NTP, ntpdate, and ISP-based firewall
Don Levey
fedora-list at the-leveys.us
Wed Mar 3 22:26:21 UTC 2004
fedora-list-admin at redhat.com wrote:
> Don Levey wrote:
>> I've been trying to set up an NTP server within my own local
>> network, and have it sync with an outside server. It appears that
>> my ISP is blocking NTP access; I can get a sync only when I run
>> ntpdate -u.
>>
>> While I could do that manually, or even set it up as a cron job, I'd
>> rather set up ntpd to do this at intervals if possible. Any
>> suggestions as to how I can configure ntpd to work correctly, and/or
>> pointers to tutorials that might help?
>
> What does your /etc/ntp.conf file look like currently?
> Are you sure ntp packets are going out but not returning?
> ('tcpdump port ntp' or 'tcpdump port 123' might help debug this.)
>
Well, I get *something* by looking in tcpdump, but I need to read up on it
before I can comment intelligently on what I'm seeing. It does look like my
traffic is going out, and something is coming back, but I don't know what.
I'll copy my conf file below.
> On a side note, what kind of fascist, unfriendly ISP blocks NTP
> traffic? Correct timekeeping is essential for a properly run network
> (especially if you have shared filesystems or want to be able to merge
> logfiles).
As this is a home network, run off of a cable modem, they will often block
port traffic. I've got a query in to them now on whether or not they're
blocking 123; I've seen pages brought up by a Google search that say that at
least some ISPs do this.
Thanks again,
-Don
ntp.conf (some comments excised):
# Prohibit general access to this service.
restrict default ignore
# Note: with "restrict default ignore", ntpd also drops the *replies*
# from any upstream server that has no restrict line of its own, so each
# server listed under GENERAL CONFIGURATION needs an entry here. As
# posted, only the first of the three servers had one; the other two
# entries below are added.
restrict 69.22.157.240 mask 255.255.255.255 nomodify notrap noquery
restrict ntp.ourconcord.net mask 255.255.255.255 nomodify notrap noquery
restrict ntp-0.cso.uiuc.edu mask 255.255.255.255 nomodify notrap noquery
# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would affect some of
# the administrative functions.
restrict 127.0.0.1
# -- CLIENT NETWORK -------
# Permit systems on this network to synchronize with this
# time service. Do not permit those systems to modify the
# configuration of this service. Also, do not use those
# systems as peers for synchronization.
# (In ntpd 4.2 and later "notrust" instead means "require
# authentication"; on those versions drop it for a plain client LAN.)
restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
# --- GENERAL CONFIGURATION ---
#
#server 127.127.1.0 # local clock
server 69.22.157.240
server ntp.ourconcord.net
server ntp-0.cso.uiuc.edu
# Only meaningful if the local clock server line above is enabled.
fudge 127.127.1.0 stratum 10
#
# Drift file. Put this in a directory which the daemon can write to.
# No symbolic links allowed, either, since the daemon updates the file
# by creating a temporary in the same directory and then rename()'ing
# it to the file.
#
driftfile /etc/ntp/drift
broadcastdelay 0.008
keys /etc/ntp/keys
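To make sense of what tcpdump shows coming back, it helps to do by hand what ntpdate -u does on the wire: send a mode-3 client packet from an unprivileged UDP source port and decode the mode-4 reply (ntpd, by contrast, sends from port 123, which is the difference a port-123 filter would notice). The script below is an added example, not code from Don's post or the thread; SAMPLE_REPLY is a constructed packet, not a real capture, and the hostnames and addresses are placeholders.

```python
"""Minimal NTPv3 client query and reply decoder.

Added example; not code from the original post. It sends the same kind
of packet ntpdate -u does (mode 3, from an unprivileged UDP source port)
and decodes the mode-4 reply so a tcpdump capture can be read.
SAMPLE_REPLY is a constructed packet, not a real capture.
"""
import socket
import struct
import time

NTP_PORT = 123
NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01


def _unix_to_ntp(t):
    """Unix float seconds -> 8-byte NTP timestamp (32.32 fixed point)."""
    secs = int(t) + NTP_EPOCH_OFFSET
    frac = int((t - int(t)) * 2 ** 32)
    return struct.pack("!II", secs, frac)


def _ntp_to_unix(raw):
    secs, frac = struct.unpack("!II", raw)
    return secs - NTP_EPOCH_OFFSET + frac / 2 ** 32


def build_client_request(t1, version=3):
    """48-byte packet: LI=0, VN=version, mode=3 (client); T1 in transmit."""
    pkt = bytearray(48)
    pkt[0] = (0 << 6) | (version << 3) | 3
    pkt[40:48] = _unix_to_ntp(t1)
    return bytes(pkt)


def parse_packet(data):
    """Decode the fixed 48-byte NTP header (works for requests and replies)."""
    if len(data) < 48:
        raise ValueError("short NTP packet: %d bytes" % len(data))
    first, stratum, poll, precision = struct.unpack("!BBBb", data[:4])
    return {
        "leap": first >> 6,
        "version": (first >> 3) & 7,
        "mode": first & 7,          # 3 = client, 4 = server, 5 = broadcast
        "stratum": stratum,
        "poll": poll,
        "precision": precision,
        "ref_id": data[12:16],
        "ref": _ntp_to_unix(data[16:24]),
        "orig": _ntp_to_unix(data[24:32]),   # our T1, echoed back
        "recv": _ntp_to_unix(data[32:40]),   # T2, server receive time
        "xmit": _ntp_to_unix(data[40:48]),   # T3, server transmit time
    }


def is_usable_server_reply(pkt):
    """A reply worth syncing to: mode 4, leap != 3 (3 = clock not
    synchronised), stratum 1..15 (0 and 16 are not usable sources)."""
    return pkt["mode"] == 4 and pkt["leap"] != 3 and 1 <= pkt["stratum"] <= 15


def clock_offset(pkt, t4):
    """RFC 1305 offset: ((T2 - T1) + (T3 - T4)) / 2, T4 = our receive time."""
    return ((pkt["recv"] - pkt["orig"]) + (pkt["xmit"] - t4)) / 2


def query(server, source_port=0, timeout=5.0):
    """source_port=0: kernel picks an unprivileged port, as ntpdate -u does.
    source_port=123 mimics ntpd's default source port and needs root."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("", source_port))
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(build_client_request(t1), (server, NTP_PORT))
        data, peer = s.recvfrom(512)
        t4 = time.time()
    pkt = parse_packet(data)
    return pkt, clock_offset(pkt, t4), peer


def make_sample_reply(leap=0, stratum=2):
    """Constructed mode-4 reply (not a capture) for offline decoding."""
    t1 = 1078011200.0            # client's T1, echoed in 'orig'
    pkt = bytearray(48)
    pkt[0] = (leap << 6) | (3 << 3) | 4
    pkt[1:4] = bytes([stratum, 6]) + struct.pack("!b", -20)
    pkt[12:16] = bytes([10, 0, 0, 1])   # ref_id: placeholder upstream address
    pkt[16:24] = _unix_to_ntp(t1 - 1000)
    pkt[24:32] = _unix_to_ntp(t1)
    pkt[32:40] = _unix_to_ntp(t1 + 0.5)   # T2
    pkt[40:48] = _unix_to_ntp(t1 + 0.75)  # T3
    return bytes(pkt)


SAMPLE_REPLY = make_sample_reply()

if __name__ == "__main__":
    reply = parse_packet(SAMPLE_REPLY)
    print("mode", reply["mode"], "stratum", reply["stratum"],
          "usable", is_usable_server_reply(reply))
    print("offset:", clock_offset(reply, 1078011201.0))
    # Live check (needs network): query("pool.ntp.org") with the default
    # unprivileged source port, then query("pool.ntp.org", source_port=123)
    # as root; if only the first returns, something on the path is
    # treating source port 123 differently.
```

Running `query()` twice, once with the default source port and once bound to 123 as root, separates "NTP is blocked" from "only port-123-to-port-123 traffic is blocked", which is the distinction the ntpdate -u observation points at.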