From owner-freebsd-questions@FreeBSD.ORG Thu Jan 22 01:21:58 2004
From: "Edward Aronyk"
To: freebsd-questions@freebsd.org
Date: Thu, 22 Jan 2004 02:21:56 -0700
Message-Id: <20040122092131.2CAD461542@boudica.360i.ca>
Subject: NTP doesn't work behind IPF firewall?

Good day all,

I'm attempting to set up NTP on two FreeBSD servers. To maximize security, I have configured NTP to only synchronize itself from a few other servers, and not offer NTP to other servers. The server runs IPF, which also blocks access to NTP.

The problem is, the servers don't seem to update the time at all. I know ntp is running because it updates the driftfile, and ps shows it's active:

# ps -aux | grep ntp
root     81  0.0  0.2  1328  960  ??  Ss    9Jan04   1:06.65 /usr/sbin/ntpd -p /var/run/ntpd.pid
root     83  0.0  0.2  1364  992  ??  S     9Jan04   0:15.67 /usr/sbin/ntpd -p /var/run/ntpd.pid
root  47532  0.0  0.0   304  164  p0  R+    2:14AM   0:00.00 grep ntp

I can't seem to connect to it locally, however:

# ntpq -p
127.0.0.1: timed out, nothing received
***Request timed out

It is properly started from rc.conf:

# cat /etc/rc.conf | grep ntp
xntpd_enable="YES"

And it does seem to be started during bootup:

# cat /var/log/messages | grep ntp
Jan  4 01:27:43 boudica /kernel: IOAPIC #0 intpin 2 -> irq 0
Jan  4 01:27:43 boudica /kernel: APIC_IO: routing 8254 via IOAPIC #0 intpin 2
Jan  4 01:27:43 boudica ntpd[82]: ntpd 4.1.0-a Mon Oct 13 17:59:47 MDT 2003 (1)
Jan  4 01:27:43 boudica ntpd[82]: kernel time discipline status 2040
Jan  9 20:51:21 boudica /kernel: IOAPIC #0 intpin 2 -> irq 0
Jan  9 20:51:21 boudica /kernel: APIC_IO: routing 8254 via IOAPIC #0 intpin 2
Jan  9 20:51:21 boudica ntpd[81]: ntpd 4.1.0-a Mon Oct 13 17:59:47 MDT 2003 (1)
Jan  9 20:51:21 boudica ntpd[81]: kernel time discipline status 2040

Does anyone have any advice? I'd prefer to leave the NTP port closed if possible. This problem is present for me on both FreeBSD 4.8 and 5.1. I have included my NTP configuration and IPF ruleset below in case it helps anyone.

---ntp.conf---
# cat /etc/ntp.conf
server subitaneous.cpsc.ucalgary.ca prefer
server tick.mit.edu
server ntp1.cmc.ec.gc.ca
server ntp2.cmc.ec.gc.ca
server clock1.unc.edu
driftfile /etc/ntp.drift
restrict default ignore

---ntp.drift---
# cat /etc/ntp.drift
0.000

---ipf.rules---
# cat /etc/ipf.rules
# Default deny
block in on fxp0

# Pass in and out on loopback
pass in quick on lo0
pass out quick on lo0

# Anti-spoofing
block in quick on fxp0 from 192.168.0.0/16 to any
block in quick on fxp0 from 172.16.0.0/12 to any
block in quick on fxp0 from 10.0.0.0/8 to any
block in quick on fxp0 from 127.0.0.1/8 to any
block in quick on fxp0 from 0.0.0.0/8 to any

# Allow certain useful ICMP packets
pass in quick on fxp0 proto icmp from any to any icmp-type 0
pass in quick on fxp0 proto icmp from any to any icmp-type 8
pass in quick on fxp0 proto icmp from any to any icmp-type 11
block in log quick on fxp0 proto icmp from any to any

# Allow outbound connections
pass out quick on fxp0 proto tcp/udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state

# Allow inbound useful packets
pass in quick on fxp0 proto tcp from any to any port = 22 flags S keep state keep frags   # SSH
pass in quick on fxp0 proto tcp from any to any port = 25 flags S keep state keep frags   # SMTP
pass in quick on fxp0 proto tcp from any to any port = 80 flags S keep state keep frags   # HTTP
pass in quick on fxp0 proto tcp from any to any port = 110 flags S keep state keep frags  # POP
pass in quick on fxp0 proto tcp from any to any port = 143 flags S keep state keep frags  # IMAP
pass in quick on fxp0 proto tcp from any to any port = 993 flags S keep state keep frags  # IMAP/SSL

Thanks for your time,

Edward Aronyk
ed@360i.ca
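Added editorial example, not part of the original message or any list reply: ntpd applies its restrict list to every incoming packet, including the replies from the servers named in `server` lines, so `restrict default ignore` with no exceptions silently discards both the upstream answers and the local `ntpq -p` query. The fragment below places the posted setting beside a corrected one that keeps the default deny; the addresses 192.0.2.10 and 192.0.2.11 are constructed placeholders for the resolved IPs of the poster's upstream servers, and only two of the five servers are shown.

```conf
# /etc/ntp.conf -- constructed illustration, not the poster's file.
# The restrict list is consulted for EVERY inbound packet, replies included.
#
# Posted setting, which is why nothing ever syncs and ntpq times out:
#
#   restrict default ignore        # drops server replies AND local ntpq queries
#
# Corrected version: keep the default deny, then open exceptions only for
# the hosts this daemon must hear from.

server 192.0.2.10 prefer           # placeholder for subitaneous.cpsc.ucalgary.ca
server 192.0.2.11                  # placeholder for tick.mit.edu
driftfile /etc/ntp.drift

# Deny everything by default, including ntpq/ntpdc queries from anywhere.
restrict default ignore

# Accept time replies from each configured server, while refusing to let
# that server query this daemon, modify its state, or install a trap.
restrict 192.0.2.10 nomodify notrap noquery
restrict 192.0.2.11 nomodify notrap noquery

# Permit local monitoring with "ntpq -p" over the loopback address only.
restrict 127.0.0.1
```

No inbound IPF rule for UDP port 123 is required: the posted `pass out quick on fxp0 proto tcp/udp from any to any keep state` rule creates a state entry for each outgoing poll, which admits only the matching reply, so the port stays closed to unsolicited traffic.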