From owner-freebsd-stable@FreeBSD.ORG Tue Jul 24 15:00:09 2007
From: Pete French
To: freebsd-stable@FreeBSD.ORG
Date: Tue, 24 Jul 2007 16:00:08 +0100
Subject: Re: ntpd on a NAT gateway seems to do nothing
In-Reply-To: <200707241451.l6OEpq2O014634@lurza.secnetix.de>
List-Id: Production branch of FreeBSD source code

> Note that NTP does not use TCP, but UDP. Are you sure that
> your filter rules are OK? It's certainly possible to have
> a bug in the rule set so it forwards NTP replies for the
> internal clients, but doesn't allow them to reach the ntpd
> running on the machine itself.

Yes, I discovered the UDPness of it last night and went through the
rules again. I am pretty sure they are correct (or at least I cannot
see anything wrong). I would assume that ntpdate also uses UDP - and
using that I can see all these servers?
> Another question: Do you have a dynamically assigned IP
> address? In that case ntpd needs to be restarted when a
> new address is assigned, because ntpd has the unfortunate
> habit to bind to all addresses that exist at the time it
> is started.

No, everything is static. It has to be some error in my PF config
file somewhere I guess, just hard to work out where.

> I'm running ntpd on a NAT gateway myself (RELENG_6), and
> there are no problems at all.

Yes, I too am doing this on a machine elsewhere, which is why this is
so frustrating! I know it works, I even have it working on a different
network, and it partially works here too (it can see one NTP machine on
the far side of the NAT, just none further away). I will continue looking.

Thanks,

-pcf.
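The rule-set mistake described in the quoted reply (internal clients' NTP is forwarded, but the gateway's own ntpd never gets its replies) is easy to reproduce on a RELENG_6-era pf, where `keep state` is not implied. The fragment below is an added illustration, not the poster's actual pf.conf; interface names and the internal network are assumed, and the rule marked BUGGY is shown beside its fixed form.

```pf
# Added example, not the original poster's configuration.
# Assumed: em0 faces the Internet, em1 the internal LAN.
ext_if  = "em0"
int_if  = "em1"
int_net = "10.50.50.0/24"

set skip on lo0
scrub in all

# Translate outbound traffic from the LAN to the gateway's address.
nat on $ext_if from $int_net to any -> ($ext_if)

# Default deny in both directions.
block all

# Internal clients: the state created here is floating, so it also
# matches the same (translated) packets leaving on $ext_if and the
# replies coming back. This is why the LAN hosts sync fine.
pass in on $int_if proto udp from $int_net to any port ntp keep state

# BUGGY: the gateway's own ntpd queries are allowed out, but without
# state no entry exists for the UDP reply, which then hits "block all"
# on the way in. ntpd on the gateway sees no servers at all.
# pass out on $ext_if proto udp from ($ext_if) to any port ntp

# FIXED: keep state, so the replies to locally generated queries are
# matched by the state table instead of the block rule.
pass out on $ext_if proto udp from ($ext_if) to any port ntp keep state
```

On a box like this, `pfctl -vsr` shows per-rule packet counters and `pfctl -ss | grep :123` shows whether any state exists for the gateway's own queries, which separates a missing-state problem from a rule that never matches.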