On Wednesday 24 April 2002 11:11 pm, [EMAIL PROTECTED] wrote:
> On Wed, Apr 24, 2002 at 11:04:01PM -0700, Ryan wrote:
> > The following seems to be happening...
> >
> > Connections to a UDP server on nat work fine both ways.
> >
> > Connections to a UDP server on bob only work for sending data to bob.
> >
> > In tcpdump, I see nat telling bob that the UDP port is unreachable, yet
> > bob has no firewall.
> >
> > Very odd.....
>
> Can you paste a 10 line tcpdump log showing this event?

23:18:56.151057 bob.ntp > nat.ntp: [udp sum ok] v4 client strat 0 poll 4 prec -6 dist 1.000000 disp 1.000000 ref (unspec)@0.000000000 orig 0.000000000 rec -0.000000000 xmt -1066262965.417984008 (DF) (ttl 64, id 0, len 76)
23:18:56.151341 nat > bob: icmp: nat udp port ntp unreachable for bob.ntp > nat.ntp: v4 client strat 0 poll 4 prec -6 dist 1.000000 disp 1.000000 ref (unspec)@0.000000000 [|ntp] (DF) (ttl 64, id 0, len 76) [tos 0xc0] (ttl 255, id 20476, len 104)
[repeated 3 times]

> A little background:
> nat is the NAT/firewall/NTP machine,
> bob is the client.
> If not correct, please explain.

Yes, correct. nat's main job is to do NAT and firewall stuff.

> > On Wednesday 24 April 2002 10:51 pm, [EMAIL PROTECTED] wrote:
> > > On Wed, Apr 24, 2002 at 10:26:13PM -0700, Ryan wrote:
> > > > On Wednesday 24 April 2002 10:04 pm, [EMAIL PROTECTED] wrote:
> > > > > Something is preventing port 123 UDP packets from going between
> > > > > bob and nat; you can see packets being transmitted and no reply. It
> > > > > could also be that your ntpd is configured to not accept
> > > > > connections from bob.
> > > >
> > > > This can now be blamed on firewall rules.
> > >
> > > Something doesn't look right about this...
> > >
> > > Both ntpq and ntpdate create the same type of UDP based socket;
> > > running from the same machine, one of them gets replies and the other
> > > does not (the packets are different sizes). It is true that some
> > > length based firewall checks could be blocking the replies... but
> > > it's important to figure out what is broken before changing things,
> > > and I still don't have enough information. It could be either ntpd
> > > or the firewall, since it could as likely be server configuration
> > > (like only accepting certain client revisions).
> > >
> > > If it still doesn't work after you have fun looking through your
> > > firewall rules, install strace on the firewall and run the trace
> > > requested below. If you can't use "apt-get install strace" then
> > > remember it is simply one big executable: scp it to the firewall
> > > from a similar machine and just run the binary from /tmp, then
> > > nuke it.

_______________________________________________
vox-tech mailing list
[EMAIL PROTECTED]
http://lists.lugod.org/mailman/listinfo/vox-tech
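The key evidence in the thread is the second tcpdump line: the ICMP "udp port ntp unreachable" is sent by nat itself, the very host bob addressed, which means the datagram did arrive at nat and nat's own stack (no socket bound to UDP/123) or a firewall REJECT rule (as opposed to a silent DROP) answered it. The script below is an added example, not code from any of the posters: it parses tcpdump text in the format pasted above, pairs each ICMP port-unreachable with the UDP datagram it quotes, and states who refused what. The sample input reuses the thread's two packets (abridged) plus one constructed, normal NTP reply; the reading of the poster's "[repeated 3 times]" annotation as three more copies is an assumption.

```python
"""Summarize ICMP 'udp port unreachable' events in tcpdump text output.

Added example for the vox-tech thread above; not code from the original
posts. It pulls each ICMP port-unreachable line out of tcpdump output,
together with the UDP datagram it quotes, and explains what the sender of
the ICMP error implies about where the UDP traffic was refused.
"""
import re
from typing import Dict, List

# Format printed by the tcpdump version used in the thread:
#   <ts> <sender> > <receiver>: icmp: <host> udp port <port> unreachable for
#       <src>.<sport> > <dst>.<dport>: ...
ICMP_UNREACH = re.compile(
    r"^(?P<ts>\S+)\s+(?P<sender>\S+)\s+>\s+(?P<receiver>\S+):\s+icmp:\s+"
    r"(?P<host>\S+)\s+udp\s+port\s+(?P<port>[\w-]+)\s+unreachable\s+for\s+"
    r"(?P<src>\S+?)\.(?P<sport>[\w-]+)\s+>\s+(?P<dst>\S+?)\.(?P<dport>[\w-]+):"
)
# The poster's "[repeated N times]" annotation; assumed to mean N more
# copies of the preceding line.
REPEATED = re.compile(r"^\[repeated\s+(\d+)\s+times\]$")

# Constructed sample: the first three lines are the thread's capture
# (abridged), the last is a made-up normal reply that must yield no finding.
SAMPLE = """\
23:18:56.151057 bob.ntp > nat.ntp: [udp sum ok] v4 client strat 0 poll 4 prec -6 (DF) (ttl 64, id 0, len 76)
23:18:56.151341 nat > bob: icmp: nat udp port ntp unreachable for bob.ntp > nat.ntp: v4 client strat 0 poll 4 [|ntp] (DF) (ttl 64, id 0, len 76) [tos 0xc0] (ttl 255, id 20476, len 104)
[repeated 3 times]
23:19:01.000000 nat.ntp > bob.ntp: [udp sum ok] v4 server strat 2 poll 4 prec -6 (DF) (ttl 64, id 0, len 76)
"""


def parse_unreachables(text: str) -> List[Dict[str, object]]:
    """Return one finding per ICMP port-unreachable line, with repeat counts."""
    findings: List[Dict[str, object]] = []
    for line in text.splitlines():
        line = line.strip()
        m = ICMP_UNREACH.match(line)
        if m:
            findings.append({
                "time": m["ts"],
                "rejected_by": m["sender"],          # host that sent the ICMP error
                "for": f"{m['src']}.{m['sport']} > {m['dst']}.{m['dport']}",
                "dst": m["dst"],                     # where the UDP datagram was going
                "port": m["port"],
                "count": 1,
            })
            continue
        r = REPEATED.match(line)
        if r and findings:
            findings[-1]["count"] += int(r.group(1))
    return findings


def explain(finding: Dict[str, object]) -> str:
    """Say what an ICMP port unreachable from this particular sender implies."""
    who, dst, port = finding["rejected_by"], finding["dst"], finding["port"]
    if who == dst:
        # The destination itself answered: the datagram reached it, and either
        # nothing is bound to that UDP port or a firewall REJECT rule replied
        # with icmp-port-unreachable. A DROP rule would produce no ICMP at all,
        # only an unanswered request in the capture.
        return (f"{who} itself refused UDP port {port}: no listener on that port "
                f"or a REJECT rule (not a DROP) on {who}")
    return (f"{who} reported UDP port {port} on {dst} unreachable on behalf of "
            f"another host; check routing/NAT between them")


def report(text: str = SAMPLE) -> List[str]:
    """One human-readable line per finding."""
    return [f"{f['time']} {f['for']} x{f['count']}: {explain(f)}"
            for f in parse_unreachables(text)]


if __name__ == "__main__":
    for line in report():
        print(line)
```

Run it against a real capture with `tcpdump -n -vv udp port 123 or icmp` saved to a file and pass the text to `report()`; a finding whose `rejected_by` equals `dst`, as here, points at the NTP host's own port binding or REJECT rules rather than at the client, which is what the "bob has no firewall" observation in the thread is consistent with.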
