NTP */
>>  1373  164K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
> [SNIP]
>
> It looks like you have many UDP packets pass from the loc zone to the
> net zone. Also, the log entries at the bottom of the dump output do not
> show any drops or rejects for UDP port 123. Could you induce the
> failure and run 'shorewall dump' again and then provide that output?

And there are plenty of counters that say your packets are being accepted, but no conntrack table entries to say that they've been replied to. I wonder if you have chosen NTP servers which aren't responding. Try some well-known public ones with stable IPs like time.apple.com or ntp.ubuntu.com to see whether they are responsive.

Paul

Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
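The check described in the reply above (accepted NTP packets with no conntrack entry showing a reply) can be automated; the following is an added example, not part of the original message. It assumes connection-tracking lines in the format printed by `conntrack -L` or `/proc/net/nf_conntrack`; the function names and the sample lines (documentation-range addresses) are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the style of `conntrack -L` output; not from the thread.
SAMPLE = """\
udp      17 25 src=192.168.1.10 dst=198.51.100.7 sport=41200 dport=123 [UNREPLIED] src=198.51.100.7 dst=203.0.113.5 sport=123 dport=41200 mark=0 use=1
udp      17 28 src=192.168.1.11 dst=198.51.100.7 sport=123 dport=123 [UNREPLIED] src=198.51.100.7 dst=203.0.113.5 sport=123 dport=123 mark=0 use=1
udp      17 170 src=192.168.1.10 dst=192.0.2.44 sport=50514 dport=123 src=192.0.2.44 dst=203.0.113.5 sport=123 dport=50514 [ASSURED] mark=0 use=1
udp      17 12 src=192.168.1.10 dst=192.0.2.53 sport=40000 dport=53 [UNREPLIED] src=192.0.2.53 dst=203.0.113.5 sport=53 dport=40000 mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=192.0.2.80 sport=51000 dport=443 src=192.0.2.80 dst=203.0.113.5 sport=443 dport=51000 [ASSURED] mark=0 use=1
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def ntp_reply_status(text, port=123):
    """Return {server_ip: {"replied": n, "unreplied": n}} for UDP flows to `port`."""
    stats = defaultdict(lambda: {"replied": 0, "unreplied": 0})
    for line in text.splitlines():
        tokens = line.split()
        # /proc/net/nf_conntrack prefixes "ipv4 2", so look in the first 3 tokens.
        if "udp" not in tokens[:3]:
            continue
        # Each line carries two tuples; the first one is the original direction.
        orig = {}
        for key, value in FIELD.findall(line):
            orig.setdefault(key, value)
        if orig.get("dport") != str(port):
            continue
        # The kernel marks a flow [UNREPLIED] until a packet returns for it.
        state = "unreplied" if "[UNREPLIED]" in tokens else "replied"
        stats[orig["dst"]][state] += 1
    return dict(stats)


def silent_servers(text, port=123):
    """Servers that were sent requests on `port` but never answered any of them."""
    return sorted(ip for ip, s in ntp_reply_status(text, port).items()
                  if s["replied"] == 0 and s["unreplied"] > 0)


if __name__ == "__main__":
    for ip, s in sorted(ntp_reply_status(SAMPLE).items()):
        print(f"{ip}: replied={s['replied']} unreplied={s['unreplied']}")
    print("silent:", silent_servers(SAMPLE))
```

A server listed as silent while the `loc-net` ACCEPT counter for `udp dpt:123` keeps rising points at the upstream server or return path rather than at the firewall rules.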
