From: Peter Jeremy
To: Andrew Reilly
Cc: freebsd-stable@freebsd.org
Date: Wed, 25 Jul 2007 18:22:33 +1000
Subject: Re: ntpd on a NAT gateway seems to do nothing
Message-ID: <20070725082233.GJ1241@turion.vk2pj.dyndns.org>
In-Reply-To: <20070725003025.GA63332@duncan.reilly.home>

On 2007-Jul-25 10:30:25 +1000, Andrew Reilly wrote:
>On Wed, Jul 25, 2007 at 05:24:25AM +1000, Peter Jeremy wrote:
>> On 2007-Jul-24 16:00:08 +0100, Pete French wrote:
>> Yes it does.  The major difference is that ntpd will use a source
>> port of 123 whilst ntpdate will use a dynamic source port.
>
>Is that behaviour that can be defeated?

I don't believe so.

> If it uses a fixed
>source port, then multiple ntpd clients behind a nat firewall
>will be competing for the same ip quadtuple at the NAT box.

You might be better off running ntpd on the firewall and having the
inside hosts sync to it.

> (Or
>does ipnat or pf have the ability to fake different source
>addresses?)

All NAT tools I've seen have the ability to either use multiple
external addresses or re-write the source port to avoid clashes.

Note that, by default, ntpd doesn't care about the source port of
incoming packets (this can be controlled with the 'ntpport' option
to 'restrict').

>(I've had what I think is this problem with a VPN setup, where
>only one client behind the NAT firewall could run the VPN client
>at a time, because the VPN protocol used a fixed port and UDP.
>Maybe my NAT rules need more sophistication?  I don't pay all
>that much attention to it...)

I suspect that either your NAT rules need to allow source port
re-writing or the VPN protocol is fussier about having the source
port.

-- 
Peter Jeremy
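The quadtuple clash discussed above, modelled as an added Python example (this is not code from the thread, nor from pf or ipnat): two inside hosts running ntpd both send from source port 123 to the same server, and a NAT that keeps the source port cannot give the second host a distinct external 4-tuple, while a NAT allowed to rewrite the source port can. All addresses are constructed documentation/test-net values, and `static_port` is a hypothetical toggle standing in for the "keep the client's port" versus "rewrite it" behaviour the reply refers to.

```python
from typing import Dict, Optional, Tuple

# A NAT flow is identified by (proto, src_ip, src_port, dst_ip, dst_port).
Flow = Tuple[str, str, int, str, int]


class SourceNat:
    """Toy model of outbound source NAT behind a single external address.

    static_port=True keeps the client's source port, so two inside hosts
    using the same fixed port to the same server clash at the NAT box.
    static_port=False lets the NAT pick a free external port from 'pool'.
    """

    def __init__(self, external_ip: str, static_port: bool, pool=(10000, 20000)):
        self.external_ip, self.static_port, self.pool = external_ip, static_port, pool
        self.by_ext: Dict[Tuple[str, int, str, int], Flow] = {}  # external key -> inside flow
        self.by_flow: Dict[Flow, int] = {}                        # inside flow -> external port

    def outbound(self, flow: Flow) -> Optional[Flow]:
        """Translate an outgoing packet; None means the NAT could not map it."""
        proto, _, src_port, dst_ip, dst_port = flow
        if flow not in self.by_flow:
            # Try the original source port first; fall back to the pool only if allowed.
            candidates = [src_port] if self.static_port else [src_port, *range(*self.pool)]
            for port in candidates:
                if (proto, port, dst_ip, dst_port) not in self.by_ext:
                    self.by_ext[(proto, port, dst_ip, dst_port)] = flow
                    self.by_flow[flow] = port
                    break
            else:
                return None  # every candidate external 4-tuple is already taken
        return (proto, self.external_ip, self.by_flow[flow], dst_ip, dst_port)

    def inbound(self, proto: str, src_ip: str, src_port: int, ext_port: int) -> Optional[Flow]:
        """Map a reply addressed to external_ip:ext_port back to the inside flow."""
        return self.by_ext.get((proto, ext_port, src_ip, src_port))


SERVER = "203.0.113.5"  # constructed upstream NTP server address (TEST-NET-3)


def two_ntpd_clients(static_port: bool):
    """Two inside hosts each running ntpd (fixed source port 123) to the same server."""
    nat = SourceNat("198.51.100.1", static_port)  # constructed external address
    a = nat.outbound(("udp", "192.168.1.10", 123, SERVER, 123))
    b = nat.outbound(("udp", "192.168.1.11", 123, SERVER, 123))
    return a, b, nat
```

With `static_port=True` the second host gets no mapping at all, which is the symptom of ntpd "doing nothing" behind such a NAT; with rewriting allowed both hosts are mapped and replies are routed back by the external port alone.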