Date: Thu, 22 Jan 2004 14:03:39 -0500
From: Ed Budd <ebudd@grokking.org>
To: freebsd-questions@freebsd.org
Subject: Re: NTP doesn't work behind IPF firewall?
Message-ID: <20040122140339.2d3ee16c.ebudd@grokking.org>
In-Reply-To: <20040122092131.2CAD461542@boudica.360i.ca>
References: <20040122092131.2CAD461542@boudica.360i.ca>
On Thu, 22 Jan 2004 02:21:56 -0700 "Edward Aronyk" <earonyk@360i.ca> wrote:

> Good day all,
>
> I'm attempting to set up NTP on two FreeBSD servers. To maximize
> security, I have configured NTP to only synchronize itself from a few
> other servers, and not offer NTP to other servers. The server runs
> IPF, which also blocks access to NTP. The problem is, the servers
> don't seem to update the time at all. I know ntp is running because it
> updates the driftfile, and ps shows it's active:
>
> # ps -aux | grep ntp
> root 81 0.0 0.2 1328 960 ?? Ss 9Jan04 1:06.65 /usr/sbin/ntpd -p /var/run/ntpd.pid
> root 83 0.0 0.2 1364 992 ?? S 9Jan04 0:15.67 /usr/sbin/ntpd -p /var/run/ntpd.pid
> root 47532 0.0 0.0 304 164 p0 R+ 2:14AM 0:00.00 grep ntp
>
> I can't seem to connect to it locally, however:
>
> # ntpq -p
> 127.0.0.1: timed out, nothing received
> ***Request timed out
>
> It is properly started from rc.conf:
>
> # cat /etc/rc.conf | grep ntp
> xntpd_enable="YES"
>
> And it does seem to be started during bootup:
>
> # cat /var/log/messages | grep ntp
> Jan 4 01:27:43 boudica /kernel: IOAPIC #0 intpin 2 -> irq 0
> Jan 4 01:27:43 boudica /kernel: APIC_IO: routing 8254 via IOAPIC #0 intpin 2
> Jan 4 01:27:43 boudica ntpd[82]: ntpd 4.1.0-a Mon Oct 13 17:59:47 MDT 2003(1)
> Jan 4 01:27:43 boudica ntpd[82]: kernel time discipline status 2040
> Jan 9 20:51:21 boudica /kernel: IOAPIC #0 intpin 2 -> irq 0
> Jan 9 20:51:21 boudica /kernel: APIC_IO: routing 8254 via IOAPIC #0 intpin 2
> Jan 9 20:51:21 boudica ntpd[81]: ntpd 4.1.0-a Mon Oct 13 17:59:47 MDT 2003(1)
> Jan 9 20:51:21 boudica ntpd[81]: kernel time discipline status 2040
>
> Does anyone have any advice? I'd prefer to leave the NTP port closed
> if possible. This problem is present for me on both FreeBSD 4.8 and
> 5.1. I have included my NTP configuration and IPF ruleset below in case
> it helps anyone.
>
> ---ntp.conf---
> # cat /etc/ntp.conf
> server subitaneous.cpsc.ucalgary.ca prefer
> server tick.mit.edu
> server ntp1.cmc.ec.gc.ca
> server ntp2.cmc.ec.gc.ca
> server clock1.unc.edu
>
> driftfile /etc/ntp.drift
>
> restrict default ignore
>
> ---ntp.drift---
> # cat /etc/ntp.drift
> 0.000
>
> ---ipf.rules---
> # cat /etc/ipf.rules
> # Default deny
> block in on fxp0
>
> # Pass in and out on loopback
> pass in quick on lo0
> pass out quick on lo0
>
> # Anti-spoofing
> block in quick on fxp0 from 192.168.0.0/16 to any
> block in quick on fxp0 from 172.16.0.0/12 to any
> block in quick on fxp0 from 10.0.0.0/8 to any
> block in quick on fxp0 from 127.0.0.1/8 to any
> block in quick on fxp0 from 0.0.0.0/8 to any
>
> # Allow certain useful ICMP packets
> pass in quick on fxp0 proto icmp from any to any icmp-type 0
> pass in quick on fxp0 proto icmp from any to any icmp-type 8
> pass in quick on fxp0 proto icmp from any to any icmp-type 11
> block in log quick on fxp0 proto icmp from any to any
>
> # Allow outbound connections
> pass out quick on fxp0 proto tcp/udp from any to any keep state
> pass out quick on fxp0 proto icmp from any to any keep state
>
> # Allow inbound useful packets
> pass in quick on fxp0 proto tcp from any to any port = 22 flags S keep state keep frags # SSH
> pass in quick on fxp0 proto tcp from any to any port = 25 flags S keep state keep frags # SMTP
> pass in quick on fxp0 proto tcp from any to any port = 80 flags S keep state keep frags # HTTP
> pass in quick on fxp0 proto tcp from any to any port = 110 flags S keep state keep frags # POP
> pass in quick on fxp0 proto tcp from any to any port = 143 flags S keep state keep frags # IMAP
> pass in quick on fxp0 proto tcp from any to any port = 993 flags S keep state keep frags # IMAP/SSL
>
> Thanks for your time,
> Edward Aronyk
> ed@360i.ca
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

Hi,

Not 100% sure on this but I think you need to include the loopback in
your server list in ntp.conf, especially since you're specifying default
ignore:

server 127.0.0.1

Cheers,
EB
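An added example, not code from either poster in this thread: a small Python checker that parses an ntp.conf and reports which configured upstream servers ntpd would silently discard. The mechanism behind the symptom in the question is that `restrict default ignore` makes ntpd drop every packet not matched by a more specific `restrict` entry, which includes the replies from the hosts on the `server` lines and the `ntpq -p` queries from 127.0.0.1. A client-only configuration therefore needs one `restrict` exception per upstream (keeping `nomodify notrap noquery` so those hosts still cannot query or modify the daemon) plus `restrict 127.0.0.1` for local monitoring. The posted IPF ruleset already passes outbound UDP with `keep state`, so the upstreams' replies are admitted by the firewall; the discard happens inside ntpd. Both embedded configurations are constructed for the example: the first is a two-server cut of the ntp.conf in the post, the second a hardened variant of it.

```python
"""Lint an ntp.conf for the 'restrict default ignore' trap.

ntpd applies the most specific matching 'restrict' entry to each packet
source; 'restrict default ignore' therefore discards replies from the
configured servers and local ntpq queries unless they are exempted.
This checker is an added example and resolves no hostnames (runs offline).
"""
import ipaddress


def _parse_restrict(tokens):
    """Parse the tokens after 'restrict': address [mask m] [flag ...]."""
    target, mask, flags = tokens[0], None, []
    rest = tokens[1:]
    i = 0
    while i < len(rest):
        if rest[i] == "mask" and i + 1 < len(rest):
            mask = rest[i + 1]
            i += 2
        else:
            flags.append(rest[i])
            i += 1
    return target, mask, set(flags)


def parse_ntp_conf(text):
    """Return (servers, restricts, default_flags).

    servers:       hosts from 'server' and 'peer' lines, in file order
    restricts:     list of (target, mask, flags) for non-default entries
    default_flags: flags on 'restrict default', or None if there is none
    """
    servers, restricts, default_flags = [], [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        tokens = line.split()
        if tokens[0] in ("server", "peer") and len(tokens) > 1:
            servers.append(tokens[1])
        elif tokens[0] == "restrict" and len(tokens) > 1:
            if tokens[1] == "default":
                default_flags = set(tokens[2:])
            else:
                restricts.append(_parse_restrict(tokens[1:]))
    return servers, restricts, default_flags


def _covers(target, mask, host):
    """True if restrict entry (target, mask) applies to 'host'.

    Hostnames are compared literally; IP literals are matched against the
    entry's address or network. A hostname entry cannot cover an IP offline.
    """
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return target == host
    try:
        net_addr = ipaddress.ip_address(target)
    except ValueError:
        return False
    if mask is None:
        return addr == net_addr
    net = ipaddress.ip_network(f"{net_addr}/{mask}", strict=False)
    return addr in net


def effective_flags(host, restricts, default_flags):
    """Flags ntpd would apply to packets from 'host' (most specific wins)."""
    matches = [e for e in restricts if _covers(e[0], e[1], host)]
    if matches:
        matches.sort(key=lambda e: e[1] is not None)  # single-host entries first
        return matches[0][2]
    return default_flags or set()


def ignored_peers(conf_text):
    """Configured servers whose replies ntpd would discard under this config."""
    servers, restricts, default_flags = parse_ntp_conf(conf_text)
    return [s for s in servers
            if "ignore" in effective_flags(s, restricts, default_flags)]


def local_queries_allowed(conf_text):
    """Whether 'ntpq -p' from 127.0.0.1 would get an answer."""
    _, restricts, default_flags = parse_ntp_conf(conf_text)
    flags = effective_flags("127.0.0.1", restricts, default_flags)
    return not ({"ignore", "noquery"} & flags)


# Constructed: two-server cut of the ntp.conf from the post. Everything is
# dropped by the default entry, so the servers never sync and ntpq times out.
POSTED_CONF = """\
server subitaneous.cpsc.ucalgary.ca prefer
server tick.mit.edu
driftfile /etc/ntp.drift
restrict default ignore
"""

# Constructed hardened variant: still default-deny, but each upstream is
# exempted from 'ignore' (it still cannot query or modify us) and loopback
# is open for local monitoring. IP addresses in restrict lines avoid a
# dependency on name resolution at daemon start.
HARDENED_CONF = """\
server subitaneous.cpsc.ucalgary.ca prefer
server tick.mit.edu
driftfile /etc/ntp.drift
restrict default ignore
restrict subitaneous.cpsc.ucalgary.ca nomodify notrap noquery
restrict tick.mit.edu nomodify notrap noquery
restrict 127.0.0.1
"""

if __name__ == "__main__":
    for name, conf in (("posted", POSTED_CONF), ("hardened", HARDENED_CONF)):
        state = "ok" if local_queries_allowed(conf) else "blocked"
        print(f"{name}: ignored peers={ignored_peers(conf)}, ntpq on loopback={state}")
```

Running the block reports both upstreams as ignored and loopback queries blocked for the posted configuration, and nothing ignored for the hardened one. Because the checker matches hostnames literally, a `restrict` line that names a server by IP address while the `server` line uses its hostname would be reported as uncovered; in that case resolve the name by hand before trusting the report.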