Date: Thu, 22 Jan 2004 14:03:39 -0500
From: Ed Budd <ebudd@grokking.org>
To: freebsd-questions@freebsd.org
Subject: Re: NTP doesn't work behind IPF firewall?
Message-Id: <20040122140339.2d3ee16c.ebudd@grokking.org>
In-Reply-To: <20040122092131.2CAD461542@boudica.360i.ca>
References: <20040122092131.2CAD461542@boudica.360i.ca>
X-Mailer: Sylpheed version 0.9.8a (GTK+ 1.2.10; i386-portbld-freebsd5.1)

On Thu, 22 Jan 2004 02:21:56 -0700
"Edward Aronyk" <ed@360i.ca> wrote:

> Good day all,
>
> I'm attempting to set up NTP on two FreeBSD servers. To maximize
> security, I have configured NTP to only synchronize itself from a few
> other servers, and not offer NTP to other servers. The server runs
> IPF, which also blocks access to NTP. The problem is, the servers
> don't seem to update the time at all. I know ntp is running because it
> updates the driftfile, and ps shows it's active:
>
> # ps -aux | grep ntp
> root     81  0.0  0.2  1328  960  ??  Ss    9Jan04   1:06.65 /usr/sbin/ntpd -p /var/run/ntpd.pid
> root     83  0.0  0.2  1364  992  ??  S     9Jan04   0:15.67 /usr/sbin/ntpd -p /var/run/ntpd.pid
> root  47532  0.0  0.0   304  164  p0  R+    2:14AM   0:00.00 grep ntp
>
> I can't seem to connect to it locally, however:
>
> # ntpq -p
> 127.0.0.1: timed out, nothing received
> ***Request timed out
>
> It is properly started from rc.conf:
>
> # cat /etc/rc.conf | grep ntp
> xntpd_enable="YES"
>
> And it does seem to be started during bootup:
>
> # cat /var/log/messages | grep ntp
> Jan 4 01:27:43 boudica /kernel: IOAPIC #0 intpin 2 -> irq 0
> Jan 4 01:27:43 boudica /kernel: APIC_IO: routing 8254 via IOAPIC #0 intpin 2
> Jan 4 01:27:43 boudica ntpd[82]: ntpd 4.1.0-a Mon Oct 13 17:59:47 MDT 2003(1)
> Jan 4 01:27:43 boudica ntpd[82]: kernel time discipline status 2040
> Jan 9 20:51:21 boudica /kernel: IOAPIC #0 intpin 2 -> irq 0
> Jan 9 20:51:21 boudica /kernel: APIC_IO: routing 8254 via IOAPIC #0 intpin 2
> Jan 9 20:51:21 boudica ntpd[81]: ntpd 4.1.0-a Mon Oct 13 17:59:47 MDT 2003(1)
> Jan 9 20:51:21 boudica ntpd[81]: kernel time discipline status 2040
>
> Does anyone have any advice? I'd prefer to leave the NTP port closed
> if possible. This problem is present for me on both FreeBSD 4.8 and
> 5.1. I have included my NTP configuration and IPF ruleset below in case
> it helps anyone.
>
> ---ntp.conf---
> # cat /etc/ntp.conf
> server subitaneous.cpsc.ucalgary.ca prefer
> server tick.mit.edu
> server ntp1.cmc.ec.gc.ca
> server ntp2.cmc.ec.gc.ca
> server clock1.unc.edu
>
> driftfile /etc/ntp.drift
>
> restrict default ignore
>
> ---ntp.drift---
> # cat /etc/ntp.drift
> 0.000
>
> ---ipf.rules---
> # cat /etc/ipf.rules
> # Default deny
> block in on fxp0
>
> # Pass in and out on loopback
> pass in quick on lo0
> pass out quick on lo0
>
> # Anti-spoofing
> block in quick on fxp0 from 192.168.0.0/16 to any
> block in quick on fxp0 from 172.16.0.0/12 to any
> block in quick on fxp0 from 10.0.0.0/8 to any
> block in quick on fxp0 from 127.0.0.1/8 to any
> block in quick on fxp0 from 0.0.0.0/8 to any
>
> # Allow certain useful ICMP packets
> pass in quick on fxp0 proto icmp from any to any icmp-type 0
> pass in quick on fxp0 proto icmp from any to any icmp-type 8
> pass in quick on fxp0 proto icmp from any to any icmp-type 11
> block in log quick on fxp0 proto icmp from any to any
>
> # Allow outbound connections
> pass out quick on fxp0 proto tcp/udp from any to any keep state
> pass out quick on fxp0 proto icmp from any to any keep state
>
> # Allow inbound useful packets
> pass in quick on fxp0 proto tcp from any to any port = 22 flags S keep state keep frags # SSH
> pass in quick on fxp0 proto tcp from any to any port = 25 flags S keep state keep frags # SMTP
> pass in quick on fxp0 proto tcp from any to any port = 80 flags S keep state keep frags # HTTP
> pass in quick on fxp0 proto tcp from any to any port = 110 flags S keep state keep frags # POP
> pass in quick on fxp0 proto tcp from any to any port = 143 flags S keep state keep frags # IMAP
> pass in quick on fxp0 proto tcp from any to any port = 993 flags S keep state keep frags # IMAP/SSL
>
> Thanks for your time,
> Edward Aronyk
> ed@360i.ca

Hi,

Not 100% sure on this but I think you need to include the loopback in
your server list in ntp.conf, especially since you're specifying
default ignore:

server 127.0.0.1

Cheers,
EB
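An added example, not part of this thread: a small Python model of how ntpd evaluates its `restrict` list. ntpd compares every incoming packet's source address (upstream server replies and local ntpq queries alike) against each `restrict` entry and applies the most specific match, so a bare `restrict default ignore` silently discards the replies from the configured servers as well as the loopback ntpq query shown above. The model covers only the `ignore`, `noquery` and `noserve` flags; the 192.0.2.x and 203.0.113.x addresses are constructed placeholders (TEST-NET ranges), not the real addresses of the hosts named in the ntp.conf.

```python
"""Model of ntpd 'restrict' matching: longest-mask entry wins, its flags decide.

Added illustration, not ntpd's own code.  Only the ignore / noquery / noserve
flags are modelled; nomodify and notrap are parsed but have no effect on
whether a time or query packet is answered.
"""
import ipaddress


def parse_restrict(conf_text):
    """Return [(network, frozenset(flags))] for every 'restrict' line in conf_text."""
    entries = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line.startswith("restrict"):
            continue
        parts = line.split()
        if parts[1] == "default":                     # 'default' == 0.0.0.0 mask 0.0.0.0
            net, flags = ipaddress.ip_network("0.0.0.0/0"), parts[2:]
        elif parts[2:3] == ["mask"]:                  # 'restrict A.B.C.D mask M.M.M.M flags'
            net = ipaddress.ip_network(f"{parts[1]}/{parts[3]}", strict=False)
            flags = parts[4:]
        else:                                         # single host
            net, flags = ipaddress.ip_network(f"{parts[1]}/32"), parts[2:]
        entries.append((net, frozenset(flags)))
    return entries


def effective_flags(entries, source_ip):
    """Flags of the most specific (longest prefix) entry matching source_ip."""
    ip = ipaddress.ip_address(source_ip)
    best = None
    for net, flags in entries:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, flags)
    return best[1] if best else frozenset()           # no entry at all: unrestricted


def verdict(entries, source_ip, kind):
    """'accepted' or 'dropped' for a packet of kind 'time' (server/peer) or 'query' (ntpq)."""
    flags = effective_flags(entries, source_ip)
    if "ignore" in flags:                             # ignore: deny everything
        return "dropped"
    if kind == "query" and "noquery" in flags:        # noquery: deny ntpq/ntpdc
        return "dropped"
    if kind == "time" and "noserve" in flags:         # noserve: deny all but queries
        return "dropped"
    return "accepted"


# Constructed configs.  ORIGINAL mirrors the single restrict line in the
# thread; FIXED keeps deny-by-default but opens loopback for ntpq and lets
# the (placeholder) upstream servers answer without being able to query or
# modify the daemon.
ORIGINAL = """
restrict default ignore
"""

FIXED = """
restrict default ignore
restrict 127.0.0.1
restrict 192.0.2.10 nomodify notrap noquery   # placeholder for an upstream server
restrict 192.0.2.20 nomodify notrap noquery   # placeholder for an upstream server
"""


def check(conf_text):
    """Summarise what each config does with the traffic the thread cares about."""
    entries = parse_restrict(conf_text)
    return {
        "local ntpq":      verdict(entries, "127.0.0.1", "query"),
        "upstream reply":  verdict(entries, "192.0.2.10", "time"),
        "upstream query":  verdict(entries, "192.0.2.10", "query"),
        "stranger time":   verdict(entries, "203.0.113.7", "time"),
        "stranger query":  verdict(entries, "203.0.113.7", "query"),
    }


if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name)
        for k, v in check(conf).items():
            print(f"  {k:15} {v}")
```

Running it shows the original config dropping both the loopback query and the upstream replies, while the fixed config answers those two and still drops every packet from an unlisted host, which is the "don't offer NTP to others" posture the original poster wanted.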