Date: Thu, 22 Jan 2004 02:21:56 -0700
From: "Edward Aronyk" <earonyk@360i.ca>
To: <freebsd-questions@freebsd.org>
Subject: NTP doesn't work behind IPF firewall?
Message-ID: <20040122092131.2CAD461542@boudica.360i.ca>
Good day all,

I'm attempting to set up NTP on two FreeBSD servers. To maximize security, I have configured NTP to only synchronize itself from a few other servers, and not offer NTP to other servers. The server runs IPF, which also blocks access to NTP.

The problem is, the servers don't seem to update the time at all. I know ntp is running because it updates the driftfile, and ps shows it's active:

# ps -aux | grep ntp
root     81  0.0  0.2  1328  960  ??  Ss    9Jan04   1:06.65 /usr/sbin/ntpd -p /var/run/ntpd.pid
root     83  0.0  0.2  1364  992  ??  S     9Jan04   0:15.67 /usr/sbin/ntpd -p /var/run/ntpd.pid
root  47532  0.0  0.0   304  164  p0  R+    2:14AM   0:00.00 grep ntp

I can't seem to connect to it locally, however:

# ntpq -p
127.0.0.1: timed out, nothing received
***Request timed out

It is properly started from rc.conf:

# cat /etc/rc.conf | grep ntp
xntpd_enable="YES"

And it does seem to be started during bootup:

# cat /var/log/messages | grep ntp
Jan  4 01:27:43 boudica /kernel: IOAPIC #0 intpin 2 -> irq 0
Jan  4 01:27:43 boudica /kernel: APIC_IO: routing 8254 via IOAPIC #0 intpin 2
Jan  4 01:27:43 boudica ntpd[82]: ntpd 4.1.0-a Mon Oct 13 17:59:47 MDT 2003 (1)
Jan  4 01:27:43 boudica ntpd[82]: kernel time discipline status 2040
Jan  9 20:51:21 boudica /kernel: IOAPIC #0 intpin 2 -> irq 0
Jan  9 20:51:21 boudica /kernel: APIC_IO: routing 8254 via IOAPIC #0 intpin 2
Jan  9 20:51:21 boudica ntpd[81]: ntpd 4.1.0-a Mon Oct 13 17:59:47 MDT 2003 (1)
Jan  9 20:51:21 boudica ntpd[81]: kernel time discipline status 2040

Does anyone have any advice? I'd prefer to leave the NTP port closed if possible. This problem is present for me on both FreeBSD 4.8 and 5.1. I have included my NTP configuration and IPF ruleset below in case it helps anyone.

---ntp.conf---
# cat /etc/ntp.conf
server subitaneous.cpsc.ucalgary.ca prefer
server tick.mit.edu
server ntp1.cmc.ec.gc.ca
server ntp2.cmc.ec.gc.ca
server clock1.unc.edu
driftfile /etc/ntp.drift
restrict default ignore

---ntp.drift---
# cat /etc/ntp.drift
0.000

---ipf.rules---
# cat /etc/ipf.rules
# Default deny
block in on fxp0

# Pass in and out on loopback
pass in quick on lo0
pass out quick on lo0

# Anti-spoofing
block in quick on fxp0 from 192.168.0.0/16 to any
block in quick on fxp0 from 172.16.0.0/12 to any
block in quick on fxp0 from 10.0.0.0/8 to any
block in quick on fxp0 from 127.0.0.1/8 to any
block in quick on fxp0 from 0.0.0.0/8 to any

# Allow certain useful ICMP packets
pass in quick on fxp0 proto icmp from any to any icmp-type 0
pass in quick on fxp0 proto icmp from any to any icmp-type 8
pass in quick on fxp0 proto icmp from any to any icmp-type 11
block in log quick on fxp0 proto icmp from any to any

# Allow outbound connections
pass out quick on fxp0 proto tcp/udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state

# Allow inbound useful packets
pass in quick on fxp0 proto tcp from any to any port = 22 flags S keep state keep frags   # SSH
pass in quick on fxp0 proto tcp from any to any port = 25 flags S keep state keep frags   # SMTP
pass in quick on fxp0 proto tcp from any to any port = 80 flags S keep state keep frags   # HTTP
pass in quick on fxp0 proto tcp from any to any port = 110 flags S keep state keep frags  # POP
pass in quick on fxp0 proto tcp from any to any port = 143 flags S keep state keep frags  # IMAP
pass in quick on fxp0 proto tcp from any to any port = 993 flags S keep state keep frags  # IMAP/SSL

Thanks for your time,

Edward Aronyk
ed@360i.ca
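Editor's added example, not part of the thread and not the poster's file: the ntp.conf above with its restrict section rewritten. In ntpd, `restrict default ignore` is applied to every incoming packet before ntpd looks up the association it belongs to, so on its own it also drops the replies from the five hosts named on the `server` lines and the mode-6 queries that `ntpq -p` sends to 127.0.0.1, which matches both symptoms the poster reports (an untouched clock and a timed-out ntpq). The `ignore` default is kept, and the loopback and each configured server are exempted explicitly. The flags used (`nomodify`, `notrap`, `noquery`) exist in ntpd 4.1.0; whether this ntpd resolves hostnames on `restrict` lines is an assumption noted in the comments, and the servers' numeric addresses are not on the page.

```conf
# Added example (not the poster's configuration): restrict section for the
# ntp.conf shown above. The server and driftfile lines are the originals.

# Drop every packet from any source not matched by a more specific entry
# below. This is the line the poster already has; without the exemptions
# that follow it also drops the servers' replies and ntpq's local queries.
restrict default ignore

# Let the local host talk to ntpd, so that "ntpq -p" on 127.0.0.1 works.
restrict 127.0.0.1

# Accept time packets from each configured server, while still refusing
# runtime reconfiguration (nomodify), trap service (notrap) and status
# queries (noquery) from them. restrict takes an address; if this ntpd does
# not resolve names on restrict lines (assumption), substitute each server's
# numeric address here.
server   subitaneous.cpsc.ucalgary.ca prefer
restrict subitaneous.cpsc.ucalgary.ca nomodify notrap noquery

server   tick.mit.edu
restrict tick.mit.edu nomodify notrap noquery

server   ntp1.cmc.ec.gc.ca
restrict ntp1.cmc.ec.gc.ca nomodify notrap noquery

server   ntp2.cmc.ec.gc.ca
restrict ntp2.cmc.ec.gc.ca nomodify notrap noquery

server   clock1.unc.edu
restrict clock1.unc.edu nomodify notrap noquery

driftfile /etc/ntp.drift
```

The IPF ruleset above needs no change for this: `pass out quick on fxp0 proto tcp/udp from any to any keep state` creates a state entry for each query ntpd sends (UDP, source and destination port 123), and the server's reply matches that entry on the way back in, so inbound port 123 can stay closed, as the poster wants. After restarting ntpd, `ntpq -p` should list the five peers; the `reach` column is an octal shift register of the last eight polls, so it climbing from 0 towards 377 over a few poll intervals confirms that replies are getting through, while a `reach` stuck at 0 with the firewall unchanged points back at the restrict list.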
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040122092131.2CAD461542>