Tim Shoppa wrote:
>
> Maybe I'm just a networking dinosaur, but why a router or firewall
> would even want to do connection tracking on a connectionless
> protocol like NTP over UDP is beyond me.
>

The "problem" is that most home routers are NA(P)T routers. It has even become so bad that getting a system connected transparently to an ADSL line is becoming a real problem. For example, here in the Netherlands all ADSL lines are delivered with a free Thomson/Alcatel SpeedTouch modem/router.

The old versions of this device (up to v4 of the hardware) could be tweaked to transparently bridge the PPP over ATM connection to a single system connected to the ethernet port. So, on my system one of my ethernet cards has my external IP address configured as its address, and my (old) SpeedTouch transparently bridges this to PPPoATM. No routing, no NAT.

Newer versions (v5 and upwards) can no longer do this. The ethernet side operates a DHCP server and your systems get a dynamic address. All Internet traffic is NAT-translated between the outside address and your internally used address. Via some trickery you can arrange that your internal system gets the same address as your external line, but then the NAT engine is *still* between them, translating everything 1:1 but needlessly keeping all its connection tables. For NTP service you would map the incoming packets to port 123 to the internal system, and the router (needlessly) keeps a "session" for each external system sending a packet to you and your reply back, and then keeps that for some small amount of time. This table will overflow, and the router will malfunction no matter what when you put heavy traffic through it or use IPsec.

I have tried really hard to get this issue registered at the Thomson helpdesk, and they patiently listen but only suggest all kinds of methods (via the GUI or the command-line interface) that finally result in the 1:1 NAT being present. This makes all new Thomson devices essentially useless except for the typical home with 1-4 Windows PCs surfing the Internet, which is of course their biggest audience. I never heard anything back on a request to put back the old bridging.

I have looked many times, but I still have not found a worthy replacement for the old line of Thomson/Alcatel modems (SpeedTouch Home, 510, 516, 546) in their old (v4 and before) hardware versions. Everything on sale now is a NAT router; bare ADSL modems are a thing of the past, it seems.

Other manufacturers usually have similar issues. Even the routers based on Linux do. This makes a sturdy NTP server a little hard to do. Although on a Linux-based router it could of course be run on the router itself and hopefully avoid the problem, at least when connection tracking is not used for that UDP port (of course it is useless).

Rob

_______________________________________________
timekeepers mailing list
[email protected]
https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
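As an added example (not part of Rob's post or anything from the timekeepers list), here is a shell script for the Linux-router case he mentions: it exempts UDP port 123 from netfilter connection tracking via the raw table's CT --notrack target, so NTP clients no longer consume conntrack entries, and adds the explicit filter rules that untracked packets then need. It assumes a router running iptables with the raw table available and the NTP daemon running on the router itself.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: keep NTP (UDP/123) out of
# the Linux router's conntrack table. Rules in the "raw" table run before
# conntrack sees a packet, so CT --notrack stops an entry being created.
# Assumptions: iptables with the raw table, and the NTP daemon on this
# router (replies leave through OUTPUT, queries arrive through PREROUTING).

NTP_PORT=123

# Print the rules rather than applying them, so they can be reviewed
# (the "apply" argument below pipes them into sh).
ntp_notrack_rules() {
    cat <<EOF
iptables -t raw -A PREROUTING -p udp --dport ${NTP_PORT} -j CT --notrack
iptables -t raw -A OUTPUT -p udp --sport ${NTP_PORT} -j CT --notrack
EOF
}

# Untracked packets never match ESTABLISHED/RELATED, so a stateful filter
# chain that accepts only tracked flows must accept NTP explicitly (or
# match --ctstate UNTRACKED) ahead of its default drop.
ntp_filter_rules() {
    cat <<EOF
iptables -A INPUT -p udp --dport ${NTP_PORT} -j ACCEPT
iptables -A OUTPUT -p udp --sport ${NTP_PORT} -j ACCEPT
EOF
}

# Show current table usage against its limit, to confirm afterwards that
# a busy NTP service no longer drives the count towards nf_conntrack_max.
conntrack_usage() {
    printf 'conntrack entries: %s / max %s\n' \
        "$(cat /proc/sys/net/netfilter/nf_conntrack_count 2>/dev/null || echo '?')" \
        "$(cat /proc/sys/net/netfilter/nf_conntrack_max 2>/dev/null || echo '?')"
}

if [ "${1:-}" = "apply" ]; then
    { ntp_notrack_rules; ntp_filter_rules; } | sh -e
    conntrack_usage
else
    ntp_notrack_rules
    ntp_filter_rules
fi
```

Run it with no argument to review the generated rules; run it as root with `apply` to install them and print the conntrack count.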
